ssl.NotSslRecordException

I am using Elasticsearch version 7.1.0 and trying to connect three nodes with the security function, but I receive the following error.
It works well locally, but there is a problem on Kubernetes.

io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record

Elasticsearch is running, but after a successful login in Kibana, it goes back to the login screen.
My security settings are the same as those on the Elasticsearch homepage.

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12

Reference: https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls.html

How can I solve it?

When you have an HTTP vs. HTTPS mismatch, NotSslRecordException usually occurs. Check whether the request is HTTPS.

Could you put up a simple setup example for security?
I do not have access to the 9200 port because I set it up as in the question.

Maybe you can disable HTTPS to verify whether the HTTP request is causing the exception.

Yes. I left only the settings below.

network.bind_host: 0.0.0.0
network.publish_host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

It works fine locally.

In Kubernetes, the following error occurs.
exception caught on transport layer [Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress.......
NotSslRecordException: not an SSL/TLS..............

I tried both of the following settings but it does not work.

discovery.seed_hosts:

discovery.seed_hosts:

In Kibana, if login succeeds, it moves to the login screen again.

What is this remote address? Is it part of your k8s cluster?

From the 9300 port, it looks like it is another Elasticsearch node trying to connect to this cluster.
Do you perhaps have another ES cluster in your k8s cluster without TLS?

Hi,
The following is what the Elasticsearch docs say:

org.elasticsearch.common.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:
Indicates that there was incoming plaintext traffic on an SSL connection. This typically occurs when a node is not configured to use encrypted communication and tries to connect to nodes that are using encrypted communication. Please verify that all nodes are using the same setting for `xpack.security.transport.ssl.enabled`.

As @TimV said, make sure this remote address is the node in your current cluster.
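
A triage helper for the exception discussed in this thread, added here as an example (not code from the thread or from Elastic). It assumes the untruncated log line ends with the hex dump of the rejected bytes that Netty appends after `not an SSL/TLS record:`, and that plaintext Elasticsearch transport frames start with the marker bytes `ES`; the function names and sample lines are constructed.

```python
import re

# Assumed log format: Netty appends a hex dump of the rejected bytes to the message.
_HEX_RE = re.compile(r"not an SSL/TLS record:\s*([0-9a-fA-F]+)")

# TLS record content types: change_cipher_spec, alert, handshake, application_data.
TLS_CONTENT_TYPES = {20, 21, 22, 23}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_first_bytes(data: bytes) -> str:
    """Guess which protocol produced the first bytes received on a TLS port."""
    # A TLS record starts with: content type, major version 3, minor version 0..4.
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 3 and data[2] <= 4:
        return "tls"
    # Plaintext node-to-node traffic (port 9300): a peer without transport TLS.
    if data[:2] == b"ES":
        return "plaintext-es-transport"
    # Plaintext client traffic: http:// used against an https-enabled port.
    if data.startswith(HTTP_METHODS) or data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def diagnose_log_line(line: str) -> str:
    """Extract the hex dump from a NotSslRecordException line and classify it."""
    match = _HEX_RE.search(line)
    if not match:
        return "no-hex-dump"  # e.g. the line was truncated before the dump
    hex_dump = match.group(1)
    hex_dump = hex_dump[: len(hex_dump) // 2 * 2]  # drop a dangling nibble
    return classify_first_bytes(bytes.fromhex(hex_dump))


# Constructed sample lines, not taken from the thread.
SAMPLE_LINES = [
    "NotSslRecordException: not an SSL/TLS record: " + (b"ES\x00\x00\x00\x31" + bytes(8)).hex(),
    "NotSslRecordException: not an SSL/TLS record: " + b"GET /_cluster/health HTTP/1.1\r\n".hex(),
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(diagnose_log_line(sample))
```

A `plaintext-es-transport` result on port 9300 points at a peer node with `xpack.security.transport.ssl.enabled` unset or false; `plaintext-http` points at a client using `http://` against a TLS-enabled port.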
