GeoIP processor/ geoip database update certificate issue

Hi, I am trying to get the GeoIP processor working with a custom endpoint. I have added the configuration to the nodes but now I see that elasticsearch has issues with the chain certification path: “exception during geoip database update. PKIX path building failed … unable to find valid certification path to requested target”.

I know I have to add a certificate to the truststore but that is as far as I get. What is the exact certificate I need to add? The geoip service certificate? The CA that signed the certificate? Is it the xpack.security.transport.ssl.truststore truststore or something else? Does the alias matter? Do I need to restart Elasticsearch or does the SSLConfigurationReloader pick up the changes (the logs say updated 1 ssl contexts in … for prefix names [ ] using file …)?

Currently my truststore has two entries: “ca, trustedCertEntry”, which is the corporate sub CA used to sign the node transport certificate, and “,PrivateKeyEntry”, which is the node certificate combined with the private key. I also tried to add the corporate root CA and the geoip service certificate with aliases “root” and “geosrv”, but this did not fix the issue. The geoip service certificate is a wildcard certificate signed by the same sub CA as the node certificate, so that CA already exists in the truststore with alias “ca”. The sub CA (alias “ca”) is signed by the root CA (alias “root”). The truststore is in JKS format.

What am I missing here? Surely someone has gotten the geoip custom endpoint working with external certs. Thank you all in advance!

While struggling with this I found this useful snippet, “Trust custom CA when using a custom GeoIP endpoint - ingest.geoip.downloader.endpoint · Issue #117624 · elastic/elasticsearch · GitHub”, which brought all the pieces together.

When using the ES bundled keytool the JDK cacerts file location is irrelevant, and the command to add my_corp_root_ca.crt to the JDK cacerts was:

    /usr/share/elasticsearch/jdk/bin/keytool -import -trustcacerts -cacerts -noprompt -alias mycorprootca -file /path/to/my_corp_root_ca.crt

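As an added example (not code from the thread, from Elastic, or from the linked GitHub issue), the bash script below performs the import from the last post in a re-runnable way: it refuses files that are not PEM certificates, skips the import when the alias is already in the bundled JDK's cacerts, and, when an endpoint host:port is given, first uses openssl to confirm that the CA file actually anchors the chain the GeoIP endpoint presents, which answers the "which certificate" question before cacerts is touched. The ES_HOME path, the alias, the endpoint address and the default cacerts password "changeit" are assumptions, not details from the thread.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread. Imports a corporate root CA into
# the cacerts of the JDK bundled with Elasticsearch (the store the GeoIP
# downloader trusts, per the thread) and checks beforehand that this CA anchors
# the endpoint's chain. Assumed, not from the thread: ES_HOME, alias name,
# endpoint host:port, and the JDK default cacerts password "changeit".
set -euo pipefail

ES_HOME="${ES_HOME:-/usr/share/elasticsearch}"
KEYTOOL="$ES_HOME/jdk/bin/keytool"

# keytool's -cacerts flag targets the bundled JDK's own trust store; the path
# is printed only so the operator can see which file is being modified.
cacerts_path() { printf '%s\n' "$ES_HOME/jdk/lib/security/cacerts"; }

# Accept only a PEM certificate. A private key pasted by mistake (or a
# cert+key bundle) is rejected here rather than producing a confusing keytool error.
pem_is_certificate() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null \
    && ! grep -q -- 'PRIVATE KEY' "$1"
}

# True if the alias is already present in the bundled cacerts. Makes the import
# idempotent, so the script can simply be re-run after a package upgrade has
# replaced the bundled JDK (and with it the cacerts file).
has_alias() {
  [ -x "$KEYTOOL" ] || return 1
  "$KEYTOOL" -list -cacerts -storepass changeit -alias "$1" >/dev/null 2>&1
}

# Confirm with openssl that the endpoint's chain validates up to this CA file.
# -servername sends SNI so a wildcard certificate is selected correctly;
# -verify_return_error makes s_client exit non-zero on a verification failure.
verify_anchor() {  # verify_anchor <pem-file> <host:port>
  openssl s_client -connect "$2" -servername "${2%%:*}" -CAfile "$1" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

import_ca() {  # import_ca <pem-file> <alias>
  pem_is_certificate "$1" || { echo "not a PEM certificate: $1" >&2; return 2; }
  if has_alias "$2"; then
    echo "alias '$2' already present in $(cacerts_path), skipping import"
    return 0
  fi
  "$KEYTOOL" -importcert -trustcacerts -cacerts -noprompt \
    -storepass changeit -alias "$2" -file "$1"
}

main() {  # main <pem-file> <alias> [host:port]
  if [ $# -ge 3 ]; then
    if verify_anchor "$1" "$3"; then
      echo "$1 anchors the chain presented by $3"
    else
      echo "$1 does NOT anchor the chain presented by $3; import a different CA" >&2
      return 1
    fi
  fi
  import_ca "$1" "$2"
}

# Runs only when invoked with arguments, e.g.:
#   bash import_geoip_ca.sh /path/to/my_corp_root_ca.crt mycorprootca geoip.example.corp:443
[ $# -eq 0 ] || main "$@"
```

The JVM reads cacerts when it starts, so the node has to be restarted after the import; the SSLConfigurationReloader messages in the log refer to the xpack.security.* keystores and truststores, not to the JDK's cacerts. Because the cacerts file lives inside the bundled JDK, a package upgrade of Elasticsearch replaces it, which is why the import is written to be safe to repeat.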