When I start the server, access through http is OK, but through https I got an error: ERR_INVALID_HTTP_RESPONSE (in the browser)
and in curl
This is not a HTTP port
curl: (56) Failure when receiving data from the peer
or
(35) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
depending on the commands I tried to use.
Could someone help me, please, to reveal the wrong or missing parts in the configuration?
and also add the relevant keystore and truststore paths as you have done for the transport layer. See the documentation for details.
Your keys/certificates/keystores/truststores must be placed within the Elasticsearch configuration directory, so you cannot place them in D:\Program Files\Elastic\6.2.4\bin\ . Note that you can also use paths relative to the Elasticsearch configuration directory (which, judging by the information you shared, should be D:\Program Files\Elastic\6.2.4\config).
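The two rules in the reply above (an enabled TLS layer needs its keystore path, and every store must sit inside the configuration directory), as an added example that is not part of the original thread or Elastic's own code. The function names and both sample configs are constructed here; the `enabled`, `transport` and `truststore` setting names are the standard X-Pack 6.x ones rather than lines quoted in the thread, and only the keystore form of the settings is checked.

```python
import ntpath  # Windows path rules, usable on any OS

CONFIG_DIR = r"D:\Program Files\Elastic\6.2.4\config"  # directory named in the reply
STORE_SUFFIXES = ("keystore.path", "truststore.path")

# Constructed sample configs (not the poster's actual file).
BROKEN = r"""
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: D:\Program Files\Elastic\6.2.4\bin\elastic-certificates.p12
xpack.security.http.ssl.enabled: true
"""
FIXED = r"""
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
"""

def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' form of elasticsearch.yml (no nesting)."""
    settings = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            key, value = line.split(":", 1)  # first colon only, so 'D:\...' survives
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def inside_config_dir(config_dir, value):
    """Resolve value against config_dir and test that it stays inside it."""
    base = ntpath.normcase(ntpath.normpath(config_dir))
    full = ntpath.normcase(ntpath.normpath(ntpath.join(base, value)))
    try:
        return ntpath.commonpath([base, full]) == base
    except ValueError:  # path on a different drive
        return False

def check(config_dir, yml_text):
    """Return a list of findings; an empty list means both rules hold."""
    s, findings = parse_flat_yaml(yml_text), []
    for layer in ("transport", "http"):
        prefix = f"xpack.security.{layer}.ssl."
        # Simplification: only the keystore form is recognised, not PEM key/certificate.
        if s.get(prefix + "enabled", "false").lower() == "true" and prefix + "keystore.path" not in s:
            findings.append(f"{layer}: TLS enabled but no keystore.path set")
    for key, value in s.items():
        if key.endswith(STORE_SUFFIXES) and not inside_config_dir(config_dir, value):
            findings.append(f"{key}: {value} is outside {config_dir}")
    return findings

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check(CONFIG_DIR, text) or "ok")
```

Relative values are resolved against the configuration directory, so a `..\bin\...` path is reported the same way as an absolute path into `bin`.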
I have made the changes you suggested, but now my http connection is broken too, but that's OK.
I placed the certificate into the config folder, registered it from there, and my config strings now look like:
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
During startup, Elasticsearch shows me these warnings:
[2018-08-30T15:33:59,730][WARN ][o.e.x.s.t.n.SecurityNetty4ServerTransport] [ololo] client did not trust this server's certificate, closing connection NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:59205, remoteAddress=/0:0:0:0:0:0:0:1:5032}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
[2018-08-30T15:34:00,628][WARN ][o.e.x.s.t.n.SecurityNetty4ServerTransport] [ololo] client did not trust this server's certificate, closing connection NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:59205, remoteAddress=/0:0:0:0:0:0:0:1:5033}
[2018-08-30T15:34:01,622][WARN ][o.e.x.s.t.n.SecurityNetty4ServerTransport] [ololo] client did not trust this server's certificate, closing connection NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:59205, remoteAddress=/0:0:0:0:0:0:0:1:5034}
It looks like it tries to enumerate several ports on the remote address and stops after 3 errors. I really don't have these ports open on my server; should I configure other ports (and how do I do this if so)?
You cannot connect to elasticsearch both via https and http. If you enable TLS for the http layer, you can't connect via http any more. This is expected and desired.
These are irrelevant to the http layer.
No, not really, this doesn't have to do with the ports being open or not. This is about the certificate that is used in the transport layer not being trusted.
Can you please share your updated configuration?
Is this the only ES node in your cluster?
Which port are you using when trying to access Elasticsearch over https?
Can you share a larger part of the logs? (Please use the </> button to wrap your logs.)
I have tried to use port 59205, but it seems to be wrong, as "The transport module is used for internal communication between nodes within the cluster".
When I tried to use http port 9200 for accessing Elasticsearch via https, it finally gave me the desired JSON data.
And now I'm able to send data using the address like https://my_ip:9200/index/doc
Thank you very much, ikakavas, you helped me a lot!
Yes, this is wrong. This is the port for the transport layer; this is where other Elasticsearch nodes in your cluster can communicate to. As you figured out, 9200 is the default port for the http layer (whether or not http is over TLS).