SSL Connection to Elasticsearch with xpack SSL enabled got error
Request Type
Feature Request
Work Environment
OS version (server): Ubuntu 20.04.5 LTS 64bit
OS version (client): Windows 10
Cortex version / git hash: 3.1.7-1
Package Type: Binary (via apt install from cortex repository)
Browser type & version: Mozilla Firefox 110.0
Problem Description
I expected Cortex to communicate with Elasticsearch and create the index the first time. However, I got the following warning:
2023-03-04 02:53:50,468 [WARN] from org.elastic4play.database.SearchWithScroll in application-akka.actor.default-dispatcher-6 - Search error
com.sksamuel.elastic4s.http.JavaClientExceptionWrapper: javax.net.ssl.SSLPeerUnverifiedException: Host name 'x.x.x.x' does not match the certificate subject provided by the peer (CN=elasticsearch)
at com.sksamuel.elastic4s.http.JavaClient$$anon$1.onFailure(JavaClient.scala:70)
at org.elasticsearch.client.RestClient$FailureTrackingResponseListener.onDefinitiveFailure(RestClient.java:668)
at org.elasticsearch.client.RestClient$1.failed(RestClient.java:417)
at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:137)
at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.executionFailed(DefaultClientExchangeHandlerImpl.java:101)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.failed(AbstractClientExchangeHandler.java:426)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.exception(HttpAsyncRequestExecutor.java:163)
at org.apache.http.impl.nio.client.InternalIODispatch.onException(InternalIODispatch.java:76)
at org.apache.http.impl.nio.client.InternalIODispatch.onException(InternalIODispatch.java:39)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:156)
at org.apache.http.impl.nio.reactor.BaseIOReactor.writable(BaseIOReactor.java:187)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:341)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'x.x.x.x' does not match the certificate subject provided by the peer (CN=elasticsearch)
at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:360)
at org.apache.http.nio.reactor.ssl.SSLIOSession.outboundTransport(SSLIOSession.java:564)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.outputReady(AbstractIODispatch.java:154)
... 7 common frames omitted
2023-03-04 02:53:50,557 [INFO] from play.api.Play in main - Application started (Prod) (no global state)
2023-03-04 02:53:51,529 [INFO] from play.core.server.AkkaHttpServer in main - Enabling HTTP/2 on Akka HTTP server...
2023-03-04 02:53:51,531 [INFO] from play.core.server.AkkaHttpServer in main - Listening for HTTP on /0:0:0:0:0:0:0:0:9001
and the indexes are not created in Elasticsearch.
Steps to Reproduce
1. Install Cortex using apt from the Cortex repository.
2. Configure Cortex with the following configuration:
   - Import the crt file from Elasticsearch and convert it to JKS format: keytool -import -alias ca -file elasticsearch.crt -keystore elasticsearch.jks
   - Put elasticsearch.jks in /etc/cortex/certs/elasticsearch.jks (I created the directory certs inside the cortex directory).
   - Configure Cortex (/etc/cortex/application) with the following lines:

     ....(snip)
     search {
       index = cortex
       uri = "https://x.x.x.x:9200"
       user = ""
       password = ""
       ssl.enabled = "true"
       keyStore {
         path = "/etc/cortex/certs/elasticsearch.jks"
         type = "JKS" # or PKCS12
         password = "xxx"
       }
       trustStore {
         path = "/etc/cortex/certs/elasticsearch.jks"
         type = "JKS" # or PKCS12
         password = "xxx"
       }
     }
     ....(snip)
3. Start Cortex: systemctl start cortex
4. Check the log: tail -f /var/log/cortex/application.log and get the warning above.
Possible Solutions
Can you please add a feature to disable hostname verification and allow self-signed certificates, like what is already done with TheHive (I run TheHive with ES SSL and it is running well)?
Complementary information
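
Why the handshake in the log fails, as an added example that is not part of the original issue or of Cortex's code: a simplified Python model of TLS hostname verification over a certificate in the dictionary layout returned by `ssl.SSLSocket.getpeercert()`. The address 192.0.2.10 stands in for the masked `x.x.x.x`; the assumption that the certificate carries no subjectAltName, the reissued certificate and the `check_host` helper are constructed for illustration.

```python
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def _common_name(cert):
    # subject is a tuple of RDNs, each a tuple of (key, value) pairs
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names[-1] if names else None

def check_host(cert, host):
    """Return (ok, reason) for connecting to `host` given the peer certificate."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    sans = cert.get("subjectAltName", ())
    if sans:
        # When SANs exist the CN is ignored; an IP host needs an iPAddress entry.
        if ip is not None:
            ok = any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
        else:
            ok = any(k == "DNS" and _dns_match(v, host) for k, v in sans)
        return ok, ("matched a SAN entry" if ok else "no SAN entry covers the host")
    # Legacy fallback: with no SAN at all, compare the host name to the CN.
    # Simplification in this model: an IP literal is never matched against the CN.
    cn = _common_name(cert)
    ok = cn is not None and ip is None and _dns_match(cn, host)
    return ok, ("matched CN (legacy fallback)" if ok else f"host does not match CN={cn}")

# Constructed sample: the subject from the log (CN=elasticsearch), assumed to have no SAN.
PAGE_CERT = {"subject": ((("commonName", "elasticsearch"),),)}
# Constructed sample: the same certificate reissued with SAN entries for name and address.
REISSUED_CERT = {
    "subject": ((("commonName", "elasticsearch"),),),
    "subjectAltName": (("DNS", "elasticsearch"), ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for label, cert in (("page cert", PAGE_CERT), ("reissued cert", REISSUED_CERT)):
        for host in ("192.0.2.10", "elasticsearch"):
            print(label, host, check_host(cert, host))
```

Verification passes without being disabled when `uri` uses a name the certificate covers, or when the Elasticsearch certificate is reissued with a SAN entry for the address Cortex connects to.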