Hi,
I’m having an issue with Curator and cert auth as described here: Curator | Security for Elasticsearch | Search Guard
Please note that those certs work perfectly fine using curl; this is really specific to Curator.
Elasticsearch version: 7.8.1
Server OS version: CentOS 7.8
Describe the issue: Curator does not seem to work with SG and cert auth
Provide configuration:
elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml
_sg_meta:
  type: "config"
  config_version: 2
sg_config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      basic:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      clientcert_auth_domain:
        http_enabled: true
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn
          challenge: false
        authentication_backend:
          type: noop
curator.yml
client:
  hosts:
    - 127.0.0.1
  port: 9200
  use_ssl: true
  certificate: /etc/elasticsearch/certs/root-ca.pem
  client_cert: /etc/elasticsearch/certs/admin.pem
  client_key: /etc/elasticsearch/certs/admin.key
  ssl_no_validate: true
  timeout: 30
  master_only: false
logging:
  loglevel: INFO
  logformat: default
Provide logs:
CLI:
/usr/local/lib/python3.6/site-packages/elasticsearch/connection/http_urllib3.py:190: UserWarning: Connecting to jarvis.lcsb.uni.lu using SSL with verify_certs=False is insecure.
  % host
/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/curator/utils.py", line 904, in get_client
    check_version(client)
  File "/usr/local/lib/python3.6/site-packages/curator/utils.py", line 690, in check_version
    version_number = get_version(client)
  File "/usr/local/lib/python3.6/site-packages/curator/utils.py", line 663, in get_version
    version = client.info()['version']['number']
  File "/usr/local/lib/python3.6/site-packages/elasticsearch/client/utils.py", line 84, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/elasticsearch/client/__init__.py", line 259, in info
    return self.transport.perform_request("GET", "/", params=params)
  File "/usr/local/lib/python3.6/site-packages/elasticsearch/transport.py", line 353, in perform_request
    timeout=timeout,
  File "/usr/local/lib/python3.6/site-packages/elasticsearch/connection/http_urllib3.py", line 251, in perform_request
    self._raise_error(response.status, raw_data)
  File "/usr/local/lib/python3.6/site-packages/elasticsearch/connection/base.py", line 178, in _raise_error
    status_code, error_message, additional_info
elasticsearch.exceptions.AuthenticationException: AuthenticationException(401, 'Unauthorized')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/curator", line 11, in <module>
    load_entry_point('elasticsearch-curator==5.7.6', 'console_scripts', 'curator')()
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/curator/cli.py", line 218, in cli
    run(config, action_file, dry_run)
  File "/usr/local/lib/python3.6/site-packages/curator/cli.py", line 165, in run
    client = get_client(**client_args)
  File "/usr/local/lib/python3.6/site-packages/curator/utils.py", line 911, in get_client
    'Error: {0}'.format(e)
elasticsearch.exceptions.ElasticsearchException: Unable to create client connection to Elasticsearch. Error: AuthenticationException(401, 'Unauthorized')