[Elasticsearch 8.3] Problem with the SSL encryption in the master node

Hello ,

I'm trying to configure a cluster of 3 nodes with SSL enabled, I first created the master node, then I managed to add the other 2 nodes with the enrollment token.

The issue is when I try to query the master node with the following command:

curl -XGET https://10.0.2.198:9200/_cluster/health?pretty

I receive the following error:


curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

and for a successful response, I would need to add the -k to make an unsecured request and add the username and password.

 curl -k -XGET https://10.0.2.198:9200/_cluster/health?pretty -u elastic
{
  "cluster_name" : "my-application",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 15,
  "active_shards" : 30,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

When I attempt to access this node from the browser, I receive this error:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication credentials for REST request [/_cluster/state?pretty]",
        "header" : {
          "WWW-Authenticate" : [
            "Basic realm=\"security\" charset=\"UTF-8\"",
            "Bearer realm=\"security\"",
            "ApiKey"
          ]
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication credentials for REST request [/_cluster/state?pretty]",
    "header" : {
      "WWW-Authenticate" : [
        "Basic realm=\"security\" charset=\"UTF-8\"",
        "Bearer realm=\"security\"",
        "ApiKey"
      ]
    }
  },
  "status" : 401
}

Can Someone enlighten me on this point, on what I'm missing and on how to solve this issue?

I think that has something to do with the self-issued certificate.

My Elasticseach version is 8.3

Cordially,

If someone could help , I will appreciate it

You can tell curl where to find the HTTP CA file so it can perform the certificate verification properly. The HTTP CA file is located under the config directory (PATH_TO/config/certs/http_ca.crt). So you can issue the curl command with something like:

curl --cacert PATH_TO/config/certs/http_ca.crt -u elastic https://10.0.2.198:9200/_cluster/health?pretty

When I attempt to access this node from the browser, I receive this error:

The error is 401 which means you did not provide a valid credential for authentication. This has nothing to do with certificate verification which comes before authentication. Since you have reached authentication (albeit failed), it means you have passed the certificate verification (perhaps you have instructed the browser to trust the connection).

2 Likes

Thank you so much Mr. Yang !