Permission to add GoogleDrive to WorkplaceSearch

I am looking to add GoogleDrive to WorkplaceSerch.

Referring to the following URL, I received instructions to create an OAuth application with my organization's GoogleDriveAccount, so I went to the linked GoogleCloudPlatform OAuth consent screen, but the following message appears and I cannot create it.

An error occurred while loading /apis/credentials/consent?folder=&organizationId=657266259636&project=&supportedpurview=project.

One or more of the following required permissions are missing.
Project

clientauthconfig.brands.get
oauthconfig.testusers.get
oauthconfig.verification.get
resourcemanager.projects.get

What permissions do I need?

Hey @its-ogawa,

Just so I can be sure, can you describe the specific step in the setup where you encounter that error? Is it at the very beginning where you're prompted to head to: https://console.developers.google.com/?

In general you want to make sure you're setting up the connection with a team-owned admin account. That way indexed files wont be limited to one specific user's visibility to Google Drive.

Ross

Yeah. I think it started from the beginning.

Here are the steps that caused the error.

1. go to WorkplaceSearch > Sources > Google Drive
   http://XXX.XXX.XXX.XXX:3002/ws#/org/sources/add/google-drive

2. click on "Configure Google Drive

3. select [Google Drive Application Portal] and go to Google Cloud Platform

4. select my project

5. Go to APIs and Services > OAuth Consent screen

An error will occur at this point. (Message shown earlier)

I want to use it as a team, as you said, but what is a team-owned admin account?

Please let me know what permissions are required.

Hey @its-ogawa,

I've never encountered that error message. You could try changing the selected "Project" at the top of the page, or create a new one to see if you experience the same issue.

Can you confirm this is an organization using G Suite, and not a personal GMail account?

When I mentioned "a team-owned admin account", that's just to explain that it's recommended that the account you use to configure the Google Drive side of the connection should have whatever G Suite's version of admin permissions are called. This is often an account owned by your team that isn't tied to any specific person. This way the connection will have access to index all content from your team's Google Drive, and not some limited subset that only your individual account has access to.

I hope that helps.

Ross

You could try changing the selected "Project" at the top of the page, or create a new one to see if you experience the same issue.

There was only one project in use by my company.
Will creating a new project cause existing files stored in Drive to be searched?

Can you confirm this is an organization using G Suite, and not a personal GMail account?

I think it's G Suite because the address below @ is "company name" + ".com".

I've given the same explanation to Google support, but the only answer I've gotten is "We've given you the proper permissions, so you should be able to use it", and the situation hasn't changed.
I am very troubled.

I would actually recommend creating a new/separate project in Google's cloud console. That way you can change settings in the new project without affecting anything else. Let me know if that helps!

I think you're correct in that it's G Suite if you're using a non-GMail address.

I finally got the permission to create a project and created a new project, WorkplaceSearchProject.
I gave me the OAuth Config editor owner permissions and got my OAuth credentials (client ID and client secret).

Using this credentials, in WorkplaceSearch, I added the GoogleDrive content source, but when I press the "Connect to Google Drive" button, I get the following error.

Authorization Error
Error 400: invalid_request
Invalid parameter value for redirect_uri: Raw IP addresses not allowed: http://MY_SERVER:3002/ws/org/sources/google_drive/create

What other steps do I need to take?

It's tough for me to tell if that's a Google oauth error or a Workplace Search error. Do you receive this error during the oauth step with Google, or while you're still in Workplace Search? It's possible Google oauth doesn't allow IP addresses for redirect_uri values, and instead wants a hostname.

Did Google cloud console let you enter just an IP address as a redirect URI? The docs describe this at step 12 here.

Do you receive this error during the oauth step with Google, or while you're still in Workplace Search?

The timing of the error is when I click "Connect GoogleDrive" in WorkplaceSearch, but the message is so abstract that I don't really know how to deal with it.

It's possible Google oauth doesn't allow IP addresses for redirect_uri values, and instead wants a hostname.

You are right about this.
The documentation said Unsecured, but IP addresses were explicitly not allowed to be entered.
Hence, I am using NGINX reverse proxy to specify the hostname.

Did Google cloud console let you enter just an IP address as a redirect URI?

I am also referring to that document.
However, there seems to be a big gap between "Step 3" and "Step 4" of "Connecting Google Drive to Workplace Search".

Does your ent_search.external_url config value in config/enterprise-search.yml match the hostname you're using? I'm now confident Google's developer console wont allow raw IP addresses as you mention. I'm wondering if your Enterprise Search configuration isn't properly using your hostname, such that it still presents a raw IP address to Google Drive's oauth flow when attempting to create the connection.

Does your ent_search.external_url config value in config/enterprise-search.yml match the hostname you're using?

It is my belief that they probably match.

I am using NGINX reverse proxy to assign the URL.
Specifically, I have the following settings.

$ vi /etc/nginx/conf.d/ssl.conf
server {
    listen       443 ssl;
    server_name  MY_SERVER;

... snip ...
    location /kibana/ {
        proxy_pass   http://127.0.0.1:5601/;
    }

    location /workplacesearch/ {
        proxy_pass   http://127.0.0.1:3002/;
    }
... snip ...
}

$ vi /usr/share/enterprise-search/config/enterprise-search.yml
... snip ...
ent_search.external_url: https://MY_SERVER/workplacesearch
... snip ...

I'm wondering if your Enterprise Search configuration isn't properly using your hostname, such that it still presents a raw IP address to Google Drive's oauth flow when attempting to create the connection.

Is there anything else that needs to be configured?

Is it possible that the ent_search.external_url in my enterprise-search.yml is not well written?

I have seen the following error message.

$ /usr/share/enterprise-search//bin/enterprise-search reload
Found java executable in PATH
Java version detected: 1.8.0_282 (major version: 8)
Enterprise Search is starting...

--------------------------------------------------------------------------------

Invalid config file (/usr/share/enterprise-search/config/enterprise-search.yml):
The setting '#/ent_search/external_url' cannot have a path: 'https://MY_SERVER/workplacesearch'

--------------------------------------------------------------------------------

That setting can't contain a url path. It needs to be just https://MY_SERVER. It can also include a port.

Thanks for the advice.

Do you suggest me to write the following ?

$ vi /usr/share/enterprise-search/config/enterprise-search.yml
... snip ...
ent_search.external_url: https://MY_SERVER/
... snip ...

It seemed to work, but at the end I get the following error
What does this mean? What else am I missing?

$ /usr/share/enterprise-search/bin/enterprise-search reload
... snip ...
Error: Failed to bind to /MY_SERVER:3002 at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(org/eclipse/jetty/server/ServerConnector.java:349)
        org.eclipse.jetty.server.ServerConnector.open(org/eclipse/jetty/server/ServerConnector.java:310)
        org.eclipse.jetty.server.AbstractNetworkConnector.doStart(org/eclipse/jetty/server/AbstractNetworkConnector.java:80)
        org.eclipse.jetty.server.ServerConnector.doStart(org/eclipse/jetty/server/ServerConnector.java:234)
        org.eclipse.jetty.util.component.AbstractLifeCycle.start(org/eclipse/jetty/util/component/AbstractLifeCycle.java:72)
        org.eclipse.jetty.server.Server.doStart(org/eclipse/jetty/server/Server.java:401)
        org.eclipse.jetty.util.component.AbstractLifeCycle.start(org/eclipse/jetty/util/component/AbstractLifeCycle.java:72)
        java.lang.reflect.Method.invoke(java/lang/reflect/Method.java:498)
        org.jruby.javasupport.JavaMethod.invokeDirectWithExceptionHandling(org/jruby/javasupport/JavaMethod.java:426)
        org.jruby.javasupport.JavaMethod.invokeDirect(org/jruby/javasupport/JavaMethod.java:293)
        RUBY.start(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/jetty_server.class:42)
        RUBY.start_application_server(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/app_server_command.class:61)
        RUBY.run(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/app_server_command.class:31)
        RUBY.run_and_exit(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/command.class:10)
        RUBY.run_supported_command(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:143)
        RUBY.run_command(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:125)
        RUBY.run!(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:112)
        bin.enterprise_minus_search_minus_internal.invokeOther11:run!(bin/enterprise-search-internal:15)
        bin.enterprise_minus_search_minus_internal.<main>(bin/enterprise-search-internal:15)
        java.lang.invoke.MethodHandle.invokeWithArguments(java/lang/invoke/MethodHandle.java:627)
        org.jruby.Ruby.runScript(org/jruby/Ruby.java:1205)
        org.jruby.Ruby.runNormally(org/jruby/Ruby.java:1128)
        org.jruby.Ruby.runNormally(org/jruby/Ruby.java:1146)
        org.jruby.Ruby.runFromMain(org/jruby/Ruby.java:958)
        org.jruby.Main.doRunFromMain(org/jruby/Main.java:412)
        org.jruby.Main.internalRun(org/jruby/Main.java:304)
        org.jruby.Main.run(org/jruby/Main.java:234)
        org.jruby.Main.main(org/jruby/Main.java:206)

Hi @its-ogawa,

I have a few questions for you.

First, are you really running bin/enterprise-search reload? That's not a command that I recognize for our executable - have you edited that file? Or is that a typo?

Second, I notice that this forum post has been going on for more than a week. We're happy to keep helping here, but do you have a support relationship with Elastic? If you're a paying customer, you may find that Elastic Support may be faster to help you work through this.

Third, the Failed to bind error may mean a number of things. It could mean that you already have something else running on port 3002 on your server. It could mean that you already have Enterprise Search up and running, and you need to stop/kill the running process before you try to start another one. Or it could mean that your server's network settings are such that processes are not allowed to bind to port 3002 at all. Might any of these apply?

Supporting Sean in what he said above. Also, it would be helpful to see how you rewrote that nginx ssl config file to get rid of the path in the workplace search URL? And could you make sure to provide the full stacktrace of the error?

@Sean_Story
Thank you for your answer.
Thank you in advance.

I will answer your question.

First, are you really running bin/enterprise-search reload? That's not a command that I recognize for our executable - have you edited that file? Or is that a typo?

I am getting the following output results with this command.

$ /usr/share/enterprise-search/bin/enterprise-search reload
Found java executable in PATH
Java version detected: 1.8.0_282 (major version: 8)
Enterprise Search is starting...
[2021-06-08T00:35:21.384+00:00][30889][2002][app-server][INFO]: Enterprise Search version=7.12.1, JRuby version=9.2.13.0, Ruby version=2.5.7, Rails version=4.2.11.3
[2021-06-08T00:35:21.393+00:00][30889][2002][app-server][INFO]: Performing pre-flight checks for Elasticsearch running on http://XXX.XXX.XXX.XXX:9200...
[2021-06-08T00:35:21.784+00:00][30889][2002][app-server][INFO]: [pre-flight] Successfully connected to Elasticsearch
[2021-06-08T00:35:21.816+00:00][30889][2002][app-server][INFO]: [pre-flight] Successfully loaded Elasticsearch plugin information for all nodes
[2021-06-08T00:35:21.846+00:00][30889][2002][app-server][INFO]: [pre-flight] Elasticsearch running with an active basic license
[2021-06-08T00:35:21.889+00:00][30889][2002][app-server][INFO]: [pre-flight] Elasticsearch API key service is enabled
[2021-06-08T00:35:21.891+00:00][30889][2002][app-server][INFO]: [pre-flight] ILM is enabled in Elasticsearch
[2021-06-08T00:35:21.893+00:00][30889][2002][app-server][INFO]: Elasticsearch looks healthy and configured correctly to run Enterprise Search
[2021-06-08T00:35:32.150+00:00][30889][2002][app-server][INFO]: [db_lock] [installation] Status: [Starting] Ensuring migrations tracking index exists
[2021-06-08T00:35:32.227+00:00][30889][2002][app-server][INFO]: [db_lock] [installation] Status: [Finished] Ensuring migrations tracking index exists
[2021-06-08T00:35:33.767+00:00][30889][2002][app-server][INFO]: Enterprise Search indices are ready
2021-06-08 09:35:35.068:INFO::main: Logging initialized @27552ms to org.eclipse.jetty.util.log.StdErrLog
[2021-06-08T00:35:35.301+00:00][30889][2002][app-server][INFO]: Starting HTTP server...
2021-06-08 09:35:35.309:INFO:oejs.Server:main: jetty-9.4.33.v20201020; built: 2020-10-20T23:39:24.803Z; git: 1be68755656cef678b79a2ef1c2ebbca99e25420; jvm 1.8.0_282-b08
2021-06-08 09:35:35.338:INFO:oejshC.ROOT:main: INFO: jruby 9.2.13.0 (2.5.7) 2020-08-03 9a89c94bcc OpenJDK 64-Bit Server VM 25.282-b08 on 1.8.0_282-b08 +jit [linux-x86_64]
2021-06-08 09:35:35.339:INFO:oejshC.ROOT:main: INFO: using a shared (threadsafe!) runtime
[2021-06-08T00:35:40.906+00:00][30889][2150][app-server][INFO]: Enterprise Search version=7.12.1, JRuby version=9.2.13.0, Ruby version=2.5.7, Rails version=4.2.11.3
[2021-06-08T00:35:40.908+00:00][30889][2150][app-server][INFO]: Performing pre-flight checks for Elasticsearch running on http://XXX.XXX.XXX.XXX:9200...
[2021-06-08T00:35:41.194+00:00][30889][2150][app-server][INFO]: [pre-flight] Successfully connected to Elasticsearch
[2021-06-08T00:35:41.227+00:00][30889][2150][app-server][INFO]: [pre-flight] Successfully loaded Elasticsearch plugin information for all nodes
[2021-06-08T00:35:41.248+00:00][30889][2150][app-server][INFO]: [pre-flight] Elasticsearch running with an active basic license
[2021-06-08T00:35:41.300+00:00][30889][2150][app-server][INFO]: [pre-flight] Elasticsearch API key service is enabled
[2021-06-08T00:35:41.300+00:00][30889][2150][app-server][INFO]: [pre-flight] ILM is enabled in Elasticsearch
[2021-06-08T00:35:41.302+00:00][30889][2150][app-server][INFO]: Elasticsearch looks healthy and configured correctly to run Enterprise Search
[2021-06-08T00:35:51.204+00:00][30889][2150][app-server][INFO]:

#########################################################

Success! Elastic Enterprise Search is starting successfully.

In a few moments, you'll be able to login at the following address:

* URL: http://XXX.XXX.XXX.XXX:3002
  * If this is your first time starting Enterprise Search, check the console output above for your user authentication credentials.
  * Visit the documentation: https://www.elastic.co/guide/en/enterprise-search

Secret session key has been generated.

Set the key in your config file to persist user sessions through process restarts:

secret_session_key: 002383aa0f8211c3291876400e77cb665b22c4cbc4242e50eb7b8707c9d0ced15727a99fdfb1c266a27573e95e79013c6931af50c6b6fcda044afa47af7ae9e4


#########################################################



2021-06-08 09:35:52.219:INFO:oejshC.ROOT:main: INFO: [org.kares.jruby.rack.DefaultWorkerManager] started 4 worker(s)
[2021-06-08T00:35:52.224+00:00][30889][2306][app-server][INFO]: [workers] Starting EsqueuesMe background jobs...
[2021-06-08T00:35:52.224+00:00][30889][2304][app-server][INFO]: [workers] Configuring periodic background jobs...
[2021-06-08T00:35:52.224+00:00][30889][2300][app-server][INFO]: [workers] Starting EsqueuesMe background jobs...
[2021-06-08T00:35:52.230+00:00][30889][2306][worker][INFO]: Ensuring esqueues me queues exist
[2021-06-08T00:35:52.229+00:00][30889][2304][app-server][INFO]: [workers] Configuring background job CleanupHeartbeatIndex: {:execution_interval=>300, :timeout_interval=>30, :run_now=>false}
2021-06-08 09:35:52.232:INFO:oejsh.ContextHandler:main: Started o.e.j.s.ServletContextHandler@62593536{/,file:///usr/share/enterprise-search/lib/war/,AVAILABLE}
[2021-06-08T00:35:52.232+00:00][30889][2300][worker][INFO]: Ensuring esqueues me queues exist
[2021-06-08T00:35:52.224+00:00][30889][2302][app-server][INFO]: [workers] Starting EsqueuesMe background jobs...
[2021-06-08T00:35:52.236+00:00][30889][2304][app-server][INFO]: [workers] Configuring background job RefreshElasticsearchLicense: {:execution_interval=>60, :timeout_interval=>30, :run_now=>false}
[2021-06-08T00:35:52.236+00:00][30889][2302][worker][INFO]: Ensuring esqueues me queues exist
[2021-06-08T00:35:52.265+00:00][30889][2304][app-server][INFO]: [workers] Configuring background job RefreshFritoPieContentSources: {:execution_interval=>360, :timeout_interval=>30, :run_now=>true}
Unexpected exception while running Enterprise Search:
Error: Failed to bind to /XXX.XXX.XXX.XXX:3002 at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(org/eclipse/jetty/server/ServerConnector.java:349)
        org.eclipse.jetty.server.ServerConnector.open(org/eclipse/jetty/server/ServerConnector.java:310)
        org.eclipse.jetty.server.AbstractNetworkConnector.doStart(org/eclipse/jetty/server/AbstractNetworkConnector.java:80)
        org.eclipse.jetty.server.ServerConnector.doStart(org/eclipse/jetty/server/ServerConnector.java:234)
        org.eclipse.jetty.util.component.AbstractLifeCycle.start(org/eclipse/jetty/util/component/AbstractLifeCycle.java:72)
        org.eclipse.jetty.server.Server.doStart(org/eclipse/jetty/server/Server.java:401)
        org.eclipse.jetty.util.component.AbstractLifeCycle.start(org/eclipse/jetty/util/component/AbstractLifeCycle.java:72)
        java.lang.reflect.Method.invoke(java/lang/reflect/Method.java:498)
        org.jruby.javasupport.JavaMethod.invokeDirectWithExceptionHandling(org/jruby/javasupport/JavaMethod.java:426)
        org.jruby.javasupport.JavaMethod.invokeDirect(org/jruby/javasupport/JavaMethod.java:293)
        RUBY.start(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/jetty_server.class:42)
        RUBY.start_application_server(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/app_server_command.class:61)
        RUBY.run(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/app_server_command.class:31)
        RUBY.run_and_exit(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli/command.class:10)
        RUBY.run_supported_command(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:143)
        RUBY.run_command(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:125)
        RUBY.run!(/usr/share/enterprise-search/lib/war/shared_togo/lib/shared_togo/cli.class:112)
        bin.enterprise_minus_search_minus_internal.invokeOther11:run!(bin/enterprise-search-internal:15)
        bin.enterprise_minus_search_minus_internal.<main>(bin/enterprise-search-internal:15)
        java.lang.invoke.MethodHandle.invokeWithArguments(java/lang/invoke/MethodHandle.java:627)
        org.jruby.Ruby.runScript(org/jruby/Ruby.java:1205)
        org.jruby.Ruby.runNormally(org/jruby/Ruby.java:1128)
        org.jruby.Ruby.runNormally(org/jruby/Ruby.java:1146)
        org.jruby.Ruby.runFromMain(org/jruby/Ruby.java:958)
        org.jruby.Main.doRunFromMain(org/jruby/Main.java:412)
        org.jruby.Main.internalRun(org/jruby/Main.java:304)
        org.jruby.Main.run(org/jruby/Main.java:234)
        org.jruby.Main.main(org/jruby/Main.java:206)
[2021-06-08T00:35:52.273+00:00][30889][2304][app-server][INFO]: [workers] Configuring background job UpdateCustomSourcesConfig: {:execution_interval=>360, :timeout_interval=>30, :run_now=>true}
[2021-06-08T00:35:52.284+00:00][30889][2304][app-server][INFO]: [workers] Configuring background job DeleteOldFritoPieContentSourceJobs: {:execution_interval=>86400, :timeout_interval=>30, :run_now=>false}
[2021-06-08T00:35:52.286+00:00][30889][2304][app-server][INFO]: [workers] Configuring background job KeepFilebeatAlive: {:execution_interval=>300, :timeout_interval=>30, :run_now=>true}
[2021-06-08T00:35:52.285+00:00][30889][2170][app-server][INFO]: Running task: RefreshFritoPieContentSources
[2021-06-08T00:35:52.287+00:00][30889][2304][app-server][INFO]: [workers] Configuring background jobs for Workplace Search Connectors...
[2021-06-08T00:35:52.292+00:00][30889][2304][app-server][INFO]: [workers] Enabling non-custom Workplace Search content sources...
[2021-06-08T00:35:52.296+00:00][30889][2314][app-server][INFO]: Running task: UpdateCustomSourcesConfig
[2021-06-08T00:35:52.302+00:00][30889][2316][app-server][INFO]: Running task: KeepFilebeatAlive

I have not made any edits to bin/enterprise-search.
Isn't this a recommended command?
Do you expect me to simply systemctl restart enterprise-search?

Second, I notice that this forum post has been going on for more than a week. We're happy to keep helping here, but do you have a support relationship with Elastic? If you're a paying customer, you may find that Elastic Support may be faster to help you work through this.

Unfortunately, I do not have a support relationship with Elastic yet.
I would like to know what features are available in the basic license first.

I have already implemented ELK and am currently testing its usability with members of my company.
If it is well received, I would like to obtain a license to have a support relationship.

We would also like to introduce WorkplaceSearch as well as ELK, but we are struggling. I need your help.
Any advice would be appreciated.

Third, the Failed to bind error may mean a number of things. It could mean that you already have something else running on port 3002 on your server. It could mean that you already have Enterprise Search up and running, and you need to stop/kill the running process before you try to start another one. Or it could mean that your server's network settings are such that processes are not allowed to bind to port 3002 at all. Might any of these apply?

I think port 3002 is occupied by EnterpriseSearch.
There are no other processes running.
I am checking with the following command.

$ lsof -i:3002
COMMAND   PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
java    29909 root  205u  IPv6 156588026      0t0  TCP XXX.XXX.XXX.XXX.ap.38ns.net:exlm-agent (LISTEN)

How can I find out about network limitations?
What I can tell you is that with the IP address + port configuration, you can access WorkplaceSearch from a browser.
I assume this means that http connections are possible, but doesn't this mean that the 3002 port is allowed to bind?

@maryna.cherniavska
Thank you for your answer.
Thank you in advance.

I will answer your questions.

Also, it would be helpful to see how you rewrote that nginx ssl config file to get rid of the path in the workplace search URL?

The only thing I edited in the nginx configuration file was to add the reverse proxy setting.
Newly added the following

    location /workplacesearch/ {
        proxy_pass   http://127.0.0.1:3002/;
    }

And could you make sure to provide the full stacktrace of the error?

Which stacktrace would be helpful?

The latest error we are presenting now is the following error that appears when you press the [ConnectGoogleDrive] button.
This will be displayed in your browser.

Authorization Error
Error 400: invalid_request
Invalid parameter value for redirect_uri: Raw IP addresses not allowed: http://MY_SERVER:3002/ws/org/sources/google_drive/create

In order to get the URLs by domain needed for GoogleDrive integration, I reviewed the proxy settings by NGINX.
Specifically, I changed the value of ent_search.listen_host.

I have seted the configuration in NGINX, expecting to access WorkplaceSearch at https://MY_SERVER/workplacesearch.
However, it redirects to http://XXX.XXX.XXX.XXX:3002.
This is probably due to the value you specified for ent_search.external_url.

What settings do I need to make in ent_search.external_url to enable URLs by domain (https://MY_SERVER/workplacesearch)?
Also, are there any other settings I need to do?

The following is a more accurate description of the settings I have described.

• EnterpriseSearch

$ vi /usr/share/enterprise-search/config/enterprise-search.yml
# ---------------------------------- Secrets ----------------------------------
secret_management.encryption_keys: [REDACTED]

# ------------------------------- Elasticsearch -------------------------------
elasticsearch.host: http://XXX.XXX.XXX.XXX:9200
elasticsearch.username: [REDACTED]
elasticsearch.password: [REDACTED]
allow_es_settings_modification: true

# ------------------------------- Hosting & Network ---------------------------
ent_search.external_url: http://XXX.XXX.XXX.XXX:3002
#ent_search.listen_host: XXX.XXX.XXX.XXX # <- remove
ent_search.listen_host: 0.0.0.0          # <- add
ent_search.listen_port: 3002

• NGINX

# cat /etc/nginx/conf.d/ssl.conf
server {
    listen       443 ssl;
    server_name  MY_SERVER;

    ssl_certificate      [REDACTED];
    ssl_certificate_key  [REDACTED];

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    location /kibana/ {
        proxy_pass   http://127.0.0.1:5601/;
    }

    location /workplacesearch/ {
        root         /usr/share/enterprise-search;
        proxy_pass   http://127.0.0.1:3002/;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

@its-ogawa I meant the stacktrace from the application log, but you're already posting it above.

This thread is becoming complicated and I want to take a step back. Let's make sure that all these are checked:

1. You have your app deployed to somewhere (not on localhost I assume) that has a public IP and the port 3002 is exposed/available.
2. You have nginx to provide a hostname (MY_SERVER) instead of an IP. This hostname is what you gave to the Google Oauth App.
3. Enterprise Search config has the same URL:

ent_search.external_url: http://MY_SERVER
ent_search.listen_host: 0.0.0.0
ent_search.listen_port: 3002

4. The previous app has been stopped (just kill the process)
5. You're running the script with no parameters (reload is not a valid command):

bin/enterprise-search

Is that all correct?