Is there any way to disable SSL certificate validation for emails sent through Watcher?
I'm having trouble integrating with an SMTP server even after adding the certificate and CA certificate to the truststore.
At least for a test, if I can do something like setting
mail.smtp.ssl.trust=mysmtpserver.com
I can confirm connectivity. Is there any way to pass this property or anything along those lines?
Hi Horaci,
Unfortunately this is not currently possible via Elasticsearch's configuration. We're tracking progress for this feature request in this issue
For the time being, the only workaround is to add the CA certificate that has signed your SMTP server's certificate to the trusted CAs of the JVM that Elasticsearch runs in.
thanks Ioannis for the quick reply.
private static final Setting.AffixSetting<String> SETTING_SMTP_SSL_TRUST_ADDRESS =
Setting.affixKeySetting("xpack.notification.email.account.", "smtp.ssl.trust",
(key) -> Setting.simpleString(key, Property.Dynamic, Property.NodeScope));
and was hoping this would be a potential approach. Are you saying nobody is actually reading that setting when sending the email out?
thanks,
H
Looks like this change was introduced again ( I was not aware, sorry ), but we're missing the documentation for it and there is an open issue to address the lack of documentation
Did you actually try it?
thanks. yes, I tried it but it didn't work; I got the following exception:
[2018-10-02T15:27:19,905][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [
ode_name][] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: unknown setting [mail.smtp.ssl.trust] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:140) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:127) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.4.0.jar:6.4.0]
at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.4.0.jar:6.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:86) ~[elasticsearch-6.4.0.jar:6.4.0]
Caused by: java.lang.IllegalArgumentException: unknown setting [mail.smtp.ssl.trust] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:393) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:339) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:311) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:282) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.common.settings.SettingsModule.<init>(SettingsModule.java:135) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.node.Node.<init>(Node.java:343) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.node.Node.<init>(Node.java:256) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.4.0.jar:6.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.4.0.jar:6.4.0]
however I'm still testing as on another environment the same setup (I'm using the same docker image) doesn't seem to complain about such an invalid config (trouble is on this other environment I don't have access to the smtp server causing me trouble).
Is there any setting to disable elasticsearch configuration validation so I can test on the environment with access to the smtp server using the invalid certificate?
can you think of any reason why apparently the same setup would throw such exception on one environment and not the other?
thanks again,
H
The config option reintroduced in 6.3.2 should be:
xpack.notification.email.account.smtp.ssl.trust
in the same manner as you'd set any other watcher email notification settings.
No, not really.
No, again, not really. I'd check if the config keys are the same and if the extra config key is indeed added to the configuration file. Are both environments using the same Elasticsearch version?
thanks Ioannis, I have a bit more information now.
The difference between the working/failing environment was not the elasticsearch.yml file but an environment property.
As soon as I have an environment property with name "mail.smtp.ssl.trust", elastic won't start.
At least now I have elastic up and running again. Sorry for the confusion before.
Regarding the config option reintroduced, can you please clarify where should this be setup?
At the email account level in elasticsearch.yml?
Would this be the correct way? I'm using environment properties for all values.
xpack.notification.email.account:
myaccount:
email_defaults:
from: ${ES_FROM_EMAIL}
smtp:
auth: ${ES_SMTP_AUTH}
starttls.enable: ${ES_SMTP_STARTTLSENABLE}
starttls.required: ${ES_SMTP_STARTTLSREQUIRED}
host: ${ES_SMTP_HOST}
port: ${ES_SMTP_PORT}
user: ${ES_SMTP_USER}
ssl.trust: ${ES_SMTP_HOST}
password: ${ES_SMTP_PASSWORD}
thanks,
H
answering my own question, I can confirm the format above works for me and I was able to successfully get an email sent through that smtp server.
thanks again Ioannis for your support!
You're most welcome. FYI, I opened https://github.com/elastic/elasticsearch/pull/34275 to fix the missing documentation
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.