
Connect to Secured Elastic Search with self-signed certificate from elastic R package


I am running an Elastic Search instance with SSL by creating a self-signed certificate. I ran into a problem when connecting from R through the elastic package. This is how I progressed:

After enabling SSL, when I tried to connect to the Elastic Search instance, I got the below error:

$ curl -u $USER:$PASS 'https://localhost:9200/_cat/health?v'
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

As evident, this problem is because of the certificate not being trusted. One way is to just add the self-signed certificate to the truststore, but I don't know where it is. The other way is to just skip certificate verification by adding -k. But I wanted to perform it. Hence I found a workaround to just specify the root-ca.pem as below:

$ curl -u $USER:$PASS 'https://localhost:9200/_cat/health?v' --cacert /home/user/root-ca.pem
epoch      timestamp cluster     status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1479462058 03:40:58  es-cluster yellow          1         1    365 365    0    0      364             0                  -                 50.1%

Then another SO question helped me create a file ~/.curlrc as below:

$ cat ~/.curlrc
capath=/home/user/

After that, I didn't even have to specify the certificate.

$ curl -u $USER:$PASS 'https://localhost:9200/_cat/health?v'
epoch      timestamp cluster     status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1479462172 03:42:52  es-cluster yellow          1         1    365 365    0    0      364             0                  -                 50.1%

All well till now, but now when I am trying to connect to Elastic Search from R, I am getting the below error.

> library(elastic)
> connect(es_base = "https://localhost", es_port = 9200, es_user = USER,   es_pwd = PASS)
Error:
  Failed to connect to https://127.0.0.1:9200
  Remember to start Elasticsearch before connecting

The logs report an unknown_ca error. The elastic R package might be using either httr/curl to make the connection but I couldn't figure out how to specify the certificate. I referred to the solution here but it works for RCurl.

Please suggest.

Versions:


Solution

  • As suggested by @sckott, I had to set the cainfo parameter. Below is what worked in my case:

    library(elastic)
    library(httr)
    set_config(config(cainfo = "/home/user/root-ca.pem"))
    connect(es_base = "https://localhost", es_port = 9200, es_user = USER,   es_pwd = PASS)
    

    Thank you Sckott.
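
An added example, not part of the original answer: a probe that makes one httr request with the CA file scoped to that call and certificate verification left on, so the underlying curl error is visible instead of the generic "Failed to connect" message from connect(). The helper name check_es_tls and the ES_USER / ES_PASS environment variables are assumptions; the URL and CA path are the ones from the question.

```r
library(httr)

# Hypothetical helper (not part of httr or elastic): request `url` while
# trusting only the CA bundle in `ca_file`, with peer and host checks left on.
# with_config() scopes the setting to this one call.
check_es_tls <- function(url, ca_file, user, pwd) {
  if (!file.exists(ca_file)) {
    stop("CA file not found: ", ca_file)
  }
  tryCatch({
    res <- with_config(
      config(cainfo = ca_file, ssl_verifypeer = 1L, ssl_verifyhost = 2L),
      GET(url, authenticate(user, pwd))
    )
    list(ok = !http_error(res), status = status_code(res), error = NA_character_)
  }, error = function(e) {
    # curl's own message, e.g. a certificate problem or a refused connection
    list(ok = FALSE, status = NA_integer_, error = conditionMessage(e))
  })
}

ca_file <- "/home/user/root-ca.pem"   # path used in the question
es_user <- Sys.getenv("ES_USER")      # assumed environment variables
es_pwd  <- Sys.getenv("ES_PASS")

probe <- check_es_tls("https://localhost:9200/_cat/health?v",
                      ca_file, es_user, es_pwd)

if (probe$ok) {
  # TLS and credentials are good: apply the same CA to elastic's requests.
  set_config(config(cainfo = ca_file))
  elastic::connect(es_base = "https://localhost", es_port = 9200,
                   es_user = es_user, es_pwd = es_pwd)
} else if (is.na(probe$status)) {
  message("Transport/TLS failure: ", probe$error)
} else {
  message("TLS handshake succeeded, but HTTP status was ", probe$status)
}
```

A transport/TLS failure here points at the CA file or the server certificate, while an HTTP status such as 401 means the certificate chain was accepted and the credentials are the problem.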