Remote Client not able to connect to Elasticsearch Cluster via SSL in place


I am using Elasticsearch version 7.8.0 with 5 node cluster. This cluster has SSL enabled and user auth security enabled too.

For inter-communication, the port used is 9300.

I am using external client [ Oracle Goldengate ] to connect to Elasticsearch cluster. It connects on PORT 9300.

When the connection happens from the client to the ES cluster, I see the below error in the ES log file:

[2021-05-12T06:16:40,835][WARN ][o.e.t.TcpTransport       ] [node-2] exception caught on transport layer [Netty4TcpChannel{localAddress=, remoteAddress=/XX.XX.XX.XX:24876}], closing connection
io.netty.handler.codec.DecoderException: Empty client certificate chain

At the client side, I have specified the below params for the certificate:

Could you please help me to fix this ...

Which version of Goldengate are you using?
The latest version supports the Transport Client (port 9300) and the Rest Client (port 9200).

We (Elastic) have deprecated the transport client, so you should think about switching to use the Rest client with Goldengate if you can.

Have you tried using the connection properties supported by Goldengate (e.g.

Goldengate Version
We are using Transport Client 9300

For which version is this deprecated? [ My Elasticsearch version is 7.8.0 ]

Without SSL and Authentication in place, Goldengate works perfectly fine and does insert data in Elasticsearch indexes as expected.


Yes I have tried that too...
FILE : elasticsearch6x.props


## Handler properties for Elasticsearch 6.x and 7.0.0

# For ES 6.x and 7.0.0 connectivity
javawriter.bootoptions=-Xmx4096m -Xms4096m -XX:+UseG1GC -XX:MaxGCPauseMillis=50 -XX:+ParallelRefProcEnabled -XX:ParallelGCThreads=8 -XX:ConcGCThreads=2 -XX:InitiatingHeapOccupancyPercent=75 -Djava.class.path=.:ggjava/ggjava.jar:./dirprm

## SSL for ES

I have copied "elastic-certificates.p12" from Elasticsearch Cluster.

During this certificate creation, I did include our Goldengate Server IP Address too.

Still facing same error

Also in here if you check
* NSS: client certificate not found (nickname not specified)

curl -v -key /mnt/elasticsearch-7.8.0/config/certs/elastic-certificates.p12  -cacert /mnt/elasticsearch-7.8.0/config/certs/elastic-stack-ca.p12 -cert /mnt/elasticsearch-7.8.0/config/certs/elastic-certificates.p12
* About to connect() to port 9300 (#0)
*   Trying
* Connected to ( port 9300 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL peer cannot verify your certificate.
* Closing connection 0
curl: (58) NSS: client certificate not found (nickname not specified)
* <url> malformed
* Closing connection -1
curl: (3) <url> malformed
* <url> malformed
* Closing connection -1
curl: (3) <url> malformed
* <url> malformed
* Closing connection -1
curl: (3) <url> malformed

While using elasticsearch-certutil cert

Do I need to use any option for the CLIENT one?

As stated earlier, I have included the Goldengate [ Client ] IP Address while creating the certificate.

It's either the certificate or some parameter settings mistaken at the client side...

Could you please help me in this ...
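
An added illustration, not part of any post in this thread and not curl's own code: curl reads a single-dash word as a cluster of one-letter options, so the flags in the command above are not interpreted as `--key`, `--cacert` and `--cert`. The sketch models only the four letters involved (`-v`, `-k`, `-e`, `-c`); the target URL is not shown on the page and is left out.

```python
# Added illustration: a small model of how curl reads single-dash words.
# Only the four one-letter options involved here are modelled (a subset of curl's).
SHORT_OPTS = {  # letter -> (long name, takes an argument)
    "v": ("--verbose", False),
    "k": ("--insecure", False),
    "e": ("--referer", True),
    "c": ("--cookie-jar", True),
}

# The options as posted in the thread; the target URL is not shown on the page
# and is left out here.
CERTS = "/mnt/elasticsearch-7.8.0/config/certs/"
POSTED = [
    "-v",
    "-key", CERTS + "elastic-certificates.p12",
    "-cacert", CERTS + "elastic-stack-ca.p12",
    "-cert", CERTS + "elastic-certificates.p12",
]


def parse_like_curl(argv):
    """Return (options, urls) for a list of single-dash words and operands."""
    options, urls = [], []
    i = 0
    while i < len(argv):
        word = argv[i]
        i += 1
        if not word.startswith("-") or word == "-":
            urls.append(word)  # anything that is not an option is taken as a URL
            continue
        letters = word[1:]
        for pos, letter in enumerate(letters):
            name, takes_arg = SHORT_OPTS[letter]
            if not takes_arg:
                options.append((name, None))
                continue
            rest = letters[pos + 1:]
            if rest:  # argument glued to the letter, e.g. -cacert -> -c "acert"
                options.append((name, rest))
            else:  # argument is the next word
                options.append((name, argv[i]))
                i += 1
            break
    return options, urls


if __name__ == "__main__":
    print(parse_like_curl(POSTED))
```

The three paths left over as URLs line up with the three `<url> malformed` messages in the output, and `--insecure` with `skipping SSL peer certificate verification`. No client certificate option is set at all; the long forms need two dashes (`--key`, `--cacert`, `--cert`).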

Now I am getting the below error:

java.lang.RuntimeException: ElasticsearchSecurityException[failed to load SSL configuration []]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: CertificateParsingException[signed fields invalid];

I added a new parameter:
