Curl: (60) SSL certificate problem: self signed certificate in certificate chain

curl --cacert certs/ca/ca.crt -u elastic:"xyz" 'url'

I am getting the below error while trying to execute the above curl command:

curl: (60) SSL certificate problem: self signed certificate in certificate chain

but the curl command does give an output with the -k flag.

Even if I try to access Elasticsearch from the browser at ip:
I am getting an empty reply from server error.

Can anyone please help?

Add the -v switch to your curl; it will provide more debugging information.

What version of Elastic and what OS are you on?

Assume you are using https, hard to tell when you don't share.

Hi stephenb,
yes I am using https, Elastic version 8.11.1 and it is Linux OS.

I have deployed both Elasticsearch and Kibana as pods in a Kubernetes cluster.

When I try with the -v switch I am getting this:

method= https
ip:10.233.29.65
* Rebuilt URL to: method://ip:9200/
* Uses proxy env variable no_proxy == '127.0.0.1,localhost,169.254.169.254'
*   Trying 10.233.29.65...
* TCP_NODELAY set
* Connected to 10.233.29.65 (10.233.29.65) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: certs/instance/instance.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain

I am also getting an empty server response when I try it from the browser.

@Dasara_Saarthak, forgot to say welcome to the community.

Try using the full path to the CA cert, not a relative one, in the curl; also make sure the file has the correct read permission.

Plus, please always show the command + the entire result, otherwise it is only half the information.

certs/instance/instance.crt

That does not look like the CA.

Also looks like perhaps you have a proxy involved.

Thanks for welcoming me @stephenb,

below is the full command I've used; the instance.crt I included here by mistake.
The original command I've used is:

method=https

[root@sindhuoneexternalelastic-k8sc-node1-1 ~]# curl -v --cacert ~/certs/ca/ca.crt --key certs/ca/ca.key -u elastic:"password" 'method:ip:9200'

* Rebuilt URL to: method://ip:9200/
*   Trying 10.233.29.65...
* TCP_NODELAY set
* Connected to 10.233.29.65 (10.233.29.65) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ~/certs/ca/ca.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it.

I have no proxy enabled, but still I've deleted the no_proxy env variable which was there in my previous reply.
I have also provided the entire path this time.

As I suggested, please try the full path, not a relative one. Also, did you check permissions on that file?
chmod 644 ca.crt

Are you running that command from the command line or inside something like Postman?

Also, can you run -v -k on the same command? Sometimes we get more information that way: it will go through and will still give more verbose information.

Try the full path, not a relative one.

I am executing it from the command line, and if I do it from the browser I get an empty response error.

This is what I got using the -v -k flags in curl:

[root@sindhuoneexternalelastic-k8sc-node1-1 ~]# curl -v -k --cacert /root/certs/ca/ca.crt --key /root/certs/ca/ca.key -u elastic:"password" 'method://ip:9200'

* Rebuilt URL to: method://ip:9200/
*   Trying 10.233.29.65...
* TCP_NODELAY set
* Connected to 10.233.29.65 (10.233.29.65) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /root/certs/ca/ca.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=elasticsearch-7976c79b6f-4bdcf
*  start date: Nov 18 21:01:39 2023 GMT
*  expire date: Nov 17 21:01:39 2025 GMT
*  issuer: CN=Elasticsearch security auto-configuration HTTP CA
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user 'elastic'
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: 10.233.29.65:9200
> Authorization: Basic ZWxhc3RpYzpuSjNVdWFFOHAyWjFRSTNVb2xVRA==
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
< content-type: application/json
< content-length: 558
<
{
  "name" : "elasticsearch-7976c79b6f-4bdcf",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "B5eVPNLdT0-h9F0Y_yDs2A",
  "version" : {
    "number" : "8.11.1",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "6f9ff581fbcde658e6f69d6ce03050f060d1fd0c",
    "build_date" : "2023-11-11T10:05:59.421038163Z",
    "build_snapshot" : false,
    "lucene_version" : "9.8.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

Is the server also sending the root CA in the reply? This is by definition self-signed. It only needs to send the server cert. You might get an error 20 as it might not be trusted.

Can you show exactly how you created the Elasticsearch certificates and your elasticsearch.yml?

I have pulled the Docker image and deployed it as a pod using the following YAML file:

deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: elasticsearch
spec:
  replicas: 1
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      securityContext:
        runAsUser: 1000
      containers:
      - name: nspos-elasticsearch
        image: docker.elastic.co/elasticsearch/elasticsearch:8.11.1
        ports:
        - containerPort: 9200
        resources:
          requests:
            cpu: 100m
            memory: 1Gi
          limits:
            cpu: 12

---
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch-service
spec:
  selector:
    app: elasticsearch
  ports:
  - name: http
    protocol: TCP
    port: 9200
    targetPort: 9200
  - name: transport
    protocol: TCP
    port: 9300
    targetPort: 9300

After it got deployed I exec'd into the pod and used
./elasticsearch-certutil ca --pem to generate ca.crt and ca.key,
then used
./elasticsearch-certutil cert --ca-cert ca.crt --ca-key ca.key --pem
to generate the cert and get it signed by the CA.
This generated instance.crt and instance.key.

Now I edited the YAML file to include them; this is my elasticsearch.yml file in /usr/share/elasticsearch/config/:

cluster.name: "docker-cluster"
network.host: 0.0.0.0

#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically
# generated to configure Elasticsearch security features on 18-11-2023 21:01:33
#
# --------------------------------------------------------------------------------

# Enable security features
xpack.security.enabled: false

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  certificate: /usr/share/elasticsearch/config/certs/all-certs/instance/instance.crt
  key: /usr/share/elasticsearch/config/certs/all-certs/instance/instance.key
  certificate_authorities: /usr/share/elasticsearch/config/certs/all-certs/ca/ca.crt

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

# Create a new cluster with the current node only
# Additional nodes can still join the cluster later

To me it looks like you are not generating the http certs correctly: you are using cert mode; you should be using http mode.

See here for http mode

You can follow the directions

OK, but the file already there in /usr/share/elasticsearch/config/certs/http_ca.crt should work if I give this command, right?
curl -v --cacert http_ca.crt -u elastic:a_fmYLwO5dPe-mTYwAgq method://ip:port

My point is that that is the wrong command... it does not generate the correct http certs, and then you are using them in the elasticsearch config... So the HTTP endpoint is not using the correct type of cert.

So the correct cert is never presented via the http endpoint.
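The two failure modes stephenb describes (the node presenting a certificate issued by a CA that is not the one given to --cacert, with or without its self-signed root in the chain) reproduced with openssl. This is an added example, not from the thread: the CAs, the node certificate and the names httpca/handca are constructed on the fly, and curl's codes (19) and 20 come from the same OpenSSL verifier openssl verify uses.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce curl's verify errors with openssl
# against certificates constructed on the fly. Names below are hypothetical.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# make_ca <basename> <CN>: a self-signed CA, like certutil "ca" or the
# Elasticsearch security auto-configuration produce.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}
make_ca httpca "Elasticsearch security auto-configuration HTTP CA"  # issuer the node really serves
make_ca handca "Hand-made CA"                                       # the ca.crt passed to --cacert

# Leaf certificate for the node, issued by httpca only.
openssl req -newkey rsa:2048 -nodes -keyout node.key -out node.csr \
  -subj "/CN=elasticsearch-node" >/dev/null 2>&1
openssl x509 -req -in node.csr -CA httpca.crt -CAkey httpca.key -CAcreateserial \
  -out node.crt -days 2 >/dev/null 2>&1

# verify_code <cafile> <leaf> [chain-file]: print the X509 verify error number
# openssl reports, 0 on success. curl uses the same OpenSSL verifier, so these are
# the "(19)" and "error 20" codes mentioned in the thread.
verify_code() {
  if [ -n "$3" ]; then
    set -- -CAfile "$1" -untrusted "$3" "$2"   # server also sent its root CA
  else
    set -- -CAfile "$1" "$2"                   # server sent only its own cert
  fi
  if out=$(openssl verify "$@" 2>&1); then echo 0; return; fi
  echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Compare curl's "issuer:" line with the subject of the file given to --cacert;
# if they differ, no path, permission or proxy fix will make verification pass.
leaf_issuer() { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }
ca_subject()  { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }

echo "node.crt issuer   : $(leaf_issuer node.crt)"
echo "handca.crt subject: $(ca_subject handca.crt)"
echo "trust httpca, leaf only   -> $(verify_code httpca.crt node.crt)"            # 0
echo "trust handca, leaf only   -> $(verify_code handca.crt node.crt)"            # 20
echo "trust handca, leaf + root -> $(verify_code handca.crt node.crt httpca.crt)" # 19
```

Run it on a real node by replacing node.crt with the chain saved from openssl s_client -showcerts and handca.crt with the file you pass to --cacert.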

Hi stephenb, I am using the Elasticsearch Helm chart and raised a separate ticket regarding the certificate issue; can we move our discussion there?

I do not know how to merge the topics... I would just link to the or just copy the relevant information.

Also, did you understand my previous post? You are not running the correct command to create the http certs.

Yes, I did understand your previous comment.
In order to run the command I should restart Elasticsearch, right? So in a pure Docker based deployment, if I do that the entire changes are lost, so I moved to a Helm based installation.
We can just link to the other ticket and discuss there.

You can do that... I do not know what other Topic you are talking about. You can just paste a link here yourself... we are not so formal... this is just a community forum :slight_smile:

Actually, that is not correct; with mounted volumes data can be persisted...

Did you look at:

Start a multi-node cluster with Docker Compose

It does everything, sets up everything...

Also, if you are going to use K8s, I would use the ECK Operator and look at this repo.

Honestly, I think you should get all your information / questions together and open a new Topic... with a good Subject...

This topic is old, only talks about curl, and probably no one is going to look at it except me.

it all depends on what you are actually trying to accomplish... which is unclear to me...

That is just my suggestion.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.