Getting ssl error while trying to create httpclient

I am getting the below error while trying to create a new HTTP client in version 7.8.1. Please help.
Code: RestHighLevelClient client = new RestHighLevelClient(RestClient.builder(new HttpHost(getLocalHost(), getPort(), "http")));
Caused by: java.lang.IllegalStateException: could not create the default ssl context
at org.elasticsearch.client.RestClientBuilder.createHttpClient(RestClientBuilder.java:221)
at java.security.AccessController.doPrivileged(Native Method)
at org.elasticsearch.client.RestClientBuilder.build(RestClientBuilder.java:191)
at org.elasticsearch.client.RestHighLevelClient.<init>(RestHighLevelClient.java:285)
at org.elasticsearch.client.RestHighLevelClient.<init>(RestHighLevelClient.java:277)

You can try this:

    final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
    credentialsProvider.setCredentials(
        AuthScope.ANY, new UsernamePasswordCredentials(username, password));
    RestClientBuilder restClientBuilder = RestClient
        .builder(new HttpHost(ip, port, "http"))
        .setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
          @Override
          public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpAsyncClientBuilder) {
            return httpAsyncClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
          }
        });
    client = new RestHighLevelClient(restClientBuilder);

Thanks for the reply. We are replacing the transport client/SSL plugin with RestHighLevelClient and are planning to use stunnel. We don't use any username/password. Why is this required?

I saw SSL in your description, and I thought you had configured SSL in your ES cluster and Kibana.

We had it configured, but I have removed the SSL plugin and am just using RestClient. Do you know from where the HTTP connection is triggering this SSL?

The RestClientBuilder createHttpClient uses SSL. Is there any way we can avoid SSL to build this client? We do not want to use SSL and want to use stunnel instead.
private CloseableHttpAsyncClient createHttpClient() {
    //default timeouts are all infinite
    RequestConfig.Builder requestConfigBuilder = RequestConfig.custom()
        .setConnectTimeout(DEFAULT_CONNECT_TIMEOUT_MILLIS)
        .setSocketTimeout(DEFAULT_SOCKET_TIMEOUT_MILLIS);
    if (requestConfigCallback != null) {
        requestConfigBuilder = requestConfigCallback.customizeRequestConfig(requestConfigBuilder);
    }

    try {
        HttpAsyncClientBuilder httpClientBuilder = HttpAsyncClientBuilder.create().setDefaultRequestConfig(requestConfigBuilder.build())
            //default settings for connection pooling may be too constraining
            .setMaxConnPerRoute(DEFAULT_MAX_CONN_PER_ROUTE).setMaxConnTotal(DEFAULT_MAX_CONN_TOTAL)
            .setSSLContext(SSLContext.getDefault())
            .setTargetAuthenticationStrategy(new PersistentCredentialsAuthenticationStrategy());
        if (httpClientConfigCallback != null) {
            httpClientBuilder = httpClientConfigCallback.customizeHttpClient(httpClientBuilder);
        }

        final HttpAsyncClientBuilder finalBuilder = httpClientBuilder;
        return AccessController.doPrivileged((PrivilegedAction<CloseableHttpAsyncClient>) finalBuilder::build);
    } catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException("could not create the default ssl context", e);
    }
}

If your cluster doesn't use SSL and your cluster configuration is correct, maybe you can try this:
https://www.elastic.co/guide/en/elasticsearch/client/java-rest/7.8/java-rest-high-getting-started-initialization.html

I tried this:
RestClientBuilder restClientBuilder = RestClient.builder(new HttpHost("localhost", 9200, "http"));
client = new RestHighLevelClient(restClientBuilder);
but still the same issue.
Caused by: java.lang.IllegalStateException: could not create the default ssl context
at org.elasticsearch.client.RestClientBuilder.createHttpClient(RestClientBuilder.java:221)

It goes to createHttpClient, and there I see .setSSLContext(SSLContext.getDefault()) is being used to build the HTTP client. I think this error is due to that SSL. How can we avoid this?

You can check the configuration in your cluster to see if there are settings like this: xpack.security.transport.ssl.*

Hmm, checked the yml file but nothing related to SSL is set.

Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at java.security.Provider$Service.newInstance(Provider.java:1617)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
at org.elasticsearch.client.RestClientBuilder.createHttpClient(RestClientBuilder.java:212)
... 8 more
Caused by: java.io.IOException: load failed
at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:766)
at java.security.KeyStore.load(KeyStore.java:1445)
at sun.security.ssl.SSLContextImpl$DefaultManagersHolder.getKeyManagers(SSLContextImpl.java:965)
at sun.security.ssl.SSLContextImpl$DefaultManagersHolder.<init>(SSLContextImpl.java:864)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:1027)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.security.Provider$Service.newInstance(Provider.java:1595)
... 13 more
Caused by: javax.security.auth.login.LoginException: no password provided, and no callback handler available for retrieving password
at sun.security.pkcs11.SunPKCS11.login(SunPKCS11.java:1188)
at sun.security.pkcs11.P11KeyStore.login(P11KeyStore.java:864)
at sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:751)
... 22 more
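
The trace above fails inside `SSLContext.getDefault()` while the JVM loads a PKCS#11 key store, during client construction and before any request is sent to Elasticsearch. The following is an added example, not code from this thread or from the Elasticsearch client (the class name is hypothetical): it reproduces that call on its own and prints the JVM settings that select the default key store, and it assumes it is run with the same JVM options and `java.security` file as the failing application.

```java
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

/** Added diagnostic (hypothetical class name): runs the failing call without Elasticsearch. */
public class DefaultSslContextCheck {

    // JSSE system properties that choose the key and trust material of the default context.
    private static final String[] JSSE_PROPS = {
        "javax.net.ssl.keyStore", "javax.net.ssl.keyStoreType", "javax.net.ssl.keyStoreProvider",
        "javax.net.ssl.trustStore", "javax.net.ssl.trustStoreType", "javax.net.ssl.trustStoreProvider"
    };

    public static void main(String[] args) {
        for (String name : JSSE_PROPS) {
            System.out.println(name + " = " + System.getProperty(name));
        }
        // Report only whether a password is configured, never its value.
        System.out.println("javax.net.ssl.keyStorePassword set: "
            + (System.getProperty("javax.net.ssl.keyStorePassword") != null));
        // Used as the key store type when javax.net.ssl.keyStoreType is not set.
        System.out.println("default keystore type = " + KeyStore.getDefaultType());

        // A registered PKCS#11 provider explains P11KeyStore frames in the trace.
        for (Provider p : Security.getProviders()) {
            if (p.getName().startsWith("SunPKCS11")) {
                System.out.println("PKCS#11 provider registered: " + p.getName());
            }
        }

        try {
            SSLContext ctx = SSLContext.getDefault();
            System.out.println("default SSLContext OK, provider " + ctx.getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            // Walk the cause chain down to the key store error (e.g. a LoginException).
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("caused by: " + t.getClass().getName() + ": " + t.getMessage());
            }
        }
    }
}
```

If this fails the same way, the key store type resolves to PKCS11 with no password available, and the fix belongs in the JVM or container configuration rather than in the Elasticsearch client code.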

In my local environment, I commented out this configuration:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

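and then I wrote a demo to get the health info of the cluster. The code is as follows:

import org.apache.http.HttpHost;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestHighLevelClient;

public static void main(String[] args) {
    ClusterHealthRequest request = new ClusterHealthRequest();
    // try-with-resources closes the client and its I/O threads when done
    try (RestHighLevelClient client = new RestHighLevelClient(
        RestClient.builder(
            new HttpHost("localhost", 9200, "http")))) {
      ClusterHealthResponse response = client.cluster().health(request, RequestOptions.DEFAULT);
      System.out.println("cluster name: " + response.getClusterName() + " cluster health status: " + response.getStatus());
    } catch (Exception e) {
      e.printStackTrace();
    }
  }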

There was no error in the result.

I just ran the program you wrote above in my IDE and got the below error. We are using the Apache license. In which file do we have to comment out the xpack settings?
SampleESClient

client*** org.elasticsearch.client.RestHighLevelClient@797b0699

java.net.ConnectException: Connection refused
at org.elasticsearch.client.RestClient.extractAndWrapCause(RestClient.java:823)
at org.elasticsearch.client.RestClient.performRequest(RestClient.java:248)
at org.elasticsearch.client.RestClient.performRequest(RestClient.java:235)
at org.elasticsearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1611)
at org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1581)
at org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1551)
at org.elasticsearch.client.ClusterClient.health(ClusterClient.java:130)
at SampleESClient.java:21)
Caused by: java.net.ConnectException: Connection refused
at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:717)
at org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor.processEvent(DefaultConnectingIOReactor.java:173)
at org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor.processEvents(DefaultConnectingIOReactor.java:147)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor.execute(AbstractMultiworkerIOReactor.java:350)
at org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager.execute(PoolingNHttpClientConnectionManager.java:221)
at org.apache.http.impl.nio.client.CloseableHttpAsyncClientBase$1.run(CloseableHttpAsyncClientBase.java:64)
at java.lang.Thread.run(Thread.java:748)

We have PKCS11 enabled at the Apache Tomcat level. Is that an issue?

Hi Sunxi,

We are just creating an HttpClient. Can you please let me know why we need SSL? The RestClientBuilder's createHttpClient method calls SSLContext.getDefault; I just wanted to check why we need SSL here. This is where my code is erroring out.
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
at org.elasticsearch.client.RestClientBuilder.createHttpClient(RestClientBuilder.java:212)

Maybe. I think something is wrong in your configuration.

Do I have to remove the transport jar? I am still keeping the transport jar along with the REST client. I will remove it eventually, but this should not cause any issues, right?
<dependency>
    <groupId>org.elasticsearch.client</groupId>
    <artifactId>transport</artifactId>
    <version>${elasticsearch.version}</version>
    <exclusions>
        <exclusion>
            <groupId>org.elasticsearch.plugin</groupId>
            <artifactId>transport-netty4-client</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.elasticsearch.plugin</groupId>
            <artifactId>transport-netty3-client</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.elasticsearch.client</groupId>
    <artifactId>elasticsearch-rest-high-level-client</artifactId>
    <version>${elasticsearch.version}</version>
</dependency>
