ssl.NotSslRecordException

Elastic Stack Elasticsearch
1

I am using elasticsearch version 7.1.0 and trying to connect three nodes with security function, but I receive the following error.
It works well locally, but it's a problem at kubernetes.

io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record

elasticsearch is running, but after login is successful in kibana, it goes back to login screen.
My security settings are the same with the homepage of elasticsearch.

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12

Reference: https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls.html

How can I solve it?

2

when you have a http vs https mismatch, NotSslRecordException usually occurs. Check whether the request is https.

3

Could you put up a simple setup example for security?
I do not have access to the 9200 port because I set it up like a question.

4

Maybe you can disable the https to verify if the http request is causing the exception.

5

Yes. I left only the settings below.

network.bind_host: 0.0.0.0
network.publish_host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

It works fine locally,

In kubernetes, the following error occurs.
exception caught on transport layer [Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress.......
NotSslRecordException: not an SSL/TLS..............

I tried both of the following settings but it does not work.

discovery.seed_hosts:

discovery.seed_hosts:

In kibana, if login succeeds, it moves to login screen again.

6

What is this remote Address? Is it part of your k8s cluster?

From the 9300 port, it looks like it is another Elasticsearch node trying to connect to this cluster.
Do you perhaps have another ES cluster in your k8s cluster without TLS?

7

hi
Following is Elasticsearch Doc says:

org.elasticsearch.common.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:
Indicates that there was incoming plaintext traffic on an SSL connection. This typically occurs when a node is not configured to use encrypted communication and tries to connect to nodes that are using encrypted communication. Please verify that all nodes are using the same setting for  `xpack.security.transport.ssl.enabled` .

As @TimV said, make sure this remote address is the node in your current cluster.

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.