SSL and org.elasticsearch.transport.NodeDisconnectedException


(Maciej Stoszko) #1

I have an es_client (java/dropwizard) application. It communicates with the
elasticsearch just fine over plaintext connection.

I have followed the instructions at
https://github.com/sonian/elasticsearch-jetty to set up SSL for es.

However when I start my es_client it reports every 5 seconds the following:

INFO [2014-01-08 23:02:14,814] org.elasticsearch.client.transport:
[Karolina Dean] failed to get node info for
[#transport#-1][inet[localhost/127.0.0.1:9443]], disconnecting... !
org.elasticsearch.transport.NodeDisconnectedException:
[][inet[localhost/127.0.0.1:9443]][cluster/nodes/info] disconnected

How can I go about figuring this one out?

Thanks,

Maciej

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/bff6a325-ab42-48ef-a6f4-bc7f9c274d1a%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(Maciej Stoszko) #2

Actually, digging around a bit more, I think I should revise my question:
is it currently possible to have a Java API client talking to Elasticsearch
via SSL?
I see that https://github.com/elasticsearch/elasticsearch/pull/2105 (Add
SSL support to Netty transport layer for Client/Node-to-Node communication)
was rejected.
Maybe it is simply a feature which does not (yet) exist.


(David Pilato) #3

The Jetty plugin replaces the HTTP layer (9200), not the transport layer (9300).
The Transport Client uses the transport layer (9300).

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet | @elasticsearchfr
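
The distinction in this reply, as an added example (not code from the thread or from the elasticsearch-jetty project): a Java client that needs TLS has to speak HTTP to the Jetty-served port instead of using the TransportClient. It assumes the 9443 HTTPS listener from the log above, a JKS truststore holding the server's certificate (path and password passed as arguments, both hypothetical), and the standard `/_cluster/health` REST endpoint.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Scanner;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class EsHttpsCheck {
    // Build an SSLContext that trusts only the certificates in the given JKS file.
    static SSLContext contextFor(String truststorePath, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            trust.load(in, password);
        }
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(alg);
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // GET a REST path over HTTPS. Certificate and hostname verification stay on.
    static String get(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            int status = conn.getResponseCode();
            InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
            String body = "";
            if (in != null) {
                try (Scanner s = new Scanner(in, "UTF-8").useDelimiter("\\A")) {
                    body = s.hasNext() ? s.next() : "";
                }
            }
            return "HTTP " + status + "\n" + body;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0] = truststore path, args[1] = truststore password (hypothetical inputs).
        SSLContext ctx = contextFor(args[0], args[1].toCharArray());
        System.out.println(get(ctx, "https://localhost:9443/_cluster/health"));
    }
}
```

A handshake failure here points at the truststore or the certificate's hostname, while the TransportClient on 9300 remains plaintext regardless of this setup.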



(Maciej Stoszko) #4

Thanks David,
Does it mean that, at least currently, there is no avenue to secure transport layer with SSL?
Maciej



(David Pilato) #5

We don't have that at this time.
Basically, elasticsearch nodes are very often in a backend layer so securing transport is not something really needed as it comes also with a cost.

Could you secure your transmissions on a network level?

--
David :wink:
Twitter : @dadoonet / @elasticsearchfr / @scrutmydocs



(stefano ruggiero) #6

I try to revive this thread; I am searching for something really similar to
this topic.

We know that transport layer 9300 should stay in the backend in a special
DMZ, so it shouldn't need a secure application transport layer (an IPsec
tunnel could be enough), but how can we secure the HTTP layer? I mean, we
send documents with Logstash from tons of sources around the world; how can
Logstash send documents with HTTPS enabled? (On the Elasticsearch side I can
set up an nginx instance that has load balancing and reverse proxy
activated, obviously with HTTPS enabled and a self-signed certificate, but I
didn't find any HTTPS or SSL support for Logstash and its Elasticsearch
output plugin.)

VPN isn't a good choice, only if there is nothing better.

Regards
Stefano



(Jörg Prante) #7

If you want HTTPS with ES from logstash, you have several options:

Take care that nobody can read your client certificates / Java keystores
while you create and transfer them to the nodes.

Note, adding HTTPS to each node is much more complex and error-prone than
securing ES in a private network with a HTTPS reverse proxy.

A correct setup of the environment is essential to maintain a minimum of
security.

Jörg



(Jörg Prante) #8

A better SSL server/client example is
https://github.com/netty/netty/tree/3/src/main/java/org/jboss/netty/example/securechat

Jörg

On Sat, Jan 11, 2014 at 1:57 PM, joergprante@gmail.com <
joergprante@gmail.com> wrote:

like in this example
http://svn.apache.org/repos/asf/avro/trunk/lang/java/ipc/src/test/java/org/apache/avro/ipc/TestNettyServerWithSSL.java



(stefano ruggiero) #9

My choice could be a reverse proxy with HTTPS enabled that balances traffic
to all the ES nodes that are deployed in the DMZ, but there isn't an option in
the Logstash output plugin that lets me send HTTPS traffic, or am I in error?


--
Best Regards, Stefano.

http://www.linkedin.com/profile/view?id=205466795



(stefano ruggiero) #10

My production choice is to use an OpenVPN site-to-site configuration;
it adds more resource consumption on the server but seems the fastest and
strongest way to link thousands of Logstash instances to a Cloud ES
solution.

--
Best Regards, Stefano.

http://www.linkedin.com/profile/view?id=205466795


