Hi,
On my local Ubuntu machine, I am running Elasticsearch in a Docker container:
docker run --name es01 --net elastic -p 9200:9200 -it -m 1GB \
-e "discovery.type=single-node" \
-e "network.host=0.0.0.0" \
docker.elastic.co/elasticsearch/elasticsearch:8.17.2
On the other side, I am running 3 Docker containers via Docker Compose, which run APIs.
One of the containers should access Elasticsearch. Everything is working well with cert_verifs=False. However, with cert_verifs=True and using the default http_ca.crt, I got an error that the certificate is not valid for es01, which makes sense as it is valid only for localhost, if I understand correctly. I tried to create a new certificate, adding es01 to the DNS list, using these commands:
elasticsearch-certutil ca --pem --out elastic-stack-ca.zip
elasticsearch-certutil cert --name es01 \
--dns es01 --dns host.docker.internal \
--ip 127.0.0.1 \
--ca-cert path/to/ca/ca.crt \
--ca-key path/to/ca/ca.key \
--pem --out es01-cert.zip
I use ca.crt as the certificate and copy it into the Docker container that runs the API. I also added it to the ca-certificates by adding these lines in the Dockerfile:
COPY ca.crt /usr/local/share/ca-certificates/ca.crt
RUN update-ca-certificates
However, I still get the famous error:
elastic_transport.TlsError: TLS error caused by: SSLError([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain
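
The error above is a chain-trust failure (OpenSSL verify error 19), a different check from the hostname mismatch described earlier in the post. The following is an added example, not part of the original post, that reproduces both checks offline with openssl; the two CAs `new_ca` and `old_ca` are constructed stand-ins, and openssl replaces elasticsearch-certutil as an assumption for the lab.

```bash
#!/usr/bin/env bash
# Constructed lab: new_ca stands in for the CA made with elasticsearch-certutil,
# old_ca for any other CA the client might trust instead. All files are
# generated in a temp directory; no cluster is contacted.
set -eu
LAB=$(mktemp -d)

make_ca() {  # $1 = CA name -> $LAB/$1.key and self-signed $LAB/$1.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.crt" 2>/dev/null
}

make_leaf() {  # $1 = signing CA -> $LAB/es01.crt with the SANs from the post
  printf 'subjectAltName=DNS:es01,DNS:host.docker.internal,IP:127.0.0.1\n' \
    > "$LAB/san.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=es01" \
    -keyout "$LAB/es01.key" -out "$LAB/es01.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/es01.csr" -days 1 -extfile "$LAB/san.ext" \
    -CA "$LAB/$1.crt" -CAkey "$LAB/$1.key" -CAcreateserial \
    -out "$LAB/es01.crt" 2>/dev/null
}

# Chain trust: $1 = CA the client trusts, $2 = CA cert the server sends along.
chain_result() {
  openssl verify -CAfile "$LAB/$1.crt" -untrusted "$LAB/$2.crt" \
    "$LAB/es01.crt" 2>&1 || true
}

# Hostname check, independent of chain trust: is $1 in the leaf's SAN list?
san_covers() {
  openssl x509 -in "$LAB/es01.crt" -noout -checkhost "$1" | grep -q 'does match'
}

make_ca new_ca
make_ca old_ca
make_leaf new_ca

echo "client trusts new_ca: $(chain_result new_ca new_ca)"
echo "client trusts old_ca: $(chain_result old_ca new_ca)"   # OpenSSL error 19
for name in es01 localhost; do
  if san_covers "$name"; then echo "SAN covers $name"
  else echo "SAN does not cover $name"; fi
done
```

Against a running node, `openssl s_client -connect localhost:9200 -showcerts` prints the chain the server actually presents, which can then be compared with the CA file the client is configured to trust.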