Hostname verification turn off for curl requests

akshay_singh2 · November 28, 2019, 6:50am

Hello Elastic,

I'm setting up new elastic cluster with security with certificates. However when doing curl requests its not working out, any help on this will be much appreciated.
elasticsearch.yml :

node.name=${HOSTNAME}
node.master=true
node.data=false
http.cors.enabled=true
http.cors.allow-origin=*
ES_JAVA_OPTS=-Xms5g -Xmx5g
discovery.zen.ping.unicast.hosts=es-master
discovery.zen.minimum_master_nodes=2
cluster.routing.allocation.awareness.attributes=rack_id
cluster.name=es-cluster
cluster.initial_master_nodes=es-master-0, es-master-1, es-master-3
xpack.security.enabled=true
xpack.security.transport.ssl.enabled=true
xpack.security.transport.ssl.verification_mode=certificate
xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional

ikakavas · November 28, 2019, 8:01am

This is normal and expected. You are using a certificate that you have generated yourself signed by a Certificate Authority that you have also generated youself and curl is by default using your OS truststore, that obviously knows nothing about this custom Certificate Authority.

You can use the -k flag with curl that will disable verification of the server's certificate or, even better
a. Export the CA certificate from the PKCS#12 bundle you have with
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys | sed '/-----BEGIN CERTIFICATE-----/,$!d' > cacert.crt
b. Run curl with --cacert cacert.crt so that it can validate the server's certificate correctly

akshay_singh2 · November 28, 2019, 9:08am

Im trying to curl the request from browser and its failing, also cant able to connect using elastic head browser plugin.

ikakavas · November 28, 2019, 9:33am

The only mention of hostname verification in that blog post that I can find is

Also note that the -k option is required as we did not create certificates with the hostnames specified, and therefore hostname verification must be turned off.

which is equivalent to what I'm saying in 1. above. Not sure what you mean, but please feel free to elaborate and add some detail to your question

akshay_singh2 · November 28, 2019, 10:21am

Is there any way to disable that from elastic side?

ikakavas · November 28, 2019, 10:39am

You can't configure curl's behavior in elasticsearch, so I'm not really sure what you are asking. Hostname verification is something that the client ( curl ) does, how would you configure this in elasticsearch ?

system · December 26, 2019, 10:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Curl against an encrypted Elasticsearch instance with certificate verification Elasticsearch	2	15336	November 8, 2020
Host name does not match the certificate Elasticsearch elastic-stack-security	3	3208	May 7, 2021
Disabling Hostname Verification on Elasticsearch 7.16 Outbound Connections Elasticsearch	5	1262	May 10, 2023
Need help in - TLS in elastic cluster settings Elasticsearch elastic-stack-security	2	586	December 30, 2018
Unable to setup PKI Authentication Elasticsearch elastic-stack-security	6	491	September 25, 2020

Hostname verification turn off for curl requests

Related Topics