Howto: Elasticsearch with custom SSL setup #2774
Yeah I think we'd need to add settings for custom TLS for the client. I don't think we can really share settings between the server and client since they're usually configured differently and with different settings but we should add some settings to ElasticsearchProperties. It's a little tempting to reuse this object, but it has server-only setting of ClientAuth so probably shouldn't be used for configuring a client |
ok so it makes sense then probably to just share the property keys and not
the server-only one.
do you feel confident and/or have cycles for this? (ideally both :)) either
way is ok
On Fri, Aug 23, 2019 at 7:41 PM Anuraag Agrawal ***@***.***> wrote:
Yeah I think we'd need to add settings for custom TLS for the client. I
don't think we can really share settings between the server and client
since they're usually configured differently and with different settings
but we should add some settings to ElasticsearchProperties.
It's a little tempting to reuse this object, but it has server-only
setting of ClientAuth so probably shouldn't be used for configuring a
client
https://github.com/line/armeria/blob/master/spring/boot-autoconfigure/src/main/java/com/linecorp/armeria/spring/Ssl.java
|
Will say probably no cycles. It seems like a new feature to configure TLS of the ES client, rather than bugfix, and ends up below other things in my personal backlog right now. I wonder a little if it also blocks the patch release for the same reason. |
Actually realized we might already be able to support the javax.net properties if the user disables openssl using the flag (sorry walking/ texting so haven't looked up the link to the flag yet) |
@anuraaga good ideas.. mainly I think the old one used normal javax.net so in comparison not being able to, and having no other way to, could look like a regression. we can release a patch, but still I wouldn't announce 2.16 until it is stable with things like this. (doesn't mean you have to do this.. I can add the ssl parameters it seems not difficult to copy/paste and I'm at the computer) |
I'm going for it :P |
from chat the only settings used were: keyStore, keyStorePassword, trustStore, trustStorePassword. So, it was more about overrides than client auth. |
ps I'm getting some 🍷 then coming back to this. approach is to add ssl into the ES config properties object, defaulting to the system properties. That way it is 2-for-1. Then wire into the ssl configurator for the client. I've already done all this.. the wine is needed to refactor the integration test :P luckily I have an old keystore and some things from my past life in feign. I'll cobble it together in a bit. |
This allows the following system properties to be used for Elasticsearch connections:
* javax.net.ssl.keyStore
* javax.net.ssl.keyStorePassword
* javax.net.ssl.keyStoreType
* javax.net.ssl.trustStore
* javax.net.ssl.trustStorePassword
* javax.net.ssl.trustStoreType

This allows the most common SSL setup, self-signed certs, to work out of box. Fixes #2774
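As an added illustration (not code from Zipkin, Armeria or the commit referenced above), this is how a client-side `SSLContext` can be derived from the six `javax.net.ssl.*` properties listed, using only the JDK's JSSE API. The class and method names (`SystemPropertySsl`, `load`, `password`, `clientContext`) are hypothetical, and wiring the context into the Elasticsearch client is not shown.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example; class and method names are hypothetical, not Zipkin's or Armeria's.
public final class SystemPropertySsl {
  static char[] password(String prefix) {
    String value = System.getProperty("javax.net.ssl." + prefix + "Password");
    return value == null ? null : value.toCharArray();
  }

  // Loads the store named by javax.net.ssl.<prefix>; returns null when the property is unset.
  static KeyStore load(String prefix) throws Exception {
    String path = System.getProperty("javax.net.ssl." + prefix);
    if (path == null || path.isEmpty()) return null;
    String type = System.getProperty("javax.net.ssl." + prefix + "Type", KeyStore.getDefaultType());
    KeyStore store = KeyStore.getInstance(type);
    try (InputStream in = Files.newInputStream(Paths.get(path))) {
      store.load(in, password(prefix));
    }
    return store;
  }

  static SSLContext clientContext() throws Exception {
    // A null trust store makes the factory fall back to the JVM's default trust anchors.
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(load("trustStore"));
    // Key managers are only needed when the server asks for a client certificate.
    KeyManager[] keyManagers = null;
    KeyStore keyStore = load("keyStore");
    if (keyStore != null) {
      KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
      // Assumption: the key entries use the same password as the store itself.
      kmf.init(keyStore, password("keyStore"));
      keyManagers = kmf.getKeyManagers();
    }
    SSLContext context = SSLContext.getInstance("TLS");
    context.init(keyManagers, tmf.getTrustManagers(), null);
    return context;
  }

  public static void main(String[] args) throws Exception {
    System.out.println(clientContext().getProtocol());
  }
}
```

With a self-signed Elasticsearch certificate, the certificate is imported into the store named by `javax.net.ssl.trustStore`, so chain validation stays enabled rather than being switched off.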
#2775 should work.. waiting for manual verification as I don't feel like setting up elasticsearch ssl |
@anuraaga can you help check this problem
|
The command looks fine - there are any number of reasons that could cause handshake failures such as expired or incorrect certificates, so it's always hard to pinpoint one. Does this only happen in a particular version of zipkin or even in older ones? Also, are you using Java 11? If so, can you try with the system property |
Marking this as a question, for now. We have someone on gitter, stanltam_twitter, asking about how to use custom TLS configuration for the client side of elasticsearch. I know this exists for the server side, but I'm not sure if we read custom TLS or not, if we fall back to system properties, or something else.
https://github.com/line/armeria/blob/master/spring/boot-autoconfigure/src/main/java/com/linecorp/armeria/spring/ArmeriaSettings.java#L35-L49
Ex I would expect possibly some custom TLS object used here https://github.com/openzipkin/zipkin/blob/master/zipkin-server/src/main/java/zipkin2/server/internal/elasticsearch/ZipkinElasticsearchStorageConfiguration.java#L75
Holding back a patch release for now, just in case we have to change code to make it possible to connect to ES with customized TLS
cc @trustin @anuraaga