Invalid SSL cert error when connecting to elasticsearch using DBeaver

I have trouble using an SSL keystore or truststore to connect to Elasticsearch using DBeaver. This is an Elastic Stack on k8s installation on my local machine. I followed the official tutorial to set up a connection using DBeaver, but I have trouble figuring out how to make SSL validation work.

I logged into the elasticsearch pod and downloaded the cert and key at /usr/share/elasticsearch/config/http-certs/tls.crt and /usr/share/elasticsearch/config/http-certs/tls.key. I combined them into a PKCS#12 file using this command:

openssl pkcs12 -export -in combined.pem -out cert.p12

elasticsearch.config:

http:
  ssl:
    certificate: /usr/share/elasticsearch/config/http-certs/tls.crt
    certificate_authorities: /usr/share/elasticsearch/config/http-certs/ca.crt
    enabled: true
    key: /usr/share/elasticsearch/config/http-certs/tls.key
transport:
  ssl:
    certificate: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.crt
    certificate_authorities:
    - /usr/share/elasticsearch/config/transport-certs/ca.crt
    - /usr/share/elasticsearch/config/transport-remote-certs/ca.crt
    enabled: "true"
    key: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.key
    verification_mode: certificate

However, I'm getting this invalid cert error:

These are the driver parameters:

What certs do I need in order to pass the cert check? I wish there was an insecure flag to ignore the validation since it runs in localhost.

Hello Fong_Ng,

Try to import the SSL certificate in the Java keystore.
%JAVA_HOME%/bin/keytool -import -keystore %JAVA_HOME%/lib/security/cacerts -file certificate.crt -alias elk

Regards,
Kevin

1 Like

You have added the Elasticsearch certificate and key as a keystore in DBeaver. However, what you should be doing here is adding the certificate (or even better the CA) to DBeaver's truststore.

As @kpe has suggested, you should use keytool for this, but you might not want to add it to the JVM's cacerts.

You can do:

keytool -importcert -storetype PKCS12 -alias es-http-ca -keystore elasticsearch.p12 -file /usr/share/elasticsearch/config/http-certs/ca.crt

And then in the DBeaver driver parameters, set ssl.truststore.location to point to your new elasticsearch.p12

2 Likes

Thank you for the answers. This problem is solved.

These are the steps to solve the invalid cert error:

  • Get the content of ca.crt from the k8s secret named ES_NAME-es-http-certs-public.

  • Save the CA cert content to a file (e.g. /home/my/ca.crt) on my desktop.

  • Run keytool -import -keystore elasticsearch.p12 -file /home/my/ca.crt and set a password for the truststore file.

  • Enter the related DBeaver driver parameters:

ssl.truststore.location - /home/my/elasticsearch.p12
ssl.truststore.password - YOUR_PASSWORD
ssl.truststore.type - PKCS12

  • Add this line to /etc/hosts on my desktop:
127.0.0.1       ES_NAME-es-http.default.svc

I port-forward the connection from the k8s cluster to my desktop. At first, when DBeaver connected to Elasticsearch via jdbc:es://https://127.0.0.1:9200/, I got this error:

No subject alternative DNS name matching

I have to use jdbc:es://https://ES_NAME-es-http.default.svc:9200/ instead, and that requires adding that line to /etc/hosts. ES_NAME-es-http is the service name of the ES cluster, and default is the namespace where the service is located.
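The "No subject alternative DNS name matching" error above is hostname verification, a separate check from the trust-chain check the truststore fixes: the host in the JDBC URL has to match a subjectAltName in the server certificate, and an IP literal is only ever compared with iPAddress entries, never with dNSName entries. The following is an added example (not code from this thread, from Elastic or from DBeaver) that reproduces that decision logic in plain Python so you can see why 127.0.0.1 fails and the /etc/hosts alias passes. The SAN list is constructed for the example to resemble an ECK-issued http certificate, which carries service DNS names but by default no IP entry; the function names and the JDBC URL parsing are mine, not the driver's.

```python
"""Why 'jdbc:es://https://127.0.0.1:9200/' fails hostname verification while
'jdbc:es://https://ES_NAME-es-http.default.svc:9200/' passes.

Added example, not code from the thread or from Elastic/DBeaver.
"""
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

SanList = List[Tuple[str, str]]  # [("DNS", name), ("IP", address), ...]

# Constructed for the example: an assumption about what the ECK http cert
# carries (service DNS names, no iPAddress entry). Not read from a real cert.
ES_HTTP_CERT_SANS: SanList = [
    ("DNS", "ES_NAME-es-http.default.svc"),
    ("DNS", "ES_NAME-es-http.default.svc.cluster.local"),
    ("DNS", "ES_NAME-es-http.default"),
    ("DNS", "ES_NAME-es-http"),
]


def _parse_ip(host: str):
    """Return an ip_address object if `host` is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN against the requested host, RFC 6125 style:
    case-insensitive, and a wildcard is honoured only as the whole left-most
    label and only spans one label, so '*.default.svc' matches 'x.default.svc'
    but neither 'default.svc' nor 'a.b.default.svc'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard must be the entire first label and must leave at least two
    # labels after it, so '*' or '*.svc' never matches anything.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(host: str, sans: SanList) -> Tuple[bool, str]:
    """Decide whether the certificate is valid for `host`. An IP literal is
    compared only with iPAddress SANs; a DNS name only with dNSName SANs.
    The reason text mirrors the kind of message a Java client reports."""
    ip = _parse_ip(host)
    if ip is not None:
        for kind, value in sans:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, f"IP address {ip} found in subjectAltName"
        return False, f"No subject alternative names matching IP address {ip} found"
    for kind, value in sans:
        if kind == "DNS" and dns_name_matches(value, host):
            return True, f"host {host} matches dNSName {value}"
    return False, f"No subject alternative DNS name matching {host} found"


def jdbc_url_host(jdbc_url: str) -> str:
    """Host the client will present for verification, taken from a URL of the
    form jdbc:es://https://host:port/ (parsing is this example's, not the driver's)."""
    prefix = "jdbc:es://"
    if not jdbc_url.startswith(prefix):
        raise ValueError("not an Elasticsearch JDBC URL")
    host: Optional[str] = urlsplit(jdbc_url[len(prefix):]).hostname
    if not host:
        raise ValueError("no host in JDBC URL")
    return host


def check_jdbc_url(jdbc_url: str, sans: SanList = ES_HTTP_CERT_SANS) -> Tuple[bool, str]:
    """Hostname-verification verdict for the host named in a JDBC URL."""
    return verify_hostname(jdbc_url_host(jdbc_url), sans)


if __name__ == "__main__":
    for url in ("jdbc:es://https://127.0.0.1:9200/",
                "jdbc:es://https://ES_NAME-es-http.default.svc:9200/"):
        ok, why = check_jdbc_url(url)
        print(f"{url}: {'OK' if ok else 'FAIL'} ({why})")
```

The /etc/hosts alias works because it makes the name in the URL honest: the client resolves the service name to the port-forwarded 127.0.0.1 and the certificate really does carry that name, so nothing about verification is weakened. Disabling verification instead (the "insecure flag" wished for above) would also switch off the trust-chain check. If you would rather connect by IP, have the certificate carry an iPAddress SAN for it; with ECK that is the `subjectAltNames` list under `spec.http.tls.selfSignedCertificate`, or supply your own certificate.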
