search

FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io
90 stars 12 forks source link

Can't connect to elasticsearch #2598

Closed acidkill closed 9 months ago

acidkill commented 9 months ago

Can't connect to elastic search on the same cluster

Description

We were using database as a search engine in Fusion Auth. We need to switch to ElasticSearch. I did a recommended install from: curl -O https://raw.githubusercontent.com/elastic/Helm-charts/master/elasticsearch/examples/minikube/values.yaml using helm.

Affects versions

FusionAuth: 1.48.3 ElasticSearch: 8.5.1

Steps to reproduce

Steps to reproduce the behavior:

  1. curl -O https://raw.githubusercontent.com/elastic/Helm-charts/master/elasticsearch/examples/minikube/values.yaml
  2. helm install es-test elastic/elasticsearch -f values.yaml -n project-dev
  3. get user and password from secrets
  4. update fusion.yaml with 
    search:
engine: elasticsearch
host: elasticsearch-master.project-dev.svc.cluster.local
password: SuperSecurePassword
port: 9200
protocol: https
user: elastic
  5. Upgrade fusionauth with new values.
  6. Check logs: 
    2024-01-02 08:20:58.304 PM ERROR com.inversoft.maintenance.search.ElasticsearchMaintenanceModeSearchService - Failed to connect to Elasticsearch.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.elasticsearch.client.RestClient.extractAndWrapCause(RestClient.java:925)
at org.elasticsearch.client.RestClient.performRequest(RestClient.java:300)
at org.elasticsearch.client.RestClient.performRequest(RestClient.java:288)
at com.inversoft.maintenance.search.ElasticsearchMaintenanceModeSearchService.testConnection(ElasticsearchMaintenanceModeSearchService.java:201)
at com.inversoft.maintenance.search.ElasticsearchMaintenanceModeSearchService.determineSearchStatus(ElasticsearchMaintenanceModeSearchService.java:65)
at com.inversoft.maintenance.MaintenanceModeThreadSafeHelper.areWeDoneYet(MaintenanceModeThreadSafeHelper.java:46)
at com.inversoft.maintenance.MaintenanceModePoller.lambda$new$2(MaintenanceModePoller.java:44)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)

Expected behavior

FusionAuth running with ElasticSearch search engine set.

Screenshots

If applicable, add screenshots to help explain your problem.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Additional context

Did a test of elasticsearch:

helm --namespace=project-dev test es-test                                                                             
NAME: es-test 
LAST DEPLOYED: Tue Jan  2 21:15:41 2024
NAMESPACE: project-dev
STATUS: deployed
REVISION: 1
TEST SUITE:     es-test-pevaj-test
Last Started:   Tue Jan  2 21:30:36 2024
Last Completed: Tue Jan  2 21:30:40 2024
Phase:          Succeeded
NOTES:
1. Watch all cluster members come up.
$ kubectl get pods --namespace=project-dev -l app=elasticsearch-master -w
2. Retrieve elastic user's password.
$ kubectl get secrets --namespace=project-dev elasticsearch-master-credentials -ojsonpath='{.data.password}' | base64 -d
3. Test cluster health using Helm test.
$ helm --namespace=project-dev test es-test
acidkill commented 9 months ago

after applying new config FusionAuth starts in Maintanance Mode Failed

robotdan commented 9 months ago

This occurs if the JDK does not trust or cannot verify the root authority that signed your certificate.

If you are using a local instance of Elasticsearch you'll either need to disable TLS by using an http scheme instead of https or ensure the JDK can trust your certificate.

This may help you. https://fusionauth.io/docs/operate/secure-and-monitor/securing#custom-certificate-authority

acidkill commented 9 months ago

@robotdan I'm getting also an error while configuring with http:

2024-01-02 09:18:22.246 PM INFO  com.inversoft.search.ElasticRestClientHelper - Connecting to Elasticsearch at [http://elasticsearch-master.project-dev.svc.cluster.local:9200]
2024-01-02 09:18:22.482 PM ERROR com.inversoft.maintenance.search.ElasticsearchMaintenanceModeSearchService - Failed to connect to Elasticsearch.
org.apache.http.ConnectionClosedException: Connection is closed
    at org.elasticsearch.client.RestClient.extractAndWrapCause(RestClient.java:920)
    at org.elasticsearch.client.RestClient.performRequest(RestClient.java:300)
    at org.elasticsearch.client.RestClient.performRequest(RestClient.java:288)
    at com.inversoft.maintenance.search.ElasticsearchMaintenanceModeSearchService.testConnection(ElasticsearchMaintenanceModeSearchService.java:201)
    at com.inversoft.maintenance.search.ElasticsearchMaintenanceModeSearchService.determineSearchStatus(ElasticsearchMaintenanceModeSearchService.java:65)
    at com.inversoft.maintenance.search.ElasticsearchSilentModeWorkflowTask.lambda$perform$0(ElasticsearchSilentModeWorkflowTask.java:32)
    at com.inversoft.maintenance.search.ElasticsearchSilentModeWorkflowTask.waitForIt(ElasticsearchSilentModeWorkflowTask.java:62)
    at com.inversoft.maintenance.search.ElasticsearchSilentModeWorkflowTask.perform(ElasticsearchSilentModeWorkflowTask.java:32)
    at com.inversoft.maintenance.DefaultMaintenanceModeWorkflow.performSilentConfiguration(DefaultMaintenanceModeWorkflow.java:47)
    at com.inversoft.maintenance.BaseMaintenanceModePrimeMain.modules(BaseMaintenanceModePrimeMain.java:70)
    at org.primeframework.mvc.BasePrimeMain.hup(BasePrimeMain.java:69)
    at org.primeframework.mvc.BasePrimeMain.start(BasePrimeMain.java:100)
    at io.fusionauth.app.FusionAuthMain.main(FusionAuthMain.java:27)