Connecting to Elasticsearch via Python with SSL and client certificate --> CERTIFICATE_VERIFY_FAILED

I am finding an amazing lack of information on how exactly to configure this.

I am using ES 2.3.2 and Python 3.2.

My cluster is behind a reverse proxy, so I have an SSL endpoint that requires a client certificate.

  1. SSL is provided via a publicly signed certificate
  2. My client certificate is self-signed, and the root CA I used to sign it is installed on the server (and the certs are working fine in calls from my .NET api).

I am attempting to create my Elasticsearch client with:

client = Elasticsearch(hosts=[], timeout=80, use_ssl=True, verify_certs=True, ca_certs=ssl_cert_chain, client_cert=cert_file_path, client_key=key_file_path)

I am trying to figure out exactly what should be supplied in the parameters. I am assuming that:

client_cert: This is a pem containing my client certificate
client_key: This is the RSA decrypted key for my client certificate

ca_certs: What exactly do I need here:
-- Do I need my certificate chain for the SSL cert so that the SSL connection can be created?
-- Or do I need to have the root CA that I used to self-sign my client certificate?
-- Some combination of the two?

I can use:

openssl verify -CAfile [my root CA].pem [my client cert].pem

And it passes validation.

I have tried various inputs to ca_certs, but I am stuck on the following error when a request is actually issued:

Traceback (most recent call last):
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\", line 578, in urlopen
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\", line 351, in _make_request
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\", line 814, in _validate_conn
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\", line 289, in connect
  File "E:\Source\Repos\OfficeCustomerVoice\UserExperience\OCVClusteringWebAPI\env3\lib\site-packages\urllib3\util\", line 308, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "C:\Users\jthoni\AppData\Local\Continuum\Anaconda3-2-3\lib\", line 365, in wrap_socket
  File "C:\Users\jthoni\AppData\Local\Continuum\Anaconda3-2-3\lib\", line 583, in __init__
  File "C:\Users\jthoni\AppData\Local\Continuum\Anaconda3-2-3\lib\", line 810, in do_handshake
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

What exactly needs to be passed through in order to communicate correctly?
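Added example, not part of the original post: in Python's `ssl` layer the CA bundle (the role of `ca_certs`) is what the client uses to verify the server's certificate, while the client certificate and key are only presented to the server. A `CERTIFICATE_VERIFY_FAILED` raised in the client's `do_handshake` is the client rejecting the server's chain. The function names, the `CHAIN_CODES` grouping and the verdict strings are assumptions of this sketch, and `verify_code` requires Python 3.7 or later.

```python
import socket
import ssl

# OpenSSL verify codes meaning "the client could not build a chain from the
# SERVER certificate to a CA it trusts" -> fix the CA bundle, not client_cert.
# 18/19: self-signed cert (leaf / in chain), 20/21: issuer not found locally.
CHAIN_CODES = {18, 19, 20, 21}


def build_client_context(server_ca_bundle=None, client_cert=None, client_key=None):
    """Build the TLS context a client needs for mutual TLS.

    server_ca_bundle: CA(s) that issued the SERVER certificate (the role of
        ca_certs); None uses the platform trust store.
    client_cert / client_key: identity presented TO the server. The CA that
        signed it must be trusted by the server; it is not listed here.
    """
    # create_default_context enables CERT_REQUIRED and hostname checking.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=server_ca_bundle)
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def diagnose(exc):
    """Map a handshake exception to the setting that most likely needs fixing."""
    code = getattr(exc, "verify_code", None)
    if code in CHAIN_CODES:
        return "ca_certs"            # server chain not anchored in our bundle
    if code == 62:
        return "hostname"            # certificate does not match the host name
    if code is not None:
        return "server_cert"         # expired, wrong purpose, and so on
    return "client_cert_or_network"  # e.g. the server rejected our certificate


def probe(host, port, ctx, timeout=10):
    """Attempt one handshake; return 'ok' or the diagnose() verdict."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except (ssl.SSLError, OSError) as exc:
        return diagnose(exc)
```

Calling `probe()` against the proxy endpoint with a context built from each candidate bundle shows which file actually anchors the server's chain.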


