Curator using ssl to connect to Elasticsearch though use_ssl is false

Sandeep_Gupta · October 4, 2019, 12:49pm

I have elasticsearch configured without SSL. I am able to access it using curl http://localhost:9200/
Here are the versions
Elasticsearch: 6.2.2
Curator: 5.8.1
I have installed plugin repository-s3
I am trying to take snapshot of ES to S3 using below command.

curator --config curator.yml backup_action.yml

Here is my curator.yml

client:
  hosts:
    - localhost
  port: 9200
  url_prefix:
  use_ssl: False
  certificate:
  client_cert:
  client_key:
  aws_key: 
  aws_secret_key: 
  aws_region: ca-central-1
  ssl_no_validate: False
  http_auth:
  timeout: 300
  master_only: False

logging:
  loglevel: DEBUG
  logfile:
  logformat: default
#  blacklist: ['elasticsearch', 'urllib3']
  blacklist: []

Here is my action file

actions:
  1:
    action: snapshot
    description: Backing up indices older than 30 days.
    options:
      repository: s3-backup
      name: stage-elk-%Y%m%d%H%M%S
      ignore_unavailable: False
      include_global_state: True
      partial: False
      wait_for_completion: True
      skip_repo_fs_check: False
      timeout_override:
      continue_if_exception: True
      disable_action: False
    filters:
    -  filtertype: age
       source: name
       direction: older
       unit: days
       unit_count: 30
       timestring: "%Y%m%d%H%M%S"

Here is the error I am getting

2019-10-04 11:45:21,638 DEBUG              elasticsearch       log_request_fail:160  > None
2019-10-04 11:45:21,639 DEBUG     urllib3.connectionpool              _new_conn:813  Starting new HTTPS connection (4): localhost:9200
2019-10-04 11:45:21,646 WARNING            elasticsearch       log_request_fail:149  GET https://localhost:9200/ [status:N/A request:0.008s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_requests.py", line 124, in perform_request
    response = self.session.send(prepared_request, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
SSLError: HTTPSConnectionPool(host='localhost', port=9200): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_record', 'wrong version number')],)",),))
2019-10-04 11:45:21,647 DEBUG              elasticsearch       log_request_fail:160  > None
2019-10-04 11:45:21,647 ERROR              curator.utils             get_client:915  HTTP N/A error: HTTPSConnectionPool(host='localhost', port=9200): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_record', 'wrong version number')],)",),))
2019-10-04 11:45:21,647 CRITICAL           curator.utils             get_client:923  Curator cannot proceed. Exiting.

Please note that I have mentioned use_ssl to false still in the log I can see that it is starting HTTPS connection

2019-10-04 11:45:21,639 DEBUG     urllib3.connectionpool              _new_conn:813  Starting new HTTPS connection (4): localhost:9200
2019-10-04 11:45:21,646 WARNING            elasticsearch       log_request_fail:149  GET https://localhost:9200/ [status:N/A request:0.008s]

Please help.

theuntergeek · October 4, 2019, 3:17pm

I see:

aws_region: ca-central-1

…but nothing else there for AWS usage. I believe that you are getting the SSL flag because AWS connectivity requires it. Though you haven't defined the rest of the AWS settings—perhaps you've removed them to not reveal them here?—Curator will override use_ssl to True if you have AWS credentials here, which may be why you're seeing the SSL request to localhost: https://localhost:9200/. I suggest this because all of the continuous integration tests are against a non-SSL connection, otherwise I expect they would encounter this problem as well.

Using S3 for snapshots does not require Curator to also have AWS IAM credentials. Those are configured as part of the repository creation. I repeat: Curator does not need AWS IAM credentials to perform an S3 snapshot. Curator makes an API call to Elasticsearch to perform a snapshot, and then Elasticsearch uses the IAM credentials it received to connect to the S3 repository.

Also, you're using Python 2.7, which I actively discourage, as Python 2.7 is EOL at the end of 2019. Future versions of Curator will require Python 3.6 or higher.

Sandeep_Gupta · October 4, 2019, 4:49pm

Thank you very much. it worked when I removed AWS settings.

system · November 1, 2019, 4:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.