Curator with Search Guard and SSL guide


I have successfully set up ELK stack with search guard, however when I try to use curator to manage indices I am unable to get it to connect.

I’m using Elasticsearch version 6.2.1 and SG version 6

My curator config is as follows:


Remember, leave a key empty if there is no value. None will be a string,

not a Python “NoneType”

port: 9200
use_ssl: True
certificate: ‘C:\elastic\elasticsearch-6.2.1\config\cert\Star Financial Systems UAT ELK Certificate Authority.pem’
client_cert: ‘C:\elastic\elasticsearch-6.2.1\config\cert\’
client_key: ‘C:\elastic\elasticsearch-6.2.1\config\cert\’
ssl_no_validate: True
timeout: 30
master_only: False

loglevel: INFO
logfile: “F:/ElkStackLogs/curator.log”
logformat: default


However when running curator, I encounter the following error:

urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x00000080C3863C88>: Failed to establish a new connection: [WinError 10061] No connection could be made because the target machine actively refused it


If I change the URL to the internal IP of the Elasticsearch instance,, I receive this error instead:

urllib3.exceptions.SSLError: [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:833)


Would somebody be able to point me in the direction of what I’m doing wrong? I’ve heard that maybe I have to configure roles for curator but I’m unsure what permissions they should have. Alternatively, if someone knows of a guide to setting up curator to work with SearchGuard it would be greatly appreciated.

Many Thanks,

Your config should work, but is probably unsecure:

  1. you’d rather hit the FQDN of the elasticsearch node that matches the server’s certivicate’s CN and set ssl_no_validate to False
  2. you should not use the admin certificate for curator: if there’s a bug, or the config is wrong, then curator could delete everything
  3. you should therefore generate a specific certificate for curator, and add a role with sufficient permissions to do achieve what your actions.yaml contains

Now as for the reason your curator fails to connect:
Can you successfully connect to elasticsearch using curl --key/–cert?