Elasticsearch API via ssl

shota · June 7, 2018, 6:54am

Hello
I am trying setup ssl for elasticsearch using ROR plugin, kibana UI works fine with ‘https’ but can’t figure out with ES API
here is my readonlyrest ssl config:

 http.type: ssl_netty4
 readonlyrest:
   enable: true
   prompt_for_basic_auth: false
 
   ssl:
     enable: true
     keystore_file: "key.jks"
     keystore_pass: ********
     key_pass: xxxxxxxx
     allowed_protocols: [TLSv1.2]
 
   response_if_req_forbidden: Access denied
 
   access_control_rules:
 
   - name: "ADMIN"
 ...
 .......

and when I try GET from ‘https’ I have error:

[linux@localhost ~]$ curl -XGET --user user:*** ‘https://es.host:9300/_cluster/health?pretty=true’
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to es.host:9300
[linux@localhost ~]$ curl -XGET --user user:*** ‘https://es.host:9200/_cluster/health?pretty=true’
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

P.S. I also tried allowed_protocols: [TLSv1.1] but same results

any idea?

sscarduzio · June 7, 2018, 9:30am

Hi @shota,

ReadonlyREST will not secure the port 9300 (transport protocol), but only the 9200 (HTTP).
The http.type: ssl_netty4 needs to be in elasticsearch.yml not in readonlyrest.yml.
Make it work without the allowed protocols first, then try to enable some.

Another hint: in the case you are using a self signed certificate, curl needs the “-k” option.

shota · June 8, 2018, 6:30am

OK I deleted ssl_netty4 and trying connect 9200 port via https but same error:

[linux@localhost ~]$ curl -XGET --user user:***‘https://es.host:9200/_cluster/health?pretty=true’
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

sscarduzio · June 8, 2018, 9:32am

did you move the “http.type: ssl_netty4” to elasticsearch.yml? It is necessary.
Also did you temporarily remove the constraint about the allowed protocols?

shota · June 8, 2018, 10:33am

When I move “http.type: ssl_netty4” to elasticsearch.yml I can’t login in the kibana UI

API https works with curk -k option

but cant login in the kibana(does not login local admin and LDAP users too)

Could not login: Client request error: socket hang up - for GET h ttp://es.host:9200/_nodes/_local headers: {“authorization”:“Basic c2hha2gdtfyuTpBc2hvdDM2Ng==”}

sscarduzio · June 8, 2018, 12:31pm

That’s expected, change elasticsearch host endpoint in the kibana.yml to “https://…” and disable ssl cert verificaiton (if you keep using the unsigned cert).

elasticsearch.url: "https://<YOUR_ES_HOST>:9200"
elasticsearch.ssl.verificationMode: "none"
``

shota · June 8, 2018, 12:45pm

OMG everything works fine now
Thank you very much