Curator over SSL

Hi,

Thank you for providing such good applications!

I am using Elasticsearch.curator to manage indices. Recently I started working with a security plugin (Search Guard, not Shield).

Basically my problem is curator with SSL.
If I specify '--ssl-no-validate', it works, but it generates a warning message, which looks like it is from urllib.

This is the command I executed:
curator --use_ssl --host my_host.com --http_auth xxx:yyy --ssl-no-validate show indices --all-indices

This is the warning message:

..../lib/python2.7/site-packages/urllib3-1.15-py2.7.egg/urllib3/connectionpool.py:821: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: Advanced Usage - urllib3 2.1.0 documentation

I am not a Python expert, so I do not know how to suppress these messages.

So if I try with '--certificate', I get connection errors.
curator --use_ssl --host my_host.com --http_auth xxx:yyy --certificate /path/to/truststore.pem --debug show indices --all-indices

This is the last part of errors:

2016-06-09 09:35:22,972 DEBUG elasticsearch log_request_fail:90 > None
2016-06-09 09:35:22,973 DEBUG urllib3.util.retry from_int:164 Converted retries value: False -> Retry(total=False, connect=None, read=None, redirect=0)
2016-06-09 09:35:22,973 INFO urllib3.connectionpool _new_conn:788 Starting new HTTPS connection (4): ves-ebi-29.ebi.ac.uk
2016-06-09 09:35:23,003 WARNING elasticsearch log_request_fail:82 GET http://my_host.com:9200/ [status:N/A request:0.030s]
Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "build/bdist.linux-x86_64/egg/urllib3/connectionpool.py", line 578, in urlopen
    chunked=chunked)
  File "build/bdist.linux-x86_64/egg/urllib3/connectionpool.py", line 351, in _make_request
    self._validate_conn(conn)
  File "build/bdist.linux-x86_64/egg/urllib3/connectionpool.py", line 814, in _validate_conn
    conn.connect()
  File "build/bdist.linux-x86_64/egg/urllib3/connection.py", line 296, in connect
    cert = self.sock.getpeercert()
  File "/.../python2.7.11/lib/python2.7/ssl.py", line 649, in getpeercert
    return self._sslobj.peer_certificate(binary_form)
SystemError: error return without exception set
2016-06-09 09:35:23,003 DEBUG elasticsearch log_request_fail:90 > None
2016-06-09 09:35:23,003 ERROR curator.cli.utils get_client:140 Connection failure.

Can someone please give some advice that I can try?

Thanks in advance!
Youngmi.

I know nothing about Search Guard, so I can't be of much specific help. It seems to me that the certificate you provided is not the appropriate, valid CA certificate, which is what --certificate is supposed to point to. Regardless, you can't suppress the urllib3 message when using --ssl-no-validate. It is a warning that you are not verifying the security chain. It doesn't mean that the transaction is not going over SSL, just that security cannot be guaranteed because the certificate chain is unverified.

Depending on how Search Guard works, you might be able to use --client-cert and --client-key (generated and signed by the same CA that you used for the security solution you're using).
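
One way to check, before handing a file to --certificate, that it really is a PEM bundle containing at least one CA certificate. This is an added example, not part of the original posts and not Curator's own code; it assumes Python 3's standard ssl module, and the function names and the sample file are constructed for illustration.

```python
import os
import ssl
import tempfile


def inspect_ca_file(path):
    """Load `path` the way a TLS client loads a CA bundle and summarise it.

    Returns a dict with:
      loadable - OpenSSL could parse at least one PEM certificate
      x509     - certificates loaded into the trust store
      x509_ca  - how many of those are CA certificates
      error    - the load error text, or None
    """
    # A bare client context starts with an empty trust store, so the
    # statistics below describe only the file under test.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return {"loadable": False, "x509": 0, "x509_ca": 0, "error": str(exc)}
    stats = ctx.cert_store_stats()
    return {"loadable": True, "x509": stats["x509"],
            "x509_ca": stats["x509_ca"], "error": None}


def verdict(report):
    """Turn the report into the finding an operator acts on."""
    if not report["loadable"]:
        return "not a PEM certificate file"
    if report["x509_ca"] == 0:
        return "contains certificates, but none is a CA"
    return "usable as a CA bundle"


def demo_with_constructed_file():
    # Constructed sample: a file with a .pem name but no PEM certificate inside.
    with tempfile.NamedTemporaryFile("wb", suffix=".pem", delete=False) as fh:
        fh.write(b"\xfe\xed\xfe\xed constructed non-PEM bytes\n")
        name = fh.name
    try:
        return verdict(inspect_ca_file(name))
    finally:
        os.unlink(name)


if __name__ == "__main__":
    print(demo_with_constructed_file())
```

A "usable as a CA bundle" result only shows the file parses and holds a CA certificate; it does not show that this CA is the one that signed the server's certificate.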

Thank you for the reply! I will try the two parameters instead!