ES Rest Client - trust all certificates

Hello!

For Dev-Ops testing we want to make an untrusted connection.
I found a self-side solution here, but will be glad to avoid the key part.

RestClientBuilder restHttp;
// ....
restHttp.setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
                .setDefaultCredentialsProvider(finalCredentialsProvider));
rhlClient = new RestHighLevelClient(restHttp);			

Can I trust all certificates?

Thanks!

?
thanks!

Please be patient in waiting for responses to your question and refrain from pinging multiple times asking for a response or opening multiple topics for the same question. This is a community forum, it may take time for someone to reply to your question. For more information please refer to the Community Code of Conduct specifically the section "Be patient". Also, please refrain from pinging folks directly, this is a forum and anyone that participates might be able to assist you.

If you are in need of a service with an SLA that covers response times for questions then you may want to consider talking to us about a subscription.

It's fine to answer on your own thread after 2 or 3 days (not including weekends) if you don't have an answer.

TLS configuration is handled by an HttpClientConfigCallback object as we explain here: https://www.elastic.co/guide/en/elasticsearch/client/java-rest/master/_encrypted_communication.html

In short you need to create an SSLContext using a custom TrustManager that performs no check of the certificate.

WARNING: THIS IS UNTESTED AND EXTREMELY DANGEROUS TO USE

  1. Create a TrustManager like here: https://github.com/elastic/elasticsearch/blob/2efd22454a62e7387c51eb0cd973e5ff7a3fb09f/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/TrustAllConfig.java#L36

  2. Create an SSLContext like

SSLContext context = SSLContext.getInstance("TLS");
context.init(null, new TrustManager[]{trustAllTrustManager}, new SecureRandom());
  3. Pass that context to HttpAsyncClientBuilder as shown in the docs above
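
A narrower alternative to the trust-all TrustManager in the steps above, added here as an example (not code from the original posts or from Elastic): it builds the SSLContext from the cluster's CA certificate alone, with JDK classes only and no private key or keystore password. The class name `DevCaSslContext`, the method `fromCaPem` and the PEM path argument are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class DevCaSslContext {

    /** Builds an SSLContext that trusts only the CA certificate(s) in the given PEM file. */
    static SSLContext fromCaPem(Path caPem) throws Exception {
        // Empty in-memory trust store: nothing from the JVM default cacerts is included.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);

        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        int count = 0;
        try (InputStream in = Files.newInputStream(caPem)) {
            for (Certificate cert : factory.generateCertificates(in)) {
                X509Certificate x509 = (X509Certificate) cert;
                x509.checkValidity(); // fail early on an expired or not-yet-valid CA
                trustStore.setCertificateEntry("dev-ca-" + count++, x509);
            }
        }
        if (count == 0) {
            throw new IllegalArgumentException("no certificate found in " + caPem);
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return context;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the CA certificate in PEM form (assumed to be exported from the dev cluster)
        SSLContext context = fromCaPem(Paths.get(args[0]));
        System.out.println("SSLContext ready, protocol: " + context.getProtocol());
        // Pass `context` to httpClientBuilder.setSSLContext(...) in the HttpClientConfigCallback.
    }
}
```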

Thank you very much for your response and sorry for my badgering..

I'll be glad to get some more help here (I'm really not familiar with certification, we know it's unrecommended to do, it's only a temporary solution for our devops)

I got all the needed classes from GitHub and added an SSL Context:

SSLContext context = null;
if (esConnectionConfiguration.isTrustingAllCertificates()) {
	try {
		context = SSLContext.getInstance("TLS");
		context.init(null, new TrustManager[]{TrustAllConfig.TRUST_MANAGER}, new SecureRandom());
	} catch (NoSuchAlgorithmException | KeyManagementException e) {
		logger.warn(e.getMessage());
	}
}

RestClientBuilder restHttp = RestClient.builder(new HttpHost(InetAddress.getByName(esConnectionConfiguration.getHost()),
		esConnectionConfiguration.getPort(), esConnectionConfiguration.getScheme()));

CredentialsProvider finalCredentialsProvider = credentialsProvider;
SSLContext finalContext = context;
restHttp.setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
		.setSSLContext(finalContext)
		.setDefaultCredentialsProvider(finalCredentialsProvider));

rhlClient = new RestHighLevelClient(restHttp);

rhlClient.info(RequestOptions.DEFAULT);

Running this code hangs the app forever; after a force stop I get this long error:

Exception in thread "I/O dispatcher 13" java.lang.NoSuchMethodError: org.apache.commons.codec.binary.Base64.<init>(I)V
at org.apache.http.impl.auth.BasicScheme.authenticate(BasicScheme.java:166)
at org.apache.http.impl.auth.HttpAuthenticator.doAuth(HttpAuthenticator.java:233)
at org.apache.http.impl.auth.HttpAuthenticator.generateAuthResponse(HttpAuthenticator.java:213)
at org.apache.http.impl.nio.client.MainClientExec.generateRequest(MainClientExec.java:224)
at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.generateRequest(DefaultClientExchangeHandlerImpl.java:134)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.requestReady(HttpAsyncRequestExecutor.java:193)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.connected(HttpAsyncRequestExecutor.java:134)
at org.apache.http.impl.nio.client.InternalIODispatch.onConnected(InternalIODispatch.java:63)
at org.apache.http.impl.nio.client.InternalIODispatch.onConnected(InternalIODispatch.java:39)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.connected(AbstractIODispatch.java:73)
at org.apache.http.impl.nio.reactor.BaseIOReactor.sessionCreated(BaseIOReactor.java:248)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processNewChannels(AbstractIOReactor.java:427)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:287)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
at java.base/java.lang.Thread.run(Thread.java:835)
Jun 09, 2020 5:30:10 PM org.apache.http.impl.nio.client.InternalHttpAsyncClient run
SEVERE: I/O reactor terminated abnormally
org.apache.http.nio.reactor.IOReactorException: I/O dispatch worker terminated abnormally
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor.execute(AbstractMultiworkerIOReactor.java:359)
at org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager.execute(PoolingNHttpClientConnectionManager.java:221)
at org.apache.http.impl.nio.client.CloseableHttpAsyncClientBase$1.run(CloseableHttpAsyncClientBase.java:64)
at java.base/java.lang.Thread.run(Thread.java:835)
Caused by: java.lang.NoSuchMethodError: org.apache.commons.codec.binary.Base64.<init>(I)V
at org.apache.http.impl.auth.BasicScheme.authenticate(BasicScheme.java:166)
at org.apache.http.impl.auth.HttpAuthenticator.doAuth(HttpAuthenticator.java:233)
at org.apache.http.impl.auth.HttpAuthenticator.generateAuthResponse(HttpAuthenticator.java:213)
at org.apache.http.impl.nio.client.MainClientExec.generateRequest(MainClientExec.java:224)
at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.generateRequest(DefaultClientExchangeHandlerImpl.java:134)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.requestReady(HttpAsyncRequestExecutor.java:193)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.connected(HttpAsyncRequestExecutor.java:134)
at org.apache.http.impl.nio.client.InternalIODispatch.onConnected(InternalIODispatch.java:63)
at org.apache.http.impl.nio.client.InternalIODispatch.onConnected(InternalIODispatch.java:39)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.connected(AbstractIODispatch.java:73)
at org.apache.http.impl.nio.reactor.BaseIOReactor.sessionCreated(BaseIOReactor.java:248)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processNewChannels(AbstractIOReactor.java:427)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:287)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
... 1 more

I also tried to not set setDefaultCredentialsProvider but got Elasticsearch exception [type=security_exception, reason=missing authentication credentials for REST request [/]] error.

Thank you again!

  1. Please go through https://www.elastic.co/guide/en/elasticsearch/client/java-rest/master/java-rest-low-usage.html to see how to setup the rest client in general and make sure you have done all necessary actions.

  2. Don't use elasticsearch's TrustAllConfig.java. I shared this as an inspiration; you can do with something simpler, all you need is the TrustManager from there.

  3. When asking for feedback please share the entire section of the code at the minimum, or even better a complete reproducible example. We can't guess what credentialsProvider is above and how you create it. We have examples for authentication in https://www.elastic.co/guide/en/elasticsearch/client/java-rest/master/_basic_authentication.html

Thank you again! I'll try 🙂