Curator can't connect to Elasticsearch via SSL

Curator can’t connect to Elasticsearch anymore since Searchgeard was installed.

Elasticsearch Version: 5.2.1

curator --version

curator, version 4.2.6

curator-config:

client:
hosts:
- 127.0.0.1
port: 9200
use_ssl: True
certificate: root-ca.pem

client_cert: chain.pem

client_key: kirk.pem

ssl_no_validate: False

``

Error when executing curator:

Traceback (most recent call last):
File “/usr/local/bin/curator”, line 11, in
sys.exit(cli())
File “/usr/local/lib/python2.7/dist-packages/click/core.py”, line 722, in call
return self.main(*args, **kwargs)
File “/usr/local/lib/python2.7/dist-packages/click/core.py”, line 697, in main
rv = self.invoke(ctx)
File “/usr/local/lib/python2.7/dist-packages/click/core.py”, line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File “/usr/local/lib/python2.7/dist-packages/click/core.py”, line 535, in invoke
return callback(*args, **kwargs)
File “/usr/local/lib/python2.7/dist-packages/curator/cli.py”, line 166, in cli
client = get_client(**client_args)
File “/usr/local/lib/python2.7/dist-packages/curator/utils.py”, line 603, in get_client
‘Error: {0}’.format(e)
elasticsearch.exceptions.ElasticsearchException: Unable to create client connection to Elasticsearch. Error: ConnectionError(error return without exception set) caused by: SystemError(error return without exception set)

``

Is there a solution to fix this?

Other threads here and elastic forum provided no successful solution.

Thanks in advance,

Chris

The command

curl --insecure -E ./chain.pem --key ./kirk.pem -XPUT ‘https://localhost:9200/_snapshot/elk5-2-1-dev-backup/snapshot_1?wait_for_completion=true

``

works fine, but working curator would be appreciated for excluding searchguard-index.

Restoring with explicitly listing all other indices would be pain.

Are you using the snapshot user?

···

On Friday, 6 October 2017 13:53:30 UTC+1, christophe...@gmail.com wrote:

The command

curl --insecure -E ./chain.pem --key ./kirk.pem -XPUT ‘https://localhost:9200/_snapshot/elk5-2-1-dev-backup/snapshot_1?wait_for_completion=true

``

works fine, but working curator would be appreciated for excluding searchguard-index.

Restoring with explicitly listing all other indices would be pain.

I’ve created the role sg_snapshot_restore and mapped it to the admin user, but found no way to configure curator to use this account.

···

On Monday, October 9, 2017 at 4:08:40 PM UTC+2, anthony...@actual-experience.com wrote:

Are you using the snapshot user?

On Friday, 6 October 2017 13:53:30 UTC+1, christophe...@gmail.com wrote:

The command

curl --insecure -E ./chain.pem --key ./kirk.pem -XPUT ‘https://localhost:9200/_snapshot/elk5-2-1-dev-backup/snapshot_1?wait_for_completion=true

``

works fine, but working curator would be appreciated for excluding searchguard-index.

Restoring with explicitly listing all other indices would be pain.

There is a way.

In your curator config, load it in as follows(You may have different SSL settings)

client:

hosts:

  • elastic-master-01.x

  • elastic-master-02.x

port: 9200

url_prefix:

use_ssl: True

certificate: ‘/etc/elasticsearch/elastic-master-01.x/ca-bundle.pem’

client_cert: ‘/etc/elasticsearch/elastic-master-01.x/elastic-admin.pem’

client_key: ‘/etc/elasticsearch/elastic-master-01.x/elastic-admin.key.pem’

ssl_no_validate: False (you can use true if you have ssl problems)

http_auth: admin:x

timeout: 30

master_only: False

···

On Tuesday, 10 October 2017 08:32:54 UTC+1, christophe...@gmail.com wrote:

I’ve created the role sg_snapshot_restore and mapped it to the admin user, but found no way to configure curator to use this account.

On Monday, October 9, 2017 at 4:08:40 PM UTC+2, anthony...@actual-experience.com wrote:

Are you using the snapshot user?

On Friday, 6 October 2017 13:53:30 UTC+1, christophe...@gmail.com wrote:

The command

curl --insecure -E ./chain.pem --key ./kirk.pem -XPUT ‘https://localhost:9200/_snapshot/elk5-2-1-dev-backup/snapshot_1?wait_for_completion=true

``

works fine, but working curator would be appreciated for excluding searchguard-index.

Restoring with explicitly listing all other indices would be pain.

0 2 * * * /usr/local/bin/curator --config /root/config.yml /root/action.yml

^ This is how you pass the config.

···

On Tuesday, 10 October 2017 08:53:55 UTC+1, anthony...@actual-experience.com wrote:

There is a way.

In your curator config, load it in as follows(You may have different SSL settings)

client:

hosts:

  • elastic-master-01.x
  • elastic-master-02.x

port: 9200

url_prefix:

use_ssl: True

certificate: ‘/etc/elasticsearch/elastic-master-01.x/ca-bundle.pem’

client_cert: ‘/etc/elasticsearch/elastic-master-01.x/elastic-admin.pem’

client_key: ‘/etc/elasticsearch/elastic-master-01.x/elastic-admin.key.pem’

ssl_no_validate: False (you can use true if you have ssl problems)

http_auth: admin:x

timeout: 30

master_only: False

On Tuesday, 10 October 2017 08:32:54 UTC+1, christophe...@gmail.com wrote:

I’ve created the role sg_snapshot_restore and mapped it to the admin user, but found no way to configure curator to use this account.

On Monday, October 9, 2017 at 4:08:40 PM UTC+2, anthony...@actual-experience.com wrote:

Are you using the snapshot user?

On Friday, 6 October 2017 13:53:30 UTC+1, christophe...@gmail.com wrote:

The command

curl --insecure -E ./chain.pem --key ./kirk.pem -XPUT ‘https://localhost:9200/_snapshot/elk5-2-1-dev-backup/snapshot_1?wait_for_completion=true

``

works fine, but working curator would be appreciated for excluding searchguard-index.

Restoring with explicitly listing all other indices would be pain.

http_auth was missing in my config, now it works.
Thank you very much!

···

On Tuesday, October 10, 2017 at 9:55:33 AM UTC+2, anthony...@actual-experience.com wrote:

0 2 * * * /usr/local/bin/curator --config /root/config.yml /root/action.yml

^ This is how you pass the config.

On Tuesday, 10 October 2017 08:53:55 UTC+1, anthony...@actual-experience.com wrote:

There is a way.

In your curator config, load it in as follows(You may have different SSL settings)

client:

hosts:

  • elastic-master-01.x
  • elastic-master-02.x

port: 9200

url_prefix:

use_ssl: True

certificate: ‘/etc/elasticsearch/elastic-master-01.x/ca-bundle.pem’

client_cert: ‘/etc/elasticsearch/elastic-master-01.x/elastic-admin.pem’

client_key: ‘/etc/elasticsearch/elastic-master-01.x/elastic-admin.key.pem’

ssl_no_validate: False (you can use true if you have ssl problems)

http_auth: admin:x

timeout: 30

master_only: False

On Tuesday, 10 October 2017 08:32:54 UTC+1, christophe...@gmail.com wrote:

I’ve created the role sg_snapshot_restore and mapped it to the admin user, but found no way to configure curator to use this account.

On Monday, October 9, 2017 at 4:08:40 PM UTC+2, anthony...@actual-experience.com wrote:

Are you using the snapshot user?

On Friday, 6 October 2017 13:53:30 UTC+1, christophe...@gmail.com wrote:

The command

curl --insecure -E ./chain.pem --key ./kirk.pem -XPUT ‘https://localhost:9200/_snapshot/elk5-2-1-dev-backup/snapshot_1?wait_for_completion=true

``

works fine, but working curator would be appreciated for excluding searchguard-index.

Restoring with explicitly listing all other indices would be pain.

maybe this helps:
https://github.com/floragunncom/search-guard/issues/401#issuecomment-337063060

···

Am 06.10.2017 um 12:09 schrieb christopher.vonanhalt@gmail.com:

Curator can't connect to Elasticsearch anymore since Searchgeard was installed.

Elasticsearch Version: 5.2.1

curator --version
curator, version 4.2.6

curator-config:
client:
  hosts:
    - 127.0.0.1
  port: 9200
  use_ssl: True
  certificate: root-ca.pem
# client_cert: chain.pem
# client_key: kirk.pem
  ssl_no_validate: False

Error when executing curator:

Traceback (most recent call last):
  File "/usr/local/bin/curator", line 11, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/curator/cli.py", line 166, in cli
    client = get_client(**client_args)
  File "/usr/local/lib/python2.7/dist-packages/curator/utils.py", line 603, in get_client
    'Error: {0}'.format(e)
elasticsearch.exceptions.ElasticsearchException: Unable to create client connection to Elasticsearch. Error: ConnectionError(error return without exception set) caused by: SystemError(error return without exception set)

Is there a solution to fix this?

Other threads here and elastic forum provided no successful solution.

Thanks in advance,
Chris

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/7c860a2f-42fe-48d4-a5e4-efcfa28cc52d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.