User_bundle from internal Artifactory problem

Hi!

I'm trying to add a custom cacerts.zip User_Bundle to my ELK deployment in our ECE.
Elasticsearch is bootlooping and the reason is an untrusted certificate.

    "elasticsearch": {
      "user_bundles": [
        {
          "elasticsearch_version": "7.*",
          "name": "ldap-cert",
          "url": "https://<artifactory_address>/cacerts.zip"
        }
      ],
      "version": "7.10.2"
    },

My problem is - the certificate of Artifactory is signed by my company's CA, I can't do much about that.
I'm able to download this bundle on the VM ECE is installed on but I can't from inside of Elasticsearch containers.

Is there any way to ignore cert verification like wget does?

    wget --no-check-certificate

Unfortunately, this is a known issue.

The workarounds until we fix it (there are plans, but no ETA) are:

  • Run an nginx container on each allocator that will proxy to the artifactory
  • (not supported (*)) unzip the stackpack, add --no-check-certificate to the wget in elasticsearch.sh, rezip, and re-upload

Apologies - we appreciate neither workaround is great

(*) in the sense that issues with a custom stackpack might come down to "does it fail in the same way with the supported stackpack"

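A sketch of the first workaround from the reply above, as an added example that is not part of the original posts and not Elastic's own configuration: an nginx proxy on the allocator that fetches the bundle from Artifactory and verifies Artifactory's certificate against the company CA, so certificate checking stays on for the upstream hop. The listen address, port 8080 and the CA file path are assumptions; values in `<...>` are placeholders to replace.

```nginx
# Added example: minimal nginx.conf for a per-allocator proxy in front of Artifactory.
# <allocator_listen_ip>, port 8080 and the CA file path are assumed values.
events {}

http {
    server {
        # Listen only on an allocator-local address that the Elasticsearch
        # containers can reach, not on a public interface.
        listen <allocator_listen_ip>:8080;

        # Expose nothing except the bundle the deployment plan references.
        location = /cacerts.zip {
            proxy_pass https://<artifactory_address>/cacerts.zip;

            # Verify Artifactory's certificate chain against the company CA
            # (PEM file mounted into the nginx container).
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_trusted_certificate /etc/nginx/company-ca.pem;

            # Send SNI so Artifactory presents the certificate for its host name.
            proxy_ssl_server_name on;

            # Read-only: allow GET (and HEAD), refuse everything else.
            limit_except GET { deny all; }
        }

        # Any other path is not proxied.
        location / { return 404; }
    }
}
```

With this in place, the `url` in `user_bundles` would point at `http://<allocator_listen_ip>:8080/cacerts.zip`; that hop is plain HTTP, which is why the listener is restricted to an allocator-local address.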
