Elastic Search Connector Fails on ca_certs config when running in Docker

Rather than retype the entire issue, the following topic is exactly what I am running into with no resolution. I have tried everything with no luck! Can someone PLEASE respond with something that has worked for them? Thanks!

Hi Matt, can you share this portion of your config (ca_certs)? Are you running on unix?

This is the relevant line in the config. I am running on WSL2 Ubuntu on Windows, but the result is the same whether I run it through WSL2 or PowerShell.

elasticsearch.ca_certs: "/home/myuser/Sandbox/http_ca.crt"

Can you try putting the certificate into the same folder where your connectors repository is pulled into and use elasticsearch.ca_certs: "./<your_cert_file>"?

Thanks for the suggestion. I've actually tried that exact thing with the same result. The path was as you suggested "./http_ca.crt"

Hmm, it's weird. I'm not sure how the Windows Subsystem for Linux functions. In this case I would suggest additionally checking the file's permissions and that the user running connectors is actually able to reach the file.

I checked on an EC2 instance and a local macOS machine, and using elasticsearch.ca_certs: "./<your_cert_file>" worked for me.

Cert permissions were -rw-r--r--

Yeah, I even gave the cert file 777 permissions just to take that out of the equation. It seems like quite a few people have this issue though based on my searches.

Since I cannot reproduce it locally I might need your help to debug this.

The code that raises it is here.

You can edit this file in your local deployment, it should be inside the connectors directory (for me it's in lib/python3.10/site-packages/elastic_transport/_node/_http_aiohttp.py). You can just add a print(ca_certs) on line 102 and see what's inside the variable.

If it's a valid path, you can try just using python and experimenting a bit by running bin/python and doing exactly what elastic_transport is doing:

print(os.path.isfile(ca_certs))

This should give good hints on how to proceed with this problem.

I actually thought about doing that but I’m using the dockerized version of the connector so don’t have access to the source. This is through the config.yml that gets copied into the docker container on run.

I tried to go the route of building from source but was having issues with the make install command. I was using python3.12 and it didn’t seem to like that version.

You should still be able to do this in the dockerized version of the connector connecting to it via docker exec -u root -it $CONTAINER_ID /bin/sh.

Just to double check, how do you copy the certs into the docker image?

Well, when I have the http_ca.crt file inside the same directory as the virtual environment volume and use the path "./http_ca.crt" as the value of the elasticsearch.ca_certs element, I guess I figured it would have access to it without an explicit need to copy it in. Maybe that's my misunderstanding. This is the docker command I am using to run the container:

docker run -v "/home/mytest/Sandbox/connectors:/config" --rm --tty -i --network "elastic" docker.elastic.co/enterprise-search/elastic-connectors:8.13.3.0 /app/bin/elastic-ingest -c /config/config.yml

I tried it out with docker and it worked well for me - I had to put ca_cert: "/config/http_ca.crt" when the certificate was put into the same folder that is mounted as :/config.

In your case you would need the certificate in the /home/mytest/Sandbox/connectors directory and put ca_cert: "/config/http_ca.crt" into your config file.
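
The host-to-container path mapping described in the reply above, as an added example that is not part of the original thread or the connectors project. The function names are hypothetical, the sample paths are taken from the posts above, and the container working directory /app is an assumption; POSIX-style paths (as in WSL2) are assumed.

```python
import posixpath

def parse_bind_mounts(volume_args):
    """Turn docker -v "host:container[:opts]" values into (host, container) pairs."""
    mounts = []
    for spec in volume_args:
        host, container = spec.split(":")[:2]
        mounts.append((posixpath.normpath(host), posixpath.normpath(container)))
    return mounts

def container_path_for(host_path, mounts):
    """Return the path the container sees for a host file, or None when the
    file is not under any bind-mounted directory."""
    host_path = posixpath.normpath(host_path)
    for host_dir, container_dir in mounts:
        if host_path == host_dir or host_path.startswith(host_dir.rstrip("/") + "/"):
            rel = posixpath.relpath(host_path, host_dir)
            return posixpath.normpath(posixpath.join(container_dir, rel))
    return None

def check_ca_certs(configured, host_cert, mounts, workdir="/app"):
    """Compare the configured ca_certs value with what the container can see."""
    expected = container_path_for(host_cert, mounts)
    if expected is None:
        return "cert is outside every mounted directory; move it or add a -v mount"
    # A relative value resolves against the working directory inside the
    # container (assumed to be /app here), not against the mounted folder.
    resolved = posixpath.normpath(posixpath.join(workdir, configured))
    if resolved == expected:
        return "ok"
    return (f"set elasticsearch.ca_certs to {expected!r} "
            f"(configured value resolves to {resolved!r})")

if __name__ == "__main__":
    # Constructed sample: the -v value from the docker run command above.
    mounts = parse_bind_mounts(["/home/mytest/Sandbox/connectors:/config"])
    cert = "/home/mytest/Sandbox/connectors/http_ca.crt"
    for value in ("./http_ca.crt", "/config/http_ca.crt"):
        print(value, "->", check_ca_certs(value, cert, mounts))
    # A cert kept outside the mounted folder is never visible in the container.
    print(check_ca_certs("/config/http_ca.crt",
                         "/home/myuser/Sandbox/http_ca.crt", mounts))
```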

Well, it won’t let me reply with my other fix, but what you described was part of the problem. There was another with the IP address, but I solved that. Thanks for the help!

Do you mind sharing what the other problem was and how you fixed it, so that we could update the connectors documentation accordingly?