elastic / elasticsearch-ruby

Ruby integrations for Elasticsearch
https://www.elastic.co/guide/en/elasticsearch/client/ruby-api/current/index.html
Apache License 2.0

Seeing a fatal alert: unknown_ca error when attempt to connect via https #350

Closed andrewnisbet74 closed 7 years ago

andrewnisbet74 commented 8 years ago

Hi, I am trying to get a Ruby client working with an Elasticsearch cluster that has Shield enabled. Communication with the cluster worked just fine before Shield was set up, but I am having difficulties getting things working now.

The ES client object is instantiated like this:

    es_config = Portal::Configuration.instance.elasticsearch.dup
    Elasticsearch::Model.client = Elasticsearch::Client.new(es_config)

es_config is built from a yml file that looks like this:

    host: es01.dev.g2:9200
    port: 443
    user: es_user
    password: espass
    scheme: https
    transport_options:
      ssl:
        ca_file: "lib/es.pem"

When I try to send a query request I see the following in the ES log:

    javax.net.ssl.SSLException: Received fatal alert: unknown_ca
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1646)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1614)
    at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1780)
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1075)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:901)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:775)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
    at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.handler.ipfilter.IpFilteringHandlerImpl.handleUpstream(IpFilteringHandlerImpl.java:154)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
    at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
    at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
    at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
    at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

On the Rails side the client sits and spins until the OOM killer nukes it. I have discussed this with Elastic support, and they suggested I create a GitHub issue. I am not really sure how to proceed here, so any guidance that can be provided is much appreciated.

Particulars on our setup:

- Elasticsearch server: 2.1.2
- PEM file: it was built from a JKS cert we used as part of the Shield configuration. It was converted to a p12 file, then to a PEM file, using openssl.
- Ruby: 2.0.0p353 (upgrading will be a challenge at this point)
- Gems: Rails 4.2.4, Elasticsearch client 1.0.15, elasticsearch-api 1.0.15, elasticsearch-model 0.1.8, elasticsearch-rails 0.1.8, elasticsearch-transport 1.0.15
- OS: Ubuntu 14.0.4

karmi commented 8 years ago

Hi, problems with certificates are notoriously hard to debug, unfortunately. My first line of debugging this issue would be to isolate the problem from your Rails app and any custom code, and use just the raw client with an explicit configuration via a Hash.

Your YAML configuration looks correct, that is how to provide a path to the certificate to the Ruby client, but it would be better to run all that in isolation, and also without the translation from YAML (for example, the client expects keys as Symbols, and I'm not sure how the translation handles them).
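
The two things the reply above suggests checking in isolation are the shape of the options Hash (Symbol keys, nested `transport_options[:ssl][:ca_file]`) and whether the file in `ca_file` actually trusts the certificate the server presents. The script below is an added example written for this page, not code from the elasticsearch-ruby project or from either commenter. It does not instantiate `Elasticsearch::Client` (so it runs without the gem); it builds the same Hash the client would receive from a constructed copy of the issue's YAML, and it verifies a server certificate against a CA PEM with Ruby's standard `openssl` library, using a throwaway CA and server certificate generated inline. `deep_symbolize`, `client_options_from_yaml`, `ca_verifies?`, `make_cert` and `build_test_chain` are names chosen here, not client APIs. A `fatal alert: unknown_ca` that the server *receives* is the client telling it that the server's chain does not lead to a trusted CA, which is why the offline verification is the first check worth running.

```ruby
require 'yaml'
require 'openssl'

# Constructed copy of the YAML from the issue. YAML.safe_load returns String
# keys, which is why the Hash is symbolized before use.
SAMPLE_YAML = <<~YAML
  host: es01.dev.g2
  port: 443
  user: es_user
  password: espass
  scheme: https
  transport_options:
    ssl:
      ca_file: "lib/es.pem"
YAML

# Recursively convert String keys to Symbols so nested options such as
# transport_options[:ssl][:ca_file] are found by the client.
def deep_symbolize(obj)
  case obj
  when Hash  then obj.each_with_object({}) { |(k, v), h| h[k.to_sym] = deep_symbolize(v) }
  when Array then obj.map { |v| deep_symbolize(v) }
  else obj
  end
end

# The explicit Hash that would be passed as Elasticsearch::Client.new(opts).
# Returned rather than used, so the shape can be inspected without the gem.
def client_options_from_yaml(yaml_text)
  deep_symbolize(YAML.safe_load(yaml_text))
end

# Offline check: does the CA in ca_file sign the certificate the server sends?
# Returns true only if the server cert chains to the given CA.
def ca_verifies?(ca_pem, server_cert_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  store.verify(OpenSSL::X509::Certificate.new(server_cert_pem))
end

# Build a self-signed CA or a CA-signed leaf certificate (test material only).
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed chain: a root CA, a server cert it signed, and an unrelated CA
# standing in for a wrong or stale es.pem.
def build_test_chain
  ca_key  = OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('/CN=Test Root CA', ca_key, ca: true)
  srv_key = OpenSSL::PKey::RSA.new(2048)
  srv_cert = make_cert('/CN=es01.dev.g2', srv_key, issuer_cert: ca_cert, issuer_key: ca_key)
  other_ca = make_cert('/CN=Unrelated CA', OpenSSL::PKey::RSA.new(2048), ca: true)
  [ca_cert, srv_cert, other_ca]
end

if __FILE__ == $PROGRAM_NAME
  opts = client_options_from_yaml(SAMPLE_YAML)
  puts "ca_file option: #{opts[:transport_options][:ssl][:ca_file].inspect}"
  ca, srv, other = build_test_chain
  puts "right CA verifies server cert: #{ca_verifies?(ca.to_pem, srv.to_pem)}"
  puts "wrong CA verifies server cert: #{ca_verifies?(other.to_pem, srv.to_pem)}"
end
```

To apply this to a real deployment, replace the constructed chain with the contents of `lib/es.pem` and the certificate the node presents (for example, saved from `openssl s_client`); if `ca_verifies?` returns false, the PEM converted from the JKS store does not contain the issuing CA and the client will keep sending `unknown_ca` no matter how the Hash is built.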

andrewnisbet74 commented 8 years ago

Thanks for getting back to me. We are going to create a simple reference implementation using the raw client; once that is working we will reintroduce the elasticsearch-model gem, and then the data from the config file. Hopefully this will allow us to better isolate the issue.

karmi commented 7 years ago

Hi @andrewnisbet74, I'm just curious if the problem has been resolved or persists?

andrewnisbet74 commented 7 years ago

Hi @karmi, this issue has been resolved. We are using some newer versions of the gems, and it is working properly now. Sorry for not closing this sooner; I will close it now.