Invalid SSL cert error when connecting to elasticsearch using DBeaver

I am having trouble using an SSL keystore or truststore to connect to Elasticsearch from DBeaver. This is an Elastic Stack on k8s installation on my local machine. I followed the official tutorial to set up a connection using DBeaver, but I have trouble figuring out how to make SSL validation work.

I logged into the Elasticsearch pod, downloaded the cert and key from /usr/share/elasticsearch/config/http-certs/tls.crt and /usr/share/elasticsearch/config/http-certs/tls.key, and combined them into a p12 file using this command:

openssl pkcs12 -export -in combined.pem -out cert.p12

elasticsearch.config:

http:
  ssl:
    certificate: /usr/share/elasticsearch/config/http-certs/tls.crt
    certificate_authorities: /usr/share/elasticsearch/config/http-certs/ca.crt
    enabled: true
    key: /usr/share/elasticsearch/config/http-certs/tls.key
transport:
  ssl:
    certificate: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.crt
    certificate_authorities:
    - /usr/share/elasticsearch/config/transport-certs/ca.crt
    - /usr/share/elasticsearch/config/transport-remote-certs/ca.crt
    enabled: "true"
    key: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.key
    verification_mode: certificate

However, I'm getting this invalid cert error:

These are the driver parameters:

What certs do I need in order to pass the cert check? I wish there was an insecure flag to ignore the validation since it runs in localhost.

Hello Fong_Ng,

Try to import the SSL certificate in the Java keystore.
%JAVA_HOME%/bin/keytool -import -keystore %JAVA_HOME%/lib/security/cacerts -file certificate.crt -alias elk

Regards,
Kevin

1 Like

You have added the Elasticsearch certificate and key as a keystore in DBeaver. However, what you should be doing here is adding the certificate (or even better the CA) to DBeaver's truststore.

As @kpe has suggested, you should use keytool for this, but you might not want to add it to the JVM's cacerts.

You can do:

keytool -import -keystore elasticsearch.p12 -file /usr/share/elasticsearch/config/http-certs/ca.crt

And then in the DBeaver driver parameters, set ssl.truststore.location to point to your new elasticsearch.p12

2 Likes

Thank you for the answers. This problem is solved.

These are the steps to solve the invalid cert error:

  • Get the content of ca.crt from the k8s secret named ES_NAME-es-http-certs-public.

  • Save the CA cert content to a file (e.g. /home/my/ca.crt) on my desktop.

  • Run keytool -import -keystore elasticsearch.p12 -file /home/my/ca.crt and set a password for the truststore file.

  • Enter the related DBeaver driver parameters (the truststore location is the PKCS12 file created in the previous step, not the PEM CA file):

ssl.truststore.location - /home/my/elasticsearch.p12
ssl.truststore.password - YOUR_PASSWORD
ssl.truststore.type - PKCS12

  • Add this line to /etc/hosts on my desktop:
127.0.0.1       ES_NAME-es-http.default.svc

I port-forward the connection from the k8s cluster to my desktop. At first, when DBeaver connected to Elasticsearch via jdbc:es://https://127.0.0.1:9200/, I got this error:

No subject alternative DNS name matching

I have to use jdbc:es://https://ES_NAME-es-http.default.svc:9200/ instead, which requires adding that line to /etc/hosts. ES_NAME-es-http is the service name of the ES cluster, and default is the namespace where the service is located.
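To put the truststore advice from the replies and the final steps together, here is an added example script (not code from this thread or from Elastic) that runs the whole procedure end to end: it pulls ca.crt out of the ECK secret, imports only that CA into a fresh PKCS12 truststore, prints the /etc/hosts line, the JDBC URL and the DBeaver driver parameters, and then checks the chain and the hostname with openssl s_client the same way the Java driver will, so the "No subject alternative DNS name matching" failure shows up before you touch DBeaver. The cluster name quickstart, the namespace default, the truststore password changeit, the alias es-http-ca and all function names are assumptions; kubectl, keytool and openssl must be on PATH, and a kubectl port-forward to local port 9200 must already be running for the last step.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a PKCS12 truststore for
# DBeaver from the CA in the <ES_NAME>-es-http-certs-public secret that ECK
# creates, and derives the hostname-dependent settings.
# Assumed values (adjust to your cluster): ES_NAME, NAMESPACE, TRUSTSTORE_PASS.
set -eu

ES_NAME="${ES_NAME:-quickstart}"               # name of the Elasticsearch resource (assumed)
NAMESPACE="${NAMESPACE:-default}"
TRUSTSTORE="${TRUSTSTORE:-$HOME/elasticsearch.p12}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"  # assumed; protects the store's integrity only
LOCAL_PORT="${LOCAL_PORT:-9200}"

# The service DNS name ECK puts into the HTTP certificate's SANs. 127.0.0.1 is
# not among them, which is why connecting by IP fails hostname verification.
service_host() {
    printf '%s-es-http.%s.svc\n' "$1" "$2"
}

# /etc/hosts entry that makes the SAN hostname resolve to the port-forward.
hosts_line() {
    printf '127.0.0.1\t%s\n' "$(service_host "$1" "$2")"
}

# JDBC URL using the SAN hostname rather than the loopback address.
jdbc_url() {
    printf 'jdbc:es://https://%s:%s/\n' "$(service_host "$1" "$2")" "$3"
}

# DBeaver driver properties. The location must be the PKCS12 truststore, not
# the PEM CA file: ssl.truststore.type=PKCS12 tells Java how to parse the file.
driver_params() {
    printf 'ssl.truststore.location=%s\n' "$1"
    printf 'ssl.truststore.password=%s\n' "$2"
    printf 'ssl.truststore.type=PKCS12\n'
}

# 1. Extract only the CA (not the node cert or its private key) from the secret.
fetch_ca() {
    kubectl -n "$2" get secret "$1-es-http-certs-public" \
        -o jsonpath='{.data.ca\.crt}' | base64 -d > "$3"
}

# 2. Import the CA into a new PKCS12 truststore and list it to confirm.
build_truststore() {
    rm -f "$2"
    keytool -importcert -noprompt -alias es-http-ca \
        -file "$1" -keystore "$2" -storetype PKCS12 -storepass "$3"
    keytool -list -keystore "$2" -storetype PKCS12 -storepass "$3"
}

# 3. Verify chain and hostname as the driver will: trust our CA only, send the
#    service name as SNI, and require it to appear in the certificate's SANs.
verify_endpoint() {
    openssl s_client -connect "127.0.0.1:$3" -servername "$1" \
        -CAfile "$2" -verify_hostname "$1" </dev/null 2>&1 \
        | grep -E 'Verify return code|Verification'
}

main() {
    ca_file="$(mktemp)"
    fetch_ca "$ES_NAME" "$NAMESPACE" "$ca_file"
    build_truststore "$ca_file" "$TRUSTSTORE" "$TRUSTSTORE_PASS"
    echo "Add to /etc/hosts:";            hosts_line "$ES_NAME" "$NAMESPACE"
    echo "JDBC URL:";                     jdbc_url "$ES_NAME" "$NAMESPACE" "$LOCAL_PORT"
    echo "DBeaver driver parameters:";    driver_params "$TRUSTSTORE" "$TRUSTSTORE_PASS"
    echo "TLS check (needs: kubectl port-forward svc/$ES_NAME-es-http $LOCAL_PORT:9200):"
    verify_endpoint "$(service_host "$ES_NAME" "$NAMESPACE")" "$ca_file" "$LOCAL_PORT"
}

# Only act when invoked with "run"; otherwise the script just defines functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `ES_NAME=<your-cluster> sh es-truststore.sh run`. A "Verify return code: 0 (ok)" from the last step means the same CA and hostname will satisfy the JDBC driver; a hostname mismatch there is exactly the error the post describes, and the fix is the hosts line plus the service-name URL, not a weaker verification mode.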