When tying to add confluence server/jira server I keep getting ssl verification error, problem is I can't find any setting in the documentation for a truststore, or certificate_authorities.
I have looked at: Configuration | Elastic Enterprise Search documentation [8.4] | Elastic
And looked for maybe a JVM_OPTS parameter that I could use but couldn't figure out which parameters can be used.
Hi @shamorai
The best solution is to have your certs signed by an official certificate authority. However, if that's not possible at this time, you can configure your OpenSSL environment to find a non-default trust store or certificate. For example, I've used:
export SSL_CERT_FILE=/Users/seanstory/Desktop/cert.pem
before in order to work around a self-signed certificate for a development content source.
See: /docs/man1.1.1/man3/SSL_CTX_set_default_verify_paths.html
Hopefully this helps!
Running enterprise-search v8.2.3
My certificate is signed by our "official ca" In our intranet.
I can't seem to find anyway to add a ca certificate.
Is the SSL_CERT_FILE env variable mentioned in any of the Documentation for enterprise-search, or that the jvm uses the default openssl cacerts?
after setting the env variable, curl https://jira-test.intranet:8443 works with no errors.
But when trying to connect to jira server I'm still getting:
Exception: Faraday::SSLError: certificate verify failed
from uri:classloader:/META_INF/jruby.home/lib/ruby/stdlib/net/http.rb:934:in 'do_start'
...
...
from /usr/share/enterprise-search/lib/war/vendor/fishwife-servlet/lib/fishwife/rack_servlet.rb:74:in 'service'
Hi @shamorai
But when trying to connect to jira server I'm still getting:
Exception: Faraday::SSLError: certificate verify failed
Have you added your root certificate into the JVM keystore? See guides like: How to import a CA root certificate into the JVM trust store | Connect2id
Is the SSL_CERT_FILE env variable mentioned in any of the Documentation for enterprise-search, or that the jvm uses the default openssl cacerts?
I don't believe this is in our documentation, no. I'll flag this as an area where we can improve our SSL guide. I expect that most customers are using root certificates that are signed by an external CA for their content sources, and therefore do not run into this issue - it's more common to use self-signed certs or internal CA certs for non-user-facing (or few user facing) services like Elasticsearch and Enterprise Search. But your use case is a valid one.
I have tried adding javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword and javax.net.ssl.trustStoreType to the JAVA_OPTS env variable but had no luck.
I will try importing my cacerts to the default truststore location and give an update
I thought it's common for confluence server and jira server which are on prem services to have certificates which are signed by the intranet's ca.
Updating, on the topic.
I have not been able to find a way to import cacerts as of yet.
However I was able to disable certificate verification entirely by editing /usr/share/enterprise-search/lib/war/gems/gems/faraday-net_http-1.0.1/lib/faraday/adapter/net_http.rb directly.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.