Hostname verification turn off for curl requests

Hello Elastic,

I'm setting up a new Elastic cluster with security with certificates. However, when doing curl requests it's not working out; any help on this will be much appreciated.
elasticsearch.yml:

node.name=${HOSTNAME}
node.master=true
node.data=false
http.cors.enabled=true
http.cors.allow-origin=*
ES_JAVA_OPTS=-Xms5g -Xmx5g
discovery.zen.ping.unicast.hosts=es-master
discovery.zen.minimum_master_nodes=2
cluster.routing.allocation.awareness.attributes=rack_id
cluster.name=es-cluster
cluster.initial_master_nodes=es-master-0, es-master-1, es-master-3
xpack.security.enabled=true
xpack.security.transport.ssl.enabled=true
xpack.security.transport.ssl.verification_mode=certificate
xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path=certs/elastic-certificates.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional

This is normal and expected. You are using a certificate that you have generated yourself, signed by a Certificate Authority that you have also generated yourself, and curl is by default using your OS truststore, which obviously knows nothing about this custom Certificate Authority.

  1. You can use the -k flag with curl, which will disable verification of the server's certificate, or, even better:
  2. a. Export the CA certificate from the PKCS#12 bundle you have with

         openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys | sed '/-----BEGIN CERTIFICATE-----/,$!d' > cacert.crt

     b. Run curl with --cacert cacert.crt so that it can validate the server's certificate correctly.

I'm trying to curl the request from the browser and it's failing; I also can't connect using the elastic head browser plugin.

The only mention of hostname verification in that blog post that I can find is

Also note that the -k option is required as we did not create certificates with the hostnames specified, and therefore hostname verification must be turned off.

which is equivalent to what I'm saying in 1. above. Not sure what you mean, but please feel free to elaborate and add some detail to your question.

Is there any way to disable that from elastic side?

You can't configure curl's behavior in elasticsearch, so I'm not really sure what you are asking. Hostname verification is something that the client (curl) does; how would you configure this in elasticsearch?
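
Added example (not from the thread or from Elastic): the CA export in step 2a and the client-side hostname check discussed above, reproduced offline, with `openssl verify` standing in for the two checks a client makes when given `--cacert`. The demo CA, `CN=instance`, the empty bundle password and the use of `es-master-0` as the requested host name are constructed assumptions.

```shell
#!/bin/sh
# Added example. Demo CA, CN=instance, the empty bundle password and the
# host name are constructed; nothing here contacts a real cluster.
set -eu

# Throwaway CA + node cert, bundled like elastic-certificates.p12.
# $1 = work dir, $2 = optional DNS name to put in subjectAltName.
make_bundle() (
  cd "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=instance" \
    -keyout node.key -out node.csr 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "${2:-}" > san.ext
  if [ -n "${2:-}" ]; then ext="-extfile san.ext"; else ext=""; fi
  openssl x509 -req -in node.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 $ext -out node.pem 2>/dev/null
  openssl pkcs12 -export -inkey node.key -in node.pem -certfile ca.pem \
    -passout pass: -out elastic-certificates.p12
)

# Step 2a of the answer: export only the CA certificate from the bundle.
export_ca() (
  cd "$1"
  openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -passin pass: \
    2>/dev/null | sed '/-----BEGIN CERTIFICATE-----/,$!d' > cacert.crt
)

# Chain check only: is the node certificate signed by the exported CA?
chain_ok() {
  openssl verify -CAfile "$1/cacert.crt" "$1/node.pem" 2>/dev/null |
    grep -q ': OK$'
}

# Chain check plus the hostname match that a client adds on top.
host_ok() {
  openssl verify -CAfile "$1/cacert.crt" -verify_hostname "$2" \
    "$1/node.pem" 2>/dev/null | grep -q ': OK$'
}

d=$(mktemp -d)
make_bundle "$d"          # no hostname in the certificate, as in the thread
export_ca "$d"
chain_ok "$d" && echo "chain: trusted via exported CA"
host_ok "$d" es-master-0 || echo "es-master-0: hostname check fails"
rm -rf "$d"
```

Passing a DNS name as the second argument to `make_bundle` issues the node certificate with that name, and the same `host_ok` check then succeeds without disabling anything on the client.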
