I have trouble using an SSL keystore or truststore to connect to the Elasticsearch client using DBeaver. This is an Elastic Stack on k8s installation on my local machine. I followed the official tutorial to set up a connection using DBeaver, but I have trouble figuring out how to make SSL validation work.
I logged into the Elasticsearch pod and downloaded the cert and key at /usr/share/elasticsearch/config/http-certs/tls.crt and /usr/share/elasticsearch/config/http-certs/tls.key. I combined them into p12 format using this command:
Try to import the SSL certificate in the Java keystore.
%JAVA_HOME%/bin/keytool -import -keystore %JAVA_HOME%/lib/security/cacerts -file certificate.crt -alias elk
You have added the Elasticsearch certificate and key as a keystore in DBeaver. However, what you should be doing here is adding the certificate (or even better the CA) to DBeaver's truststore.
As @kpe has suggested, you should use keytool for this, but you might not want to add it to the JVM's cacerts.
I port-forward the connection from the k8s cluster to my desktop. At first, when DBeaver connected to Elasticsearch via jdbc:es://https://127.0.0.1:9200/, I got this error:
No subject alternative DNS name matching
I have to use jdbc:es://https://ES_NAME-es-http.default.svc:9200/ instead, and that requires adding that line to /etc/hosts. The ES_NAME-es-http is the service name of the es cluster, and default is the namespace where the service is located.
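The hostname check behind that error, as an added example that is not part of the original thread: a TLS client compares the host in the URL with the certificate's subject alternative names, so the port-forwarded 127.0.0.1 fails while the service name, mapped to 127.0.0.1 in /etc/hosts, passes. The SAN list, the `*.example.internal` entry and the function names are constructed for illustration; the real SANs are whatever tls.crt contains.

```python
import ipaddress

# Constructed SAN entries (type, value); not read from a real certificate.
SAMPLE_SANS = [
    ("DNS", "ES_NAME-es-http.default.svc"),
    ("DNS", "*.example.internal"),
]


def dns_match(pattern, host):
    """Match one dNSName SAN; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Assumption of this sketch: require two fixed labels after the '*'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def host_matches(sans, host):
    """Return (ok, reason). IP literals are checked against iPAddress SANs
    only, names against dNSName SANs only, as TLS clients do."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in sans:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, "matched iPAddress SAN " + value
        return False, "no iPAddress SAN for " + host
    for kind, value in sans:
        if kind == "DNS" and dns_match(value, host):
            return True, "matched dNSName SAN " + value
    return False, "no dNSName SAN matching " + host


if __name__ == "__main__":
    # Hosts taken from the two JDBC URLs in the thread.
    for h in ("127.0.0.1", "ES_NAME-es-http.default.svc"):
        print(h, host_matches(SAMPLE_SANS, h))
```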