Difficulty Making a REST API Call to ElasticSearch

Hello, I'm currently trying to follow the steps for installing Elasticsearch with Docker (Install Elasticsearch with Docker | Elasticsearch Guide [8.11] | Elastic) and I'm struggling with making a REST API call to Elasticsearch. I'm on Windows and I've followed all steps exactly, but I'm stuck at this command:

```
curl --cacert http_ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200
```

I've copied the http_ca.crt SSL certificate to my local machine, but when I run the curl command above, I get the following error:

```
C:\Users\conno>curl --cacert http_ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200
curl: (60) schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN
More details here: curl - SSL CA Certificates
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

I've also tried installing this SSL certificate in my Trusted Root Certification Authorities store, but this hasn't resolved the problem. Does anyone know how to resolve this issue?

Hi @Conrad414 Welcome to the community

Add -v to your curl command and you will get more detail.

Also try the full path to the CA cert.
And are the permissions correct?
What OS are you using curl on?

Try

```
curl -k -v --cacert C:\Users\conno\http_ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200
```

If this is a corp windows box, there may be some strict SSL cert policies

This is the output after running curl with -k and -v:

```
C:\Users\conno>curl -k -v --cacert http_ca.crt -u elastic:%ELASTIC_PASSWORD% https://localhost:9200

* Trying 127.0.0.1:9200...
* Connected to localhost (127.0.0.1) port 9200 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* using HTTP/1.x
* Server auth using Basic with user 'elastic'

> GET / HTTP/1.1
> Host: localhost:9200
> Authorization: Basic ZWxhc3RpYzpEZjRhMllKTzM5X0swSHFzSEdCSA==
> User-Agent: curl/8.0.1
> Accept: */*

* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
< content-type: application/json
< content-length: 539
<
{
  "name" : "3bff5d8f3dfa",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "9P9DuSXvSZK--JaIW4EDIw",
  "version" : {
    "number" : "8.9.1",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "a813d015ef1826148d9d389bd1c0d781c6e349f0",
    "build_date" : "2023-08-10T05:02:32.517455352Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host localhost left intact
```

Also I'm running this on Windows 11 Home on the Command Line, and this is my personal laptop.

And here is the output from the command without -k:

```
C:\Users\conno>curl -v --cacert C:\Users\conno\http_ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200

* Trying 127.0.0.1:9200...
* Connected to localhost (127.0.0.1) port 9200 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* schannel: added 1 certificate(s) from CA file 'C:\Users\conno\http_ca.crt'
* schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN
* Closing connection 0
* schannel: shutting down SSL/TLS connection with localhost port 9200
curl: (60) schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN
More details here: curl - SSL CA Certificates
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

And Ok so now it works with -k

I can not comment too much about Windows certs etc., but the command with -k (which means do not validate the CA) shows that everything is working BUT the cert / CA is not being validated / honored.

You will need to read about Windows certs and the article that was linked. Basically your laptop does not want to honor self-signed certs / CAs.

Also, please learn how to format your code: look at / edit your last post and you will see I added 3 backticks before and after your code; that will properly format it.

From the link given here perhaps try

If you are using the curl command line tool, you can specify your own CA cert file by setting the environment variable CURL_CA_BUNDLE to the path of your choice. If you are using the curl command line tool on Windows, curl will search for a CA cert file named "curl-ca-bundle.crt" in these directories and in this order:

  1. application's directory
  2. current working directory
  3. Windows System directory (e.g. C:\windows\system32)
  4. Windows Directory (e.g. C:\windows)
  5. all directories along %PATH%
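
An added example, not part of the original thread: a PowerShell check that keeps certificate verification on instead of using `-k`. It assumes the Windows-bundled `curl.exe` (Schannel build, 7.70.0 or later), `http_ca.crt` in the user profile as in the thread, and `ELASTIC_PASSWORD` set in the session; that the failure comes from a CA certificate with no reachable revocation endpoint is this example's assumption, and the function names are hypothetical.

```powershell
# Added example; function names are hypothetical, paths follow the thread.
$CaPath = Join-Path $env:USERPROFILE 'http_ca.crt'
$Url    = 'https://localhost:9200'

function Get-CertSha256 {
    param([string]$Path)
    # Fingerprint of the certificate (DER bytes), not of the PEM file on disk.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    try { ($sha.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

function Invoke-EsCheck {
    param([string[]]$ExtraArgs = @())
    # curl.exe, not "curl": Windows PowerShell aliases "curl" to Invoke-WebRequest.
    & curl.exe --silent --show-error --cacert $CaPath @ExtraArgs `
        --user "elastic:$($env:ELASTIC_PASSWORD)" $Url | Out-Host
    return $LASTEXITCODE
}

if (-not $env:ELASTIC_PASSWORD) { throw 'ELASTIC_PASSWORD is not set in this session.' }
if (-not (Test-Path $CaPath))   { throw "CA file not found: $CaPath" }

# Compare this by eye with the HTTP CA fingerprint Elasticsearch printed at first start.
"CA SHA-256 fingerprint: $(Get-CertSha256 $CaPath)"

# 1. Strict attempt: chain, host name and revocation are all checked.
#    Exit code 60 is the certificate failure shown in the thread.
$rc = Invoke-EsCheck
if ($rc -eq 60) {
    # 2. Still validates the chain against http_ca.crt and the host name;
    #    only an undeterminable revocation status is tolerated.
    $rc = Invoke-EsCheck -ExtraArgs '--ssl-revoke-best-effort'
}
if ($rc -ne 0) { throw "curl exited with code $rc; verification was not disabled." }
```

Unlike `-k`, `--ssl-revoke-best-effort` (and the broader `--ssl-no-revoke`) leaves the `--cacert` chain check in force, so a server presenting a certificate from any other CA is still rejected. In `cmd.exe` the password variable is written `%ELASTIC_PASSWORD%`; `$ELASTIC_PASSWORD` is not expanded there.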
