Curator ssl_no_validate: True helm option doesn't work

I needed to enable TLS on Elasticsearch just to make pods stable after restart (they didn't get up if TLS is disabled). I don't want to have any TLS validation and so on, just to make things easier (we have security enabled on a higher level).

All the components like Kibana and Fluentd started well, but I see there is an issue with Curator.

@theuntergeek, please have a look and suggest what would be the easiest way to deal with enabled TLS and Curator.

  config_yml: |-
    ---
    client:
      hosts:
        - elasticsearch-master
      port: 9200
      # url_prefix:
      use_ssl: True
      # certificate:
      # client_cert:
      # client_key:
      ssl_no_validate: True
      http_auth: "elastic:password"

Curator version:

image:
  repository: untergeek/curator
  tag: 5.7.6

Chart version:

apiVersion: v1
appVersion: "5.5.4"
description: A Helm chart for Elasticsearch Curator
name: elasticsearch-curator
version: 2.0.2
home: https://github.com/elastic/curator
keywords:
- curator
- elasticsearch
- elasticsearch-curator
sources:
- https://github.com/kubernetes/charts/elasticsearch-curator
- https://github.com/pires/docker-elasticsearch-curator
maintainers:
  - name: desaintmartin
    email: cedric.dsm@gmail.com
  - name: gianrubio
    email: gianrubio@gmail.com

Error:

{"type": "server", "timestamp": "2019-11-05T23:12:06,102+0000", "level": "WARN", "component": "o.e.h.AbstractHttpServerTransport", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master-0", "cluster.uuid": "PBFsI5fPThiXUnKdMY5qhQ", "node.id": "6I0v-OXPSd-tcq-CK3SZhg",  "message": "caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=/172.30.182.133:59712}" , 
"stacktrace": ["io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca",
"at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472) ~[netty-codec-4.1.35.Final.jar:4.1.35.Final]",
"at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-codec-4.1.35.Final.jar:4.1.35.Final]",
"at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374) [netty-transport-4.1.35.Final.jar:4.1.35.Final]",
"at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360) [netty-transport-4.1.35.Final.jar:4.1.35.Final]",
"at io.netty.channel.Ab

It’s complaining about the CA, the certificate authority. I can’t see that one is being used with a quick look at what you’ve shared here. The error even seems to be at the Java level, not the Python level where Curator would be reporting it. In any case, it would need to be specified for both Elasticsearch and Curator.

Issue solved after adding xpack.security.transport.ssl.certificate_authorities into elasticsearch.yaml.

Glad you figured it out.

You won't need Curator to use SSL unless you also set xpack.security.http.*.
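
As an added example (not code from the thread or from the Elasticsearch or Curator projects), the Python below scans Elasticsearch JSON server-log entries like the one quoted in the first post and counts TLS handshake alerts per client address, so the failing client and the alert it sent are easy to pick out. The sample entries and addresses are constructed; it assumes one log entry per line and IPv4 remote addresses, and it falls back to the raw text when an entry is cut off like the one quoted above.

```python
import json
import re
from collections import Counter

# Constructed sample entries shaped like the server log quoted in the thread
# (documentation-range addresses; the second entry is cut off mid-stacktrace).
SAMPLE_LOG = r'''
{"type": "server", "timestamp": "2019-11-05T23:12:06,102+0000", "level": "WARN", "component": "o.e.h.AbstractHttpServerTransport", "message": "caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=/192.0.2.10:59712}", "stacktrace": ["io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca"]}
{"type": "server", "timestamp": "2019-11-05T23:13:06,140+0000", "level": "WARN", "component": "o.e.h.AbstractHttpServerTransport", "message": "caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=/192.0.2.10:59790}", "stacktrace": ["io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca", "at io.netty.channel.Ab
{"type": "server", "timestamp": "2019-11-05T23:14:01,007+0000", "level": "WARN", "component": "o.e.h.AbstractHttpServerTransport", "message": "caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=/192.0.2.11:40122}", "stacktrace": ["io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown"]}
{"type": "server", "timestamp": "2019-11-05T23:15:00,000+0000", "level": "INFO", "component": "o.e.n.Node", "message": "started"}
'''

ALERT_RE = re.compile(r"SSLHandshakeException: Received fatal alert: (\w+)")
CHANNEL_RE = re.compile(r"localAddress=[^,}]*:(\d+), remoteAddress=/([^:}]+):\d+")


def parse_entry(line):
    """Return (timestamp, remote_ip, local_port, alert) for a TLS alert entry, else None."""
    try:
        entry = json.loads(line)
        text = entry.get("message", "") + " " + " ".join(entry.get("stacktrace", []))
        timestamp = entry.get("timestamp")
    except (ValueError, AttributeError):
        # Truncated or non-object entry: search the raw text instead.
        text, timestamp = line, None
    alert = ALERT_RE.search(text)
    channel = CHANNEL_RE.search(text)
    if not alert or not channel:
        return None
    return timestamp, channel.group(2), int(channel.group(1)), alert.group(1)


def summarize(lines):
    """Count handshake alerts per (remote_ip, local_port, alert_name)."""
    counts = Counter()
    for line in lines:
        hit = parse_entry(line.strip()) if line.strip() else None
        if hit:
            _, remote_ip, local_port, alert = hit
            counts[(remote_ip, local_port, alert)] += 1
    return counts


if __name__ == "__main__":
    for (ip, port, alert), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip} -> :{port}  {alert}  x{n}")
```
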
