Elasticsearch Java REST clients


(John Mc Afee) #1

Hello,

I am using Elasticsearch 6.2.2 and am attempting to create a connection to my ES server using the Java Rest Clients. Here is the code I am using for the connection:

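    // Declaration missing from the posted snippet; BasicCredentialsProvider is the Apache HttpClient implementation
    final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
    credentialsProvider.setCredentials(AuthScope.ANY,
            new UsernamePasswordCredentials("username", "password"));

    RestHighLevelClient client = new RestHighLevelClient(
            RestClient.builder(new HttpHost("server-name", 9200, "https"))
                    .setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
                        @Override
                        public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                            // Only credentials are configured here; TLS trust falls back to the JVM default truststore
                            return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
                        }
                    }));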

When executed, I get the following error:

    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker$1.run(Unknown Source)
        at sun.security.ssl.Handshaker$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:281)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:339)
        ... 9 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 18 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)

It looks like it is looking for the trustStore/keystore. Not sure why I need to provide that for Basic Auth. With the regular Java Client and XPack installed, it was necessary to use the PreBuiltXPack.... client instead of the regular client. Does the REST client require such a change, or am I just missing something?

Thanks a bunch!


(Tim Vernum) #2

> It looks like it is looking for the trustStore/keystore. Not sure why I need to provide that for Basic Auth.

This is not trying to use TLS/Keys for authentication; the problem is that the REST client doesn't trust the certificate that your Elasticsearch node is providing.

You can use TLS for authentication (PKI), but that's a separate issue.

Your Elasticsearch cluster is using certificates that are signed by a CA that your client JVM doesn't trust. The 3 likely causes are:

  • You generated a custom CA for your cluster
  • You are using a corporate CA for your cluster, but your client JVM doesn't trust that cert
  • You are using a public CA, but your client JVM doesn't have a complete set of up-to-date CA certs. This is quite common when using OpenJDK builds.

This doc provides some guidance on configuring a truststore in your client. The exact steps you need will depend on how you've configured SSL for http on your ES nodes.
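
As an added example (not code from either poster or from the Elasticsearch project), here is one way to give the 6.x REST client from post #1 a truststore so that certificate validation succeeds while Basic Auth stays in place. The truststore file name, its password, and the `TrustedEsClient` class name are assumptions; the truststore is assumed to hold only the CA that signed the cluster's HTTP certificates.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestHighLevelClient;

public class TrustedEsClient {  // hypothetical class name
    // Assumed input: a JKS truststore created from the cluster CA, e.g.
    //   keytool -importcert -alias es-ca -file ca.crt -keystore es-truststore.jks
    public static RestHighLevelClient build(String truststorePath, char[] truststorePass,
                                            String user, String password) throws Exception {
        KeyStore truststore = KeyStore.getInstance("jks");
        try (InputStream in = Files.newInputStream(Paths.get(truststorePath))) {
            truststore.load(in, truststorePass);
        }
        // A null TrustStrategy keeps full PKIX path validation; only the anchors change.
        // This context replaces the JVM default truststore for this client alone.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(truststore, null)
                .build();

        CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(AuthScope.ANY,
                new UsernamePasswordCredentials(user, password));

        // TLS trust and Basic Auth are independent settings on the same HTTP client builder
        return new RestHighLevelClient(
                RestClient.builder(new HttpHost("server-name", 9200, "https"))
                        .setHttpClientConfigCallback(b -> b
                                .setSSLContext(sslContext)
                                .setDefaultCredentialsProvider(credentialsProvider)));
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path, password and credentials; ping() with no arguments is the 6.2-era signature
        try (RestHighLevelClient client = build("es-truststore.jks",
                "changeit".toCharArray(), "username", "password")) {
            System.out.println("ping: " + client.ping());
        }
    }
}
```

Hostname verification is left at the HTTP client's default, so the node certificate must also carry a subject alternative name matching the host the client connects to.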


(John Mc Afee) #3

Tim,

Thanks for the reply! I will get with our admins and try to sort this out.

Much appreciated!

John

