GCP Repo giving certificate error

Hi,

I'm trying to install the GCP plugin as described here: https://www.elastic.co/guide/en/elasticsearch/plugins/6.3/repository-gcs.html

I'm also running this in Kubernetes, and am running a custom Docker image so that I can preinstall the GCP plugin and load the credentials file.

The container starts up happily, but when I try to actually execute a snapshot using:

PUT /_snapshot/my_gcs_repo, with a body of:

{
  "type": "gcs",
  "settings": {
    "bucket": "es-metrics",
    "base_path": "dev"
  }
}

I get a bunch of SSL error messages, mostly around an SSL handshake exception, with the message of java.security.cert.CertificateException: No subject alternative DNS name matching oauth2.googleapis.com found.

I get that it's related to the application not being able to find an appropriately configured cert, but... how do I fix it?

Thanks! :smiley:

Elasticsearch v6.3.2
No x-pack
Running in GCP Kubernetes

Snippet of the stack trace below:

[2018-12-17T11:32:17,120][WARN ][o.e.r.RepositoriesService] [JXtjUCp] failed to create repository [gcs][my_gcs_repository]
org.elasticsearch.common.blobstore.BlobStoreException: Unable to check if bucket [es-metrics] exists
	at org.elasticsearch.repositories.gcs.GoogleCloudStorageBlobStore.doesBucketExist(GoogleCloudStorageBlobStore.java:118) ~[?:?]
	at org.elasticsearch.repositories.gcs.GoogleCloudStorageBlobStore.<init>(GoogleCloudStorageBlobStore.java:75) ~[?:?]
	at org.elasticsearch.repositories.gcs.GoogleCloudStorageRepository.<init>(GoogleCloudStorageRepository.java:137) ~[?:?]
	at org.elasticsearch.repositories.gcs.GoogleCloudStoragePlugin.lambda$getRepositories$1(GoogleCloudStoragePlugin.java:129) ~[?:?]
	at org.elasticsearch.repositories.RepositoriesService.createRepository(RepositoriesService.java:383) [elasticsearch-6.3.2.jar:6.3.2]
	at org.elasticsearch.repositories.RepositoriesService.registerRepository(RepositoriesService.java:356) [elasticsearch-6.3.2.jar:6.3.2]
	at org.elasticsearch.repositories.RepositoriesService.access$100(RepositoriesService.java:55) [elasticsearch-6.3.2.jar:6.3.2]
	at org.elasticsearch.repositories.RepositoriesService$1.execute(RepositoriesService.java:108) [elasticsearch-6.3.2.jar:6.3.2]


Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching oauth2.googleapis.com found.
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:198) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974) ~[?:?]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:345) ~[?:?]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:339) ~[?:?]
	at sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1968) ~[?:?]
	at sun.security.ssl.ClientHandshaker.certificateStatus(ClientHandshaker.java:1798) ~[?:?]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:276) ~[?:?]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098) ~[?:?]
	at sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1429) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:?]
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567) ~[?:?]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:?]
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1356) ~[?:?]
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1331) ~[?:?]
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:241) ~[?:?]
	at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:77) ~[?:?]
	at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:981) ~[?:?]
	at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:283) ~[?:?]
	at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:307) ~[?:?]
	at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:394) ~[?:?]
	at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:489) ~[?:?]
	at com.google.api.client.auth.oauth2.Credential.intercept(Credential.java:217) ~[?:?]
	at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:868) ~[?:?]
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:419) ~[?:?]
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352) ~[?:?]
	... 20 more
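
The exception above comes from TLS hostname verification: the client compares the requested host with the DNS entries in the peer certificate's subjectAltName. As an added example (not part of the original post, and not the JVM's or the plugin's own code), this sketch applies simplified RFC 6125 matching to constructed certificate dicts; the function names and sample certificates are assumptions.

```python
# Added example: certificate dicts are constructed samples shaped like
# ssl.SSLSocket.getpeercert() output; they are not real captured certificates.
HOST = "oauth2.googleapis.com"  # name from the exception on this page

def dns_name_matches(pattern, hostname):
    """Compare one SAN dNSName with the requested host (simplified RFC 6125 rules)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" can never match.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False              # partial or non-leftmost wildcards: rejected here
    return p == h

def check_san(cert, hostname):
    """Return (ok, reason, dns_names) for the certificate the peer presented."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        return False, "certificate carries no DNS subjectAltName entries", dns_names
    if any(dns_name_matches(n, hostname) for n in dns_names):
        return True, "hostname is covered by a SAN entry", dns_names
    return False, "certificate was issued for other names", dns_names

# Constructed samples (assumptions for illustration).
CERT_COVERING_HOST = {"subjectAltName": (("DNS", "*.googleapis.com"), ("DNS", "googleapis.com"))}
CERT_OTHER_NAMES = {"subjectAltName": (("DNS", "gateway.corp.example"), ("IP Address", "10.0.0.1"))}
CERT_NO_SAN = {"subject": ((("commonName", "oauth2.googleapis.com"),),)}

if __name__ == "__main__":
    for label, cert in [("covering", CERT_COVERING_HOST),
                        ("other names", CERT_OTHER_NAMES),
                        ("no SAN", CERT_NO_SAN)]:
        ok, reason, names = check_san(cert, HOST)
        print(f"{label:12} ok={ok} {reason} {names}")
```

The "other names" outcome is the shape of failure the exception message describes: the peer presented a certificate whose DNS SAN entries do not include the requested host.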
