SSL issue when running ESRally to ES hosted in a diff server

Elastic Stack Elasticsearch
1

i am having difficulty runny ESrally Race. i have import the .crt and update-ca-certificates to pem. but when i run the command, i am getting ssl error.

Commands tried:

esrally race --track=acme --target-hosts=x.x.x.x:9200 --client-options="use_ssl:true,verify_certs:true,basic_auth_user:'elastic',basic_auth_password:'changeme'"

esrally race --track=acme --target-hosts=x.x.x.x:9200 --client-options="use_ssl:true,verify_certs:false,basic_auth_user:'elastic',basic_auth_password:'changeme'"

esrally race --track=acme --target-hosts=x.x.x.x:9200 --client-options="use_ssl:true,verify_certs:true"

esrally race --track=acme --target-hosts=x.x.x.x:9200 --client-options="use_ssl:true,verify_certs:false"

esrally race --track=acme --target-hosts=x.x.x.x:9200 --client-options="basic_auth_user:'elastic',basic_auth_password:'changeme'"

Errors:

[INFO] Race id is [42e651c0-bfe1-46a4-b6d3-a31b4f8bbbd0]
[ERROR] Cannot race. Traceback (most recent call last):
  File "~/.local/lib/python3.10/site-packages/esrally/actor.py", line 92, in guard
    return f(self, msg, sender)
  File "~/.local/lib/python3.10/site-packages/esrally/racecontrol.py", line 114, in receiveMsg_Setup
    self.coordinator.setup(sources=msg.sources)
  File "~/.local/lib/python3.10/site-packages/esrally/racecontrol.py", line 203, in setup
    ) = client.factory.cluster_distribution_version(hosts, client_options)
  File "~/.local/lib/python3.10/site-packages/esrally/client/factory.py", line 359, in cluster_distribution_version
    version = es.info()["version"]
  File "~/.local/lib/python3.10/site-packages/elasticsearch/_sync/client/utils.py", line 414, in wrapped
    return api(*args, **kwargs)
  File "~/.local/lib/python3.10/site-packages/elasticsearch/_sync/client/__init__.py", line 2296, in info
    return self.perform_request(  # type: ignore[return-value]
  File "~/.local/lib/python3.10/site-packages/esrally/client/synchronous.py", line 168, in perform_request
    info = self.transport.perform_request(method="GET", target="/", headers=request_headers)
  File "~/.local/lib/python3.10/site-packages/elastic_transport/_transport.py", line 328, in perform_request
    meta, raw_data = node.perform_request(
  File "~/.local/lib/python3.10/site-packages/elastic_transport/_node/_http_urllib3.py", line 197, in perform_request
    raise err from None
elastic_transport.TlsError: TLS error caused by: TlsError(TLS error caused by: SSLError([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1007)))
2

Hello! Thank you for your interest in Rally.

Python ignores system certificates by default, using update-ca-certificates won't have any effect. (That said, there's recent work that allows system stores to work: truststore · PyPI. But that would be a request for the Rally developers.)

Are you getting the same error in each case? For example, use_ssl:true,verify_certs:false,basic_auth_user:'elastic',basic_auth_password:'changeme'" should not fail that way, as it won't try to verify the certificate.

To rule out Rally, can you please verify that connecting with curl works?

curl -k -u elastic:changeme https://x.x.x.x:9200/

You could also try Python:

import requests
r = requests.get("https://x.x.x.x:9200", verify=False, auth=("elastic", "changeme"))
print(r.json())

(Both approaches disable certificate verification, but we can make it work later if you want to.)