Elasticsearch API via ssl


(Shota) #1

Hello
I am trying to set up SSL for Elasticsearch using the ROR plugin. The Kibana UI works fine with ‘https’ but I can’t figure it out with the ES API.
here is my readonlyrest ssl config:

 http.type: ssl_netty4
 readonlyrest:
   enable: true
   prompt_for_basic_auth: false
 
   ssl:
     enable: true
     keystore_file: "key.jks"
     keystore_pass: ********
     key_pass: xxxxxxxx
     allowed_protocols: [TLSv1.2]
 
   response_if_req_forbidden: Access denied
 
   access_control_rules:
 
   - name: "ADMIN"
 ...
 .......

and when I try a GET over ‘https’ I get an error:

[[email protected] ~]$ curl -XGET --user user:*** 'https://es.host:9300/_cluster/health?pretty=true'
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to es.host:9300
[[email protected] ~]$ curl -XGET --user user:*** 'https://es.host:9200/_cluster/health?pretty=true'
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

P.S. I also tried allowed_protocols: [TLSv1.1] but got the same results.

Any idea?


(Simone Scarduzio) #2

Hi @shota,

  1. ReadonlyREST will not secure the port 9300 (transport protocol), but only the 9200 (HTTP).
  2. The http.type: ssl_netty4 needs to be in elasticsearch.yml not in readonlyrest.yml.
  3. Make it work without the allowed protocols first, then try to enable some.

Another hint: if you are using a self-signed certificate, curl needs the “-k” option.


(Shota) #3

OK, I deleted ssl_netty4 and am trying to connect to port 9200 via https, but I get the same error:

[[email protected] ~]$ curl -XGET --user user:*** 'https://es.host:9200/_cluster/health?pretty=true'
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number


(Simone Scarduzio) #4

Did you move the “http.type: ssl_netty4” to elasticsearch.yml? It is necessary.
Also did you temporarily remove the constraint about the allowed protocols?


(Shota) #5

When I move “http.type: ssl_netty4” to elasticsearch.yml I can’t log in to the Kibana UI.

API https works with the curl -k option,

but I can’t log in to Kibana (neither the local admin nor LDAP users can log in):

Could not login: Client request error: socket hang up - for GET http://es.host:9200/_nodes/_local headers: {“authorization”:“Basic c2hha2gdtfyuTpBc2hvdDM2Ng==”}


(Simone Scarduzio) #6

That’s expected. Change the Elasticsearch host endpoint in kibana.yml to “https://…” and disable SSL cert verification (if you keep using the unsigned cert).

elasticsearch.url: "https://<YOUR_ES_HOST>:9200"
elasticsearch.ssl.verificationMode: "none"

(Shota) #7

OMG everything works fine now
Thank you very much :blush:
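
Added example, not part of the thread or of ReadonlyREST: curl's "wrong version number" in posts #1 and #3 is what a TLS client typically reports when the listener answers in plaintext HTTP, because it reads the first reply bytes as a TLS record header. The sketch below shows that parse on constructed sample bytes and probes a host and port to tell whether it speaks TLS or plain HTTP; the function names and sample replies are assumptions made for illustration.

```python
import socket
import ssl
import struct

# change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}

def record_header(data: bytes):
    """Read 5 bytes the way a TLS client does: (content_type, (major, minor), length)."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length

def classify_first_bytes(data: bytes) -> str:
    """Decide what kind of listener produced these first reply bytes."""
    if not data:
        return "closed"  # peer hung up without answering
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    if len(data) >= 5:
        ctype, (major, _minor), _length = record_header(data)
        if ctype in TLS_CONTENT_TYPES and major == 0x03:
            return "tls"
    return "unknown"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Try a TLS handshake; if it fails, speak plain HTTP and classify the reply."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnosis only, same effect as curl -k
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except (ssl.SSLError, ConnectionError):
        pass  # handshake failed: fall through to the plaintext check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"GET / HTTP/1.0\r\n\r\n")
        try:
            return classify_first_bytes(raw.recv(16))
        except ConnectionError:
            return "closed"

# Constructed sample replies (not captured from the poster's cluster).
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\n"
TLS_ALERT_REPLY = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x46])

if __name__ == "__main__":
    import sys
    print(f"{sys.argv[1]}:{sys.argv[2]} -> {probe(sys.argv[1], int(sys.argv[2]))}")
```

Parsing the constructed plaintext reply as a record header gives content type 0x48 ('H') and version bytes 0x54 0x54 ('TT'), which is no TLS version at all. A "closed" result from the plaintext step is the same symptom as the "socket hang up" Kibana reported when it sent http:// to a port that had been switched to TLS.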