go, opensearch, opensearch-dashboards

Opensearch Error pinging Elastic server: x509 certificate signed by unknown authority


I am trying to build an Opensearch client using the Go language. However, I am facing an error while pinging the Opensearch server. The error message is as follows:

    {"level":"error","time":"2023-04-28T02:29:00+03:00","message":"Failed to build ES client: error pinging elastic server: Get \"https://192.168.8.136:9200/\": x509: certificate signed by unknown authority"}
    {"level":"error","time":"2023-04-28T02:29:00+03:00","message":"Failed to initialize service ===>: error possible due to certificate issue"}

I understand that this error is related to the SSL/TLS certificate, which is not trusted by the client. Can anyone suggest a possible solution to resolve this issue? I have already tried disabling certificate validation, but it did not help. Thank you in advance for your help.

Kudos to ChatGPT for writing the question for me.


Solution

  • I expected this configuration to allow me with untrusted certs

    plugins.security.allow_unsafe_democertificates=true
    

    This configuration means that you allow the server to use the demo certificate. It does not change the fact that the demo certificate is untrusted by the client. If you want to make it work, you can configure the client to ignore certificate errors:

    package main
    
    import (
        "crypto/tls"
        "fmt"
        "net/http"
        "net/http/httputil"
    )
    
    func main() {
        req, err := http.NewRequest("GET", "https://localhost:9200", nil)
        if err != nil {
            panic(err)
        }
        req.SetBasicAuth("admin", "admin")
    
        client := &http.Client{
            Transport: &http.Transport{
                TLSClientConfig: &tls.Config{
                    InsecureSkipVerify: true,
                },
            },
        }
        res, err := client.Do(req)
        if err != nil {
            panic(err)
        }
    
        defer res.Body.Close()
    
        buf, err := httputil.DumpResponse(res, true)
        if err != nil {
            panic(err)
        }
    
        fmt.Printf("%s\n", buf)
    }
    

    InsecureSkipVerify: true makes the client ignore the certificate errors. The opensearch-go package accepts the same configuration like this:

    cfg := opensearch.Config{
        /// ...
        Transport: &http.Transport{
            TLSClientConfig: &tls.Config{
                InsecureSkipVerify: true,
            },
        },
    }
    

    Another option is to modify opensearch.yml to disable HTTPS on the server:

    plugins.security.ssl.http.enabled: false
    

    Note: Neither ignore server certificate errors nor disable HTTPS when you go into production.
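
Added example (not part of the original answer and not opensearch-go code): instead of `InsecureSkipVerify`, the client can keep verification on and trust the CA that signed the node certificate through `RootCAs`. The names `clientTrusting` and `demo` are hypothetical, and a local `httptest` TLS server stands in for the OpenSearch node with its privately signed certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientTrusting returns an HTTP client that verifies server certificates
// against the given PEM bundle (for example, the root CA of the cluster).
func clientTrusting(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no certificates found in CA PEM")
	}
	// The same *http.Transport can be set as opensearch.Config.Transport.
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}, nil
}

// demo returns the error seen by a default client and the HTTP status seen
// by a client that trusts the server's CA. The server is a constructed stand-in.
func demo() (defaultErr error, status int, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"tagline":"constructed response"}`)
	}))
	defer srv.Close()
	// System roots only: the handshake fails, as in the question.
	_, defaultErr = (&http.Client{Transport: &http.Transport{}}).Get(srv.URL)
	// In practice caPEM is read from the CA file shipped with the cluster.
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	client, err := clientTrusting(caPEM)
	if err != nil {
		return defaultErr, 0, err
	}
	res, err := client.Get(srv.URL)
	if err != nil {
		return defaultErr, 0, err
	}
	defer res.Body.Close()
	return defaultErr, res.StatusCode, nil
}

func main() { fmt.Println(demo()) }
```

Hostname verification stays enabled with this approach, so the node certificate must list the address the client connects to in its subject alternative names.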