Elasticsearch connection issue

Buddha · April 20, 2023, 8:38pm

Hello,

A bit of a noob on certs stuff and I had a previous question where I think I was complicating things to solve a connection issue to my Elasticsearch deployment:

The following is an image and an error message:

Caught exception while preforming bulk operation to Elasticsearch: Elasticsearch.Net.ElasticsearchClientException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.. Call: Status code unknown from: POST /_bulk ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Right now, set up is simple:

I run the docker compose file as outlined here: Install Elasticsearch with Docker | Elasticsearch Guide [8.7] | Elastic
The application is on one server and the Elasticsearch deployment is on another server

I was wondering how people solved this issue with their deployment?

FYI: The servers will be not connected to the internet, so I could use http... maybe I could add say http.port into the ENV to connect via http?

Mike

dadoonet · April 20, 2023, 9:16pm

This is a self signed certificate which explains the behavior.
When using curl, you can disable this check using -k option but this is only intended for tests and not for production, where you need to provide a real ssl certificate.

Buddha · April 21, 2023, 1:46am

Hmm, bring a noob on these certificate matters, could you point me to any documentation of how to dockerize an Elasticsearch cluster using a real ssl certificate?

On the other hand, my deployment will never see the internet, is there anyway of using http?

Mike

dadoonet · April 21, 2023, 2:01am

Which client are you using to connect to Elasticsearch?

Buddha · April 21, 2023, 1:04pm

To connect with .net,

Elasticsearch.Net
Serilog.Sinks.Elasticsearch

To connect with python,

Elasticsearch

I could turn off verify SSL, but would like to know the right way if I do open things up to the internet and keep things safe.

Mike

dadoonet · April 21, 2023, 1:23pm

I think you could start from here: Manually configure security | Elasticsearch Guide [master] | Elastic

Buddha · April 22, 2023, 10:29am

I've read that I could add a self signed certificate in Ubuntu to make it a trusted entity. Based on this documentation: Installing a root CA certificate in the trust store | Ubuntu

I've copied all 4 .crt files found in the docker container folders:
/usr/local/share/ca-certificates/ca
/usr/local/share/ca-certificates/es01
/usr/local/share/ca-certificates/es02
/usr/local/share/ca-certificates/es03

to the host folder:
/usr/local/share/ca-certificates

then ran:
sudo update-ca-certificate

But that still gave me the same error. Maybe I'm not providing the right file? Wondering if anyone had any thoughts on this?

system · May 20, 2023, 10:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.