python client cannot connect to Elasticsearch

Search Guard
1

test.py is like below, when I run it, it is always ConnectionError. curl is ok. (all keys are generated with example.sh, ELK and searchguard is 5.1 version)

from elasticsearch import Elasticsearch, RequestsHttpConnection
import ssl

SSL client authentication using client_cert and client_key

es = Elasticsearch(
[‘10.8.8.246:9200’],
http_auth=(‘admin’, ‘admin’),
port=9200,
use_ssl=True,
ssl_version=ssl.PROTOCOL_TLSv1_2,
ca_certs=‘./ca/chain-ca.pem’,
client_cert=‘./kirk.crtfull.pem.pem’,
client_key=‘./kirk.key.pem’
)

print(es.info())

[root@ip-10-8-8-246 example-pki-scripts]# python test.py
Traceback (most recent call last):
File “test.py”, line 21, in
print(es.info())
File “/usr/local/lib/python2.7/site-packages/elasticsearch/client/utils.py”, line 73, in _wrapped
return func(*args, params=params, **kwargs)
File “/usr/local/lib/python2.7/site-packages/elasticsearch/client/init.py”, line 222, in info
return self.transport.perform_request(‘GET’, ‘/’, params=params)
File “/usr/local/lib/python2.7/site-packages/elasticsearch/transport.py”, line 318, in perform_request
status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
File “/usr/local/lib/python2.7/site-packages/elasticsearch/connection/http_urllib3.py”, line 123, in perform_request
raise ConnectionError(‘N/A’, str(e), e)
elasticsearch.exceptions.ConnectionError: ConnectionError((‘Connection failed.’, CannotSendRequest())) caused by: ConnectionError((‘Connection failed.’, CannotSendRequest()))

[root@ip-10-8-8-246 example-pki-scripts]# curl --insecure -E ./kirk-signed.pem --key ./kirk.key.pem https://10.8.8.246:9200/_cat/indices?v
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open mycompany-apache-2017.01.15 egQUvOtnT_O8jiEuz06Luw 5 1 4 0 80.4kb 40.2kb

2

this is know to work: https://gist.github.com/floragunncom/9319a994ae09df64b2a173128f745ed2

Python (especially python 2) is a piece of .... regarding SSL/TLS support.
So we recommend python 3 and these packages:

pip3 requests
pip3 install cryptography
pip3 install pyopenssl ndg-httpsclient pyasn1

Then do a "urllib3.contrib.pyopenssl.inject_into_urllib3()" and it works like magic

see http://urllib3.readthedocs.io/en/latest/reference/urllib3.contrib.html
elastalert and search guard · Issue #605 · Yelp/elastalert · GitHub

···

Am 21.02.2017 um 23:27 schrieb Robert Chen <robertchen117@gmail.com>:

test.py is like below, when I run it, it is always ConnectionError. curl is ok. (all keys are generated with example.sh, ELK and searchguard is 5.1 version)

from elasticsearch import Elasticsearch, RequestsHttpConnection
import ssl

# SSL client authentication using client_cert and client_key
es = Elasticsearch(
    ['10.8.8.246:9200'],
    http_auth=('admin', 'admin'),
    port=9200,
    use_ssl=True,
    ssl_version=ssl.PROTOCOL_TLSv1_2,
    ca_certs='./ca/chain-ca.pem',
    client_cert='./kirk.crtfull.pem.pem',
    client_key='./kirk.key.pem'
)

print(es.info())

[root@ip-10-8-8-246 example-pki-scripts]# python test.py
Traceback (most recent call last):
  File "test.py", line 21, in <module>
    print(es.info())
  File "/usr/local/lib/python2.7/site-packages/elasticsearch/client/utils.py", line 73, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/elasticsearch/client/__init__.py", line 222, in info
    return self.transport.perform_request('GET', '/', params=params)
  File "/usr/local/lib/python2.7/site-packages/elasticsearch/transport.py", line 318, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/site-packages/elasticsearch/connection/http_urllib3.py", line 123, in perform_request
    raise ConnectionError('N/A', str(e), e)
elasticsearch.exceptions.ConnectionError: ConnectionError(('Connection failed.', CannotSendRequest())) caused by: ConnectionError(('Connection failed.', CannotSendRequest()))

[root@ip-10-8-8-246 example-pki-scripts]# curl --insecure -E ./kirk-signed.pem --key ./kirk.key.pem https://10.8.8.246:9200/_cat/indices?v
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open mycompany-apache-2017.01.15 egQUvOtnT_O8jiEuz06Luw 5 1 4 0 80.4kb 40.2kb

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/98601f16-827c-4377-96e5-f599c696fd86%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

3

Is there a workaround for users who are required to use python2?

···

On Wednesday, February 22, 2017 at 7:36:05 AM UTC-8, Search Guard wrote:

this is know to work: https://gist.github.com/floragunncom/9319a994ae09df64b2a173128f745ed2

Python (especially python 2) is a piece of … regarding SSL/TLS support.

So we recommend python 3 and these packages:

pip3 requests

pip3 install cryptography

pip3 install pyopenssl ndg-httpsclient pyasn1

Then do a “urllib3.contrib.pyopenssl.inject_into_urllib3()” and it works like magic

see http://urllib3.readthedocs.io/en/latest/reference/urllib3.contrib.html

https://github.com/Yelp/elastalert/issues/605

Am 21.02.2017 um 23:27 schrieb Robert Chen robert...@gmail.com:

test.py is like below, when I run it, it is always ConnectionError. curl is ok. (all keys are generated with example.sh, ELK and searchguard is 5.1 version)

from elasticsearch import Elasticsearch, RequestsHttpConnection

import ssl

SSL client authentication using client_cert and client_key

es = Elasticsearch(

['10.8.8.246:9200'],

http_auth=('admin', 'admin'),

port=9200,

use_ssl=True,

ssl_version=ssl.PROTOCOL_TLSv1_2,

ca_certs='./ca/chain-ca.pem',

client_cert='./kirk.crtfull.pem.pem',

client_key='./kirk.key.pem'

)

print(es.info())

[root@ip-10-8-8-246 example-pki-scripts]# python test.py

Traceback (most recent call last):

File “test.py”, line 21, in 

print([es.info](http://es.info)())

File “/usr/local/lib/python2.7/site-packages/elasticsearch/client/utils.py”, line 73, in _wrapped

return func(*args, params=params, **kwargs)

File “/usr/local/lib/python2.7/site-packages/elasticsearch/client/init.py”, line 222, in info

return self.transport.perform_request('GET', '/', params=params)

File “/usr/local/lib/python2.7/site-packages/elasticsearch/transport.py”, line 318, in perform_request

status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)

File “/usr/local/lib/python2.7/site-packages/elasticsearch/connection/http_urllib3.py”, line 123, in perform_request

raise ConnectionError('N/A', str(e), e)

elasticsearch.exceptions.ConnectionError: ConnectionError((‘Connection failed.’, CannotSendRequest())) caused by: ConnectionError((‘Connection failed.’, CannotSendRequest()))

[root@ip-10-8-8-246 example-pki-scripts]# curl --insecure -E ./kirk-signed.pem --key ./kirk.key.pem https://10.8.8.246:9200/_cat/indices?v

health status index uuid pri rep docs.count docs.deleted store.size pri.store.size

green open mycompany-apache-2017.01.15 egQUvOtnT_O8jiEuz06Luw 5 1 4 0 80.4kb 40.2kb


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/98601f16-827c-4377-96e5-f599c696fd86%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

4

I’m actually having a heck of a time trying to get the elasticsearch python module to work on a search-guarded cluster. I’ve tried both python2 and python3 without luck.

I can’t get either http basic auth, nor peer certs to work. I can get both methods to work with curl and logstash, but not with the python module. I’ve tried the above suggested methods, but nothing seems to work. Is there a working example I can use?

searchguard:
dynamic:
authc:
basic_internal_auth_domain:
enabled: true
order: 2
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
clientcert_auth_domain:
enabled: true
order: 1
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop

``

···

On Monday, May 8, 2017 at 4:58:41 PM UTC-7, pixelrebel wrote:

Is there a workaround for users who are required to use python2?

On Wednesday, February 22, 2017 at 7:36:05 AM UTC-8, Search Guard wrote:

this is know to work: https://gist.github.com/floragunncom/9319a994ae09df64b2a173128f745ed2

Python (especially python 2) is a piece of … regarding SSL/TLS support.

So we recommend python 3 and these packages:

pip3 requests

pip3 install cryptography

pip3 install pyopenssl ndg-httpsclient pyasn1

Then do a “urllib3.contrib.pyopenssl.inject_into_urllib3()” and it works like magic

see http://urllib3.readthedocs.io/en/latest/reference/urllib3.contrib.html

https://github.com/Yelp/elastalert/issues/605

Am 21.02.2017 um 23:27 schrieb Robert Chen robert...@gmail.com:

test.py is like below, when I run it, it is always ConnectionError. curl is ok. (all keys are generated with example.sh, ELK and searchguard is 5.1 version)

from elasticsearch import Elasticsearch, RequestsHttpConnection

import ssl

SSL client authentication using client_cert and client_key

es = Elasticsearch(

['10.8.8.246:9200'],

http_auth=('admin', 'admin'),

port=9200,

use_ssl=True,

ssl_version=ssl.PROTOCOL_TLSv1_2,

ca_certs='./ca/chain-ca.pem',

client_cert='./kirk.crtfull.pem.pem',

client_key='./kirk.key.pem'

)

print(es.info())

[root@ip-10-8-8-246 example-pki-scripts]# python test.py

Traceback (most recent call last):

File “test.py”, line 21, in 

print([es.info](http://es.info)())

File “/usr/local/lib/python2.7/site-packages/elasticsearch/client/utils.py”, line 73, in _wrapped

return func(*args, params=params, **kwargs)

File “/usr/local/lib/python2.7/site-packages/elasticsearch/client/init.py”, line 222, in info

return self.transport.perform_request('GET', '/', params=params)

File “/usr/local/lib/python2.7/site-packages/elasticsearch/transport.py”, line 318, in perform_request

status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)

File “/usr/local/lib/python2.7/site-packages/elasticsearch/connection/http_urllib3.py”, line 123, in perform_request

raise ConnectionError('N/A', str(e), e)

elasticsearch.exceptions.ConnectionError: ConnectionError((‘Connection failed.’, CannotSendRequest())) caused by: ConnectionError((‘Connection failed.’, CannotSendRequest()))

[root@ip-10-8-8-246 example-pki-scripts]# curl --insecure -E ./kirk-signed.pem --key ./kirk.key.pem https://10.8.8.246:9200/_cat/indices?v

health status index uuid pri rep docs.count docs.deleted store.size pri.store.size

green open mycompany-apache-2017.01.15 egQUvOtnT_O8jiEuz06Luw 5 1 4 0 80.4kb 40.2kb


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/98601f16-827c-4377-96e5-f599c696fd86%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

5

bump

···

On Friday, May 12, 2017 at 5:19:30 PM UTC-4, pixelrebel wrote:

I’m actually having a heck of a time trying to get the elasticsearch python module to work on a search-guarded cluster. I’ve tried both python2 and python3 without luck.

I can’t get either http basic auth, nor peer certs to work. I can get both methods to work with curl and logstash, but not with the python module. I’ve tried the above suggested methods, but nothing seems to work. Is there a working example I can use?

searchguard:
dynamic:
authc:
basic_internal_auth_domain:
enabled: true
order: 2
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
clientcert_auth_domain:
enabled: true
order: 1
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop

``

On Monday, May 8, 2017 at 4:58:41 PM UTC-7, pixelrebel wrote:

Is there a workaround for users who are required to use python2?

On Wednesday, February 22, 2017 at 7:36:05 AM UTC-8, Search Guard wrote:

this is know to work: https://gist.github.com/floragunncom/9319a994ae09df64b2a173128f745ed2

Python (especially python 2) is a piece of … regarding SSL/TLS support.

So we recommend python 3 and these packages:

pip3 requests

pip3 install cryptography

pip3 install pyopenssl ndg-httpsclient pyasn1

Then do a “urllib3.contrib.pyopenssl.inject_into_urllib3()” and it works like magic

see http://urllib3.readthedocs.io/en/latest/reference/urllib3.contrib.html

https://github.com/Yelp/elastalert/issues/605

Am 21.02.2017 um 23:27 schrieb Robert Chen robert...@gmail.com:

test.py is like below, when I run it, it is always ConnectionError. curl is ok. (all keys are generated with example.sh, ELK and searchguard is 5.1 version)

from elasticsearch import Elasticsearch, RequestsHttpConnection

import ssl

SSL client authentication using client_cert and client_key

es = Elasticsearch(

['10.8.8.246:9200'],

http_auth=('admin', 'admin'),

port=9200,

use_ssl=True,

ssl_version=ssl.PROTOCOL_TLSv1_2,

ca_certs='./ca/chain-ca.pem',

client_cert='./kirk.crtfull.pem.pem',

client_key='./kirk.key.pem'

)

print(es.info())

[root@ip-10-8-8-246 example-pki-scripts]# python test.py

Traceback (most recent call last):

File “test.py”, line 21, in 

print([es.info](http://es.info)())

File “/usr/local/lib/python2.7/site-packages/elasticsearch/client/utils.py”, line 73, in _wrapped

return func(*args, params=params, **kwargs)

File “/usr/local/lib/python2.7/site-packages/elasticsearch/client/init.py”, line 222, in info

return self.transport.perform_request('GET', '/', params=params)

File “/usr/local/lib/python2.7/site-packages/elasticsearch/transport.py”, line 318, in perform_request

status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)

File “/usr/local/lib/python2.7/site-packages/elasticsearch/connection/http_urllib3.py”, line 123, in perform_request

raise ConnectionError('N/A', str(e), e)

elasticsearch.exceptions.ConnectionError: ConnectionError((‘Connection failed.’, CannotSendRequest())) caused by: ConnectionError((‘Connection failed.’, CannotSendRequest()))

[root@ip-10-8-8-246 example-pki-scripts]# curl --insecure -E ./kirk-signed.pem --key ./kirk.key.pem https://10.8.8.246:9200/_cat/indices?v

health status index uuid pri rep docs.count docs.deleted store.size pri.store.size

green open mycompany-apache-2017.01.15 egQUvOtnT_O8jiEuz06Luw 5 1 4 0 80.4kb 40.2kb


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/98601f16-827c-4377-96e5-f599c696fd86%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

6

maybe this helps:

https://gist.github.com/floragunncom/9319a994ae09df64b2a173128f745ed2
https://github.com/floragunncom/search-guard/issues/196

···

Am 19.05.2017 um 18:41 schrieb astuart@fkinls.com:

bump

On Friday, May 12, 2017 at 5:19:30 PM UTC-4, pixelrebel wrote:
I'm actually having a heck of a time trying to get the elasticsearch python module to work on a search-guarded cluster. I've tried both python2 and python3 without luck.

I can't get either http basic auth, nor peer certs to work. I can get both methods to work with curl and logstash, but not with the python module. I've tried the above suggested methods, but nothing seems to work. Is there a working example I can use?

searchguard:
  dynamic:
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      clientcert_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop

On Monday, May 8, 2017 at 4:58:41 PM UTC-7, pixelrebel wrote:
Is there a workaround for users who are required to use python2?

On Wednesday, February 22, 2017 at 7:36:05 AM UTC-8, Search Guard wrote:
this is know to work: https://gist.github.com/floragunncom/9319a994ae09df64b2a173128f745ed2

Python (especially python 2) is a piece of .... regarding SSL/TLS support.
So we recommend python 3 and these packages:

pip3 requests
pip3 install cryptography
pip3 install pyopenssl ndg-httpsclient pyasn1

Then do a "urllib3.contrib.pyopenssl.inject_into_urllib3()" and it works like magic

see http://urllib3.readthedocs.io/en/latest/reference/urllib3.contrib.html
elastalert and search guard · Issue #605 · Yelp/elastalert · GitHub

> Am 21.02.2017 um 23:27 schrieb Robert Chen <robert...@gmail.com>:
>
> test.py is like below, when I run it, it is always ConnectionError. curl is ok. (all keys are generated with example.sh, ELK and searchguard is 5.1 version)
>
> from elasticsearch import Elasticsearch, RequestsHttpConnection
> import ssl
>
> # SSL client authentication using client_cert and client_key
> es = Elasticsearch(
> ['10.8.8.246:9200'],
> http_auth=('admin', 'admin'),
> port=9200,
> use_ssl=True,
> ssl_version=ssl.PROTOCOL_TLSv1_2,
> ca_certs='./ca/chain-ca.pem',
> client_cert='./kirk.crtfull.pem.pem',
> client_key='./kirk.key.pem'
> )
>
> print(es.info())
>
>
> [root@ip-10-8-8-246 example-pki-scripts]# python test.py
> Traceback (most recent call last):
> File "test.py", line 21, in <module>
> print(es.info())
> File "/usr/local/lib/python2.7/site-packages/elasticsearch/client/utils.py", line 73, in _wrapped
> return func(*args, params=params, **kwargs)
> File "/usr/local/lib/python2.7/site-packages/elasticsearch/client/__init__.py", line 222, in info
> return self.transport.perform_request('GET', '/', params=params)
> File "/usr/local/lib/python2.7/site-packages/elasticsearch/transport.py", line 318, in perform_request
> status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
> File "/usr/local/lib/python2.7/site-packages/elasticsearch/connection/http_urllib3.py", line 123, in perform_request
> raise ConnectionError('N/A', str(e), e)
> elasticsearch.exceptions.ConnectionError: ConnectionError(('Connection failed.', CannotSendRequest())) caused by: ConnectionError(('Connection failed.', CannotSendRequest()))
>
> [root@ip-10-8-8-246 example-pki-scripts]# curl --insecure -E ./kirk-signed.pem --key ./kirk.key.pem https://10.8.8.246:9200/_cat/indices?v
> health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
> green open mycompany-apache-2017.01.15 egQUvOtnT_O8jiEuz06Luw 5 1 4 0 80.4kb 40.2kb
>
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/98601f16-827c-4377-96e5-f599c696fd86%40googlegroups.com\.
> For more options, visit https://groups.google.com/d/optout\.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/32614206-9dbe-4b13-b3b4-a43c14ec7aa9%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

7

Is there an example for python2? Installing SG on my cluster broke my stackstorm pack. Stackstorm unfortunately only runs on python2.

···

On Friday, May 19, 2017 at 12:14:01 PM UTC-7, Search Guard wrote:

maybe this helps:

https://gist.github.com/floragunncom/9319a994ae09df64b2a173128f745ed2

https://github.com/floragunncom/search-guard/issues/196

Am 19.05.2017 um 18:41 schrieb ast...@fkinls.com:

bump

On Friday, May 12, 2017 at 5:19:30 PM UTC-4, pixelrebel wrote:

I’m actually having a heck of a time trying to get the elasticsearch python module to work on a search-guarded cluster. I’ve tried both python2 and python3 without luck.

I can’t get either http basic auth, nor peer certs to work. I can get both methods to work with curl and logstash, but not with the python module. I’ve tried the above suggested methods, but nothing seems to work. Is there a working example I can use?

searchguard:

dynamic:

authc:

  basic_internal_auth_domain:
    enabled: true

    order: 2

    http_authenticator:

      type: basic

      challenge: true

    authentication_backend:

      type: intern

  clientcert_auth_domain:

    enabled: true

    order: 1

    http_authenticator:

      type: clientcert

      config:

        username_attribute: cn #optional, if omitted DN becomes username

      challenge: false

    authentication_backend:

      type: noop

On Monday, May 8, 2017 at 4:58:41 PM UTC-7, pixelrebel wrote:

Is there a workaround for users who are required to use python2?

On Wednesday, February 22, 2017 at 7:36:05 AM UTC-8, Search Guard wrote:

this is know to work: https://gist.github.com/floragunncom/9319a994ae09df64b2a173128f745ed2

Python (especially python 2) is a piece of … regarding SSL/TLS support.
So we recommend python 3 and these packages:

pip3 requests
pip3 install cryptography
pip3 install pyopenssl ndg-httpsclient pyasn1

Then do a “urllib3.contrib.pyopenssl.inject_into_urllib3()” and it works like magic

see http://urllib3.readthedocs.io/en/latest/reference/urllib3.contrib.html

https://github.com/Yelp/elastalert/issues/605

Am 21.02.2017 um 23:27 schrieb Robert Chen robert...@gmail.com:

test.py is like below, when I run it, it is always ConnectionError. curl is ok. (all keys are generated with example.sh, ELK and searchguard is 5.1 version)

from elasticsearch import Elasticsearch, RequestsHttpConnection
import ssl

SSL client authentication using client_cert and client_key

es = Elasticsearch(
[‘10.8.8.246:9200’],
http_auth=(‘admin’, ‘admin’),
port=9200,
use_ssl=True,
ssl_version=ssl.PROTOCOL_TLSv1_2,
ca_certs=‘./ca/chain-ca.pem’,
client_cert=‘./kirk.crtfull.pem.pem’,
client_key=‘./kirk.key.pem’
)

print(es.info())

[root@ip-10-8-8-246 example-pki-scripts]# python test.py
Traceback (most recent call last):
File “test.py”, line 21, in
print(es.info())
File “/usr/local/lib/python2.7/site-packages/elasticsearch/client/utils.py”, line 73, in _wrapped
return func(*args, params=params, **kwargs)
File “/usr/local/lib/python2.7/site-packages/elasticsearch/client/init.py”, line 222, in info
return self.transport.perform_request(‘GET’, ‘/’, params=params)
File “/usr/local/lib/python2.7/site-packages/elasticsearch/transport.py”, line 318, in perform_request
status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
File “/usr/local/lib/python2.7/site-packages/elasticsearch/connection/http_urllib3.py”, line 123, in perform_request
raise ConnectionError(‘N/A’, str(e), e)
elasticsearch.exceptions.ConnectionError: ConnectionError((‘Connection failed.’, CannotSendRequest())) caused by: ConnectionError((‘Connection failed.’, CannotSendRequest()))

[root@ip-10-8-8-246 example-pki-scripts]# curl --insecure -E ./kirk-signed.pem --key ./kirk.key.pem https://10.8.8.246:9200/_cat/indices?v

health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open mycompany-apache-2017.01.15 egQUvOtnT_O8jiEuz06Luw 5 1 4 0 80.4kb 40.2kb


You received this message because you are subscribed to the Google Groups “Search Guard” group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/98601f16-827c-4377-96e5-f599c696fd86%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/32614206-9dbe-4b13-b3b4-a43c14ec7aa9%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

8

Okay I actually have this working in python2! Thanks for those examples.

The crucial argument is connection_class=RequestsHttpConnection That seemed to kick the elasticsearch module in the butt.

Thanks!

···

On Friday, May 19, 2017 at 12:14:01 PM UTC-7, Search Guard wrote:

maybe this helps:

https://gist.github.com/floragunncom/9319a994ae09df64b2a173128f745ed2

https://github.com/floragunncom/search-guard/issues/196

Am 19.05.2017 um 18:41 schrieb ast...@fkinls.com:

bump

On Friday, May 12, 2017 at 5:19:30 PM UTC-4, pixelrebel wrote:

I’m actually having a heck of a time trying to get the elasticsearch python module to work on a search-guarded cluster. I’ve tried both python2 and python3 without luck.

I can’t get either http basic auth, nor peer certs to work. I can get both methods to work with curl and logstash, but not with the python module. I’ve tried the above suggested methods, but nothing seems to work. Is there a working example I can use?

searchguard:

dynamic:

authc:

  basic_internal_auth_domain:
    enabled: true

    order: 2

    http_authenticator:

      type: basic

      challenge: true

    authentication_backend:

      type: intern

  clientcert_auth_domain:

    enabled: true

    order: 1

    http_authenticator:

      type: clientcert

      config:

        username_attribute: cn #optional, if omitted DN becomes username

      challenge: false

    authentication_backend:

      type: noop

On Monday, May 8, 2017 at 4:58:41 PM UTC-7, pixelrebel wrote:

Is there a workaround for users who are required to use python2?

On Wednesday, February 22, 2017 at 7:36:05 AM UTC-8, Search Guard wrote:

this is know to work: https://gist.github.com/floragunncom/9319a994ae09df64b2a173128f745ed2

Python (especially python 2) is a piece of … regarding SSL/TLS support.
So we recommend python 3 and these packages:

pip3 requests
pip3 install cryptography
pip3 install pyopenssl ndg-httpsclient pyasn1

Then do a “urllib3.contrib.pyopenssl.inject_into_urllib3()” and it works like magic

see http://urllib3.readthedocs.io/en/latest/reference/urllib3.contrib.html

https://github.com/Yelp/elastalert/issues/605

Am 21.02.2017 um 23:27 schrieb Robert Chen robert...@gmail.com:

test.py is like below, when I run it, it is always ConnectionError. curl is ok. (all keys are generated with example.sh, ELK and searchguard is 5.1 version)

from elasticsearch import Elasticsearch, RequestsHttpConnection
import ssl

SSL client authentication using client_cert and client_key

es = Elasticsearch(
[‘10.8.8.246:9200’],
http_auth=(‘admin’, ‘admin’),
port=9200,
use_ssl=True,
ssl_version=ssl.PROTOCOL_TLSv1_2,
ca_certs=‘./ca/chain-ca.pem’,
client_cert=‘./kirk.crtfull.pem.pem’,
client_key=‘./kirk.key.pem’
)

print(es.info())

[root@ip-10-8-8-246 example-pki-scripts]# python test.py
Traceback (most recent call last):
File “test.py”, line 21, in
print(es.info())
File “/usr/local/lib/python2.7/site-packages/elasticsearch/client/utils.py”, line 73, in _wrapped
return func(*args, params=params, **kwargs)
File “/usr/local/lib/python2.7/site-packages/elasticsearch/client/init.py”, line 222, in info
return self.transport.perform_request(‘GET’, ‘/’, params=params)
File “/usr/local/lib/python2.7/site-packages/elasticsearch/transport.py”, line 318, in perform_request
status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
File “/usr/local/lib/python2.7/site-packages/elasticsearch/connection/http_urllib3.py”, line 123, in perform_request
raise ConnectionError(‘N/A’, str(e), e)
elasticsearch.exceptions.ConnectionError: ConnectionError((‘Connection failed.’, CannotSendRequest())) caused by: ConnectionError((‘Connection failed.’, CannotSendRequest()))

[root@ip-10-8-8-246 example-pki-scripts]# curl --insecure -E ./kirk-signed.pem --key ./kirk.key.pem https://10.8.8.246:9200/_cat/indices?v

health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open mycompany-apache-2017.01.15 egQUvOtnT_O8jiEuz06Luw 5 1 4 0 80.4kb 40.2kb


You received this message because you are subscribed to the Google Groups “Search Guard” group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/98601f16-827c-4377-96e5-f599c696fd86%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/32614206-9dbe-4b13-b3b4-a43c14ec7aa9%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.