Disabling certificate verification for watcher emails?


(Horaci Macias) #1

Is there any way to disable SSL certificate validation for emails sent through Watcher?

I'm having trouble integrating with an SMTP server even after adding the certificate and CA certificate to the truststore.
At least for a test, if I can do something like setting


I can confirm connectivity. Is there any way to pass this property or anything along those lines?

(Ioannis Kakavas) #2

Hi Horaci,

Unfortunately this is not currently possible via Elasticsearch's configuration. We're tracking progress for this feature request in this issue

For the time being, the only workaround is to add the CA certificate that has signed your SMTP server's certificate to the trusted CAs of the JVM that Elasticsearch runs in.

(Horaci Macias) #3

thanks Ioannis for the quick reply.

Looking at https://github.com/elastic/elasticsearch/blob/1f72afa77314d27208e710398f65f701c865ea1f/x-pack/plugin/watcher/src/main/java/org/elasticsearch/xpack/watcher/notification/email/EmailService.java I noticed

    private static final Setting.AffixSetting<String> SETTING_SMTP_SSL_TRUST_ADDRESS =
            Setting.affixKeySetting("xpack.notification.email.account.", "smtp.ssl.trust",
                    (key) -> Setting.simpleString(key, Property.Dynamic, Property.NodeScope));

and was hoping this would be a potential approach. Are you saying nobody is actually reading that setting when sending the email out?



(Ioannis Kakavas) #4

Looks like this change was introduced again ( I was not aware, sorry ), but we're missing the documentation for it and there is an open issue to address the lack of documentation

Did you actually try it?

(Horaci Macias) #5

thanks. yes, I tried it but it didn't work; I got the following exception:

[2018-10-02T15:27:19,905][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [
ode_name][]  uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: unknown setting [mail.smtp.ssl.trust] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:140) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:127) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.4.0.jar:6.4.0]
        at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.4.0.jar:6.4.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:86) ~[elasticsearch-6.4.0.jar:6.4.0]
Caused by: java.lang.IllegalArgumentException: unknown setting [mail.smtp.ssl.trust] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
        at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:393) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:339) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:311) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:282) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.common.settings.SettingsModule.<init>(SettingsModule.java:135) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.node.Node.<init>(Node.java:343) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.node.Node.<init>(Node.java:256) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.4.0.jar:6.4.0]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.4.0.jar:6.4.0]

however I'm still testing as on another environment the same setup (I'm using the same docker image) doesn't seem to complain about such an invalid config (trouble is on this other environment I don't have access to the smtp server causing me trouble).

Is there any setting to disable elasticsearch configuration validation so I can test on the environment with access to the smtp server using the invalid certificate?
can you think of any reason why apparently the same setup would throw such exception on one environment and not the other?

thanks again,


(Ioannis Kakavas) #6

The config option reintroduced in 6.3.2 should be:


in the same manner as you'd set any other watcher email notification settings.

No, not really.

No, again, not really. I'd check if the config keys are the same and if the extra config key is indeed added to the configuration file. Are both environments using the same Elasticsearch version?

(Horaci Macias) #7

thanks Ioannis, I have a bit more information now.

The difference between the working/failing environment was not the elasticsearch.yml file but an environment property.
As soon as I have an environment property with name "mail.smtp.ssl.trust", elastic won't start.
At least now I have elastic up and running again. Sorry for the confusion before.

Regarding the config option reintroduced, can you please clarify where should this be setup?
At the email account level in elasticsearch.yml?
Would this be the correct way? I'm using environment properties for all values.

            from: ${ES_FROM_EMAIL}
          auth: ${ES_SMTP_AUTH}
          starttls.enable: ${ES_SMTP_STARTTLSENABLE}
          starttls.required: ${ES_SMTP_STARTTLSREQUIRED}
          host: ${ES_SMTP_HOST}
          port: ${ES_SMTP_PORT}
          user: ${ES_SMTP_USER}
          ssl.trust: ${ES_SMTP_HOST}
          password: ${ES_SMTP_PASSWORD}



(Horaci Macias) #8

answering my own question, I can confirm the format above works for me and I was able to successfully get an email sent through that smtp server.

thanks again Ioannis for your support!

(Ioannis Kakavas) #9

You're most welcome. FYI, I opened https://github.com/elastic/elasticsearch/pull/34275 to fix the missing documentation

(system) #10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.