Selfhosted Sharepoint Connector and self-signed Certs

Hi everyone,
I run ES 8.16.1 secured as to the documentation. Downloaded the source for the sharepoint connector and did a clean install.
My config.yml looks like this:

connectors:
-
  connector_id: "cLzelZMBUWuJQBqZqfS4"
  service_type: "sharepoint_server"
  api_key: "b2d6ZWxaTUJLY282ZFJhUXF2d2c6TDQ0Uk9ScGdRc0dubWRTTFBubjhPQQ=="

elasticsearch:
  host: "https://172.17.20.96:9200"
  api_key: "b2d6ZWxaTUJLY282ZFJhUXF2d2c6TDQ0Uk9ScGdRc0dubWRTTFBubjhPQQ=="
  elasticsearch.ssl: true
  elasticsearch.verify_certs: true
  elasticsearch.ca_certs: "/root/connectors/certs/http_ca.crt"

The cert is copied from my first Node. When I run "make run", I get the
error:

make run
python3 -m venv .venv
.venv/bin/pip install --upgrade pip
Requirement already satisfied: pip in ./.venv/lib64/python3.12/site-packages (24.3.1)
.venv/bin/pip install --upgrade setuptools
Requirement already satisfied: setuptools in ./.venv/lib64/python3.12/site-packages (75.6.0)
.venv/bin/pip-licenses --format=plain-vertical --with-license-file --no-license-path > NOTICE.txt
Due to the length of these fields, this option is best paired with --format=json.
.venv/bin/elastic-ingest
[FMWK][09:48:35][INFO] Running connector service version 9.0.0
[FMWK][09:48:35][INFO] Loading config from /root/connectors/connectors/../config.yml
[FMWK][09:48:35][INFO] Running preflight checks
[FMWK][09:48:35][INFO] Waiting for Elasticsearch at https://172.17.20.96:9200 (so far: 0 secs)
[FMWK][09:48:35][ERROR] Could not connect to the Elasticsearch server
[FMWK][09:48:35][ERROR] Cannot connect to host 172.17.20.96:9200 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)')]

Can anybody point out, what's going wrong!? Thanks in advance

Push
Anything missing?

@fal77 just confirming, is the main post's configuration still unchanged? Because it appears that there are two elasticsearch keys in the configuration, when there should be one. The cert values are effectively double-nested under elasticsearch.elasticsearch.*.

Can you try with this?

elasticsearch:
  host: "https://your-host:9200"
  api_key: <REDACTED>
  ssl: true
  verify_certs: true
  ca_certs: "/root/connectors/certs/http_ca.crt"

Also, be sure to rotate your API key if this isn't a local dev env. Sharing it here means anyone can use it.

@nfeekery
Hi Navarone,
thanks for looking in this and no worries :slight_smile: It is a local dev environment and the api-key has expired immediately after I posted it.
You are right, the cert values where double-nested ... my mistake. But even after changing this, the error remains.

Glad to know they're dev credentials :slight_smile:

In that case, can you confirm that the cert itself works with Elasticsearch?

curl -H "Authorization: ApiKey $API_KEY" --ca-cert /root/connectors/certs/http_ca.crt https://172.17.20.96:9200/

No, it doesn't work ... same error message as above but this was the missing hint I needed :slight_smile: It is not the http_ca.crt which was required but the ca.crt.
Thanks again for your help!!!

1 Like