Hi,
I have a question regarding HTTP/REST layer SSL with ES.
Background:
We are using the latest stable release of Search Guard for securing Elasticsearch. Once ES is secured, we use elasticsearch-spark to load data into Elasticsearch from HDFS. When we have not enabled HTTPS for the REST layer, the data gets indexed just fine. But when we try to index/load data with HTTPS enabled for the REST layer, it gives the error below. This occurs because it lacks a shared certificate root; if all boxes had self-signed certificates with a common root it would work, I think. But it's not practical for us to do that in the dev/staging environment.
org.elasticsearch.hadoop.rest.EsHadoopTransportException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.elasticsearch.hadoop.rest.NetworkClient.execute(NetworkClient.java:116)
    at org.elasticsearch.hadoop.rest.RestClient.execute(RestClient.java:438)
    at org.elasticsearch.hadoop.rest.RestClient.execute(RestClient.java:418)
    at org.elasticsearch.hadoop.rest.RestClient.execute(RestClient.java:422)
    at org.elasticsearch.hadoop.rest.RestClient.get(RestClient.java:122)
    at org.elasticsearch.hadoop.rest.RestClient.esVersion(RestClient.java:568)
    at org.elasticsearch.hadoop.rest.InitializationUtils.discoverEsVersion(InitializationUtils.java:178)
    … 38 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.jav
Question
Is there any way we can turn this off (similar to what we do with the curl -k command)?
This is our elasticsearch.yml file:
searchguard.authcz.admin_dn:
- CN=zzz, OU=zz, O=zz, L=zz, C=zz
searchguard.ssl.http.enable_openssl_if_available: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.enabled_protocols:
- TLSv1
- SSLv3
searchguard.ssl.http.enforce_hostname_verification: false
searchguard.ssl.http.keystore_alias: alias
searchguard.ssl.http.keystore_filepath: keystore
searchguard.ssl.http.keystore_password: password
searchguard.ssl.http.resolve_hostname: false
#searchguard.ssl.http.truststore_alias: alias
#searchguard.ssl.http.truststore_filepath: truststore
#searchguard.ssl.http.truststore_password: password
searchguard.ssl.http.clientauth_mode: NONE
searchguard.ssl.transport.enable_openssl_if_available: true
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.keystore_alias: alias
searchguard.ssl.transport.keystore_filepath: keystore
searchguard.ssl.transport.keystore_password: password
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.truststore_alias: alias
searchguard.ssl.transport.truststore_filepath: keystore
searchguard.ssl.transport.truststore_password: password
security.manager.enabled: true
searchguard.ssl.transport.keystore_type: JKS
searchguard.ssl.transport.truststore_type: JKS
searchguard.ssl.http.keystore_type: JKS
searchguard.ssl.http.truststore_type: JKS
We use this OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
And Java 8 right now is not an option for us, as we have other programs that depend on Java 7.
Thanks for your help
Jainin Shah
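The "no shared root" situation described in the post, as an added example (not from the original post or from Search Guard / es-hadoop): an internal root issues the node certificate, a client with only the default store rejects it exactly as the JVM does, and a client that trusts that one root accepts it with verification still on. Names (dev-root, es-node-1), the truststore path and the "changeit" password are constructed placeholders; the keytool and es-hadoop settings in the trailing comment are assumed names to check against the es-hadoop docs for your version.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the "PKIX path building
# failed" situation with OpenSSL: a node certificate issued by an internal root
# that the client's default trust store does not know. Names (dev-root,
# es-node-1) are constructed; "changeit" is a placeholder password.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The shared internal root for dev/staging (one per environment, not one per box).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dev-root" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. A node certificate issued by that root (what the ES REST layer would present).
openssl req -newkey rsa:2048 -nodes -subj "/CN=es-node-1" \
  -keyout "$WORK/node.key" -out "$WORK/node.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/node.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/node.crt" 2>/dev/null

# Client without the root: the same failure the JVM reports as
# "unable to find valid certification path to requested target".
verify_with_default_store() {
  openssl verify "$WORK/node.crt" >/dev/null 2>&1
}

# Client that trusts the root: the chain builds and verification stays enabled.
verify_with_dev_root() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/node.crt" >/dev/null 2>&1
}

if verify_with_default_store; then echo "default store: accepted"; else echo "default store: rejected"; fi
if verify_with_dev_root; then echo "with dev-root: accepted"; else echo "with dev-root: rejected"; fi

# The JVM equivalent of -CAfile is a truststore holding ca.crt that the es-hadoop
# job points at, instead of switching verification off. Assumed command and
# property names (shown as comments only; check the es-hadoop docs for your version):
#   keytool -importcert -noprompt -alias dev-root -file ca.crt \
#           -keystore truststore.jks -storepass changeit
#   es.net.ssl=true
#   es.net.ssl.truststore.location=file:///path/to/truststore.jks
#   es.net.ssl.truststore.pass=changeit
```

Only the environment's root goes into the truststore, so every node certificate issued from it is accepted without each box needing its own exception.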