Uploaded image for project: 'Karaf'
  1. Karaf
  2. KARAF-5754

Make Decanter elasticsearch-jest appender support HTTPS/XPack enabled ES

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • decanter-2.0.0
    • decanter-2.1.0
    • decanter
    • None

    Description

      Now the Decanter elasticsearch-jest appender is able to connect with plain ES, but failed to connect with HTTPS/XPack enabled ES.

      With configuration in the org.apache.karaf.decanter.appender.elasticsearch.jest.cfg:

      address=https://192.168.99.100:9200

# Basic username and password authentication
username=xxxx
password=xxxx

      Then the SSLHandshakeException will be thrown from the ElasticsearchAppender:

      2018-05-15T11:11:10,666 | WARN  | EventAdminThread #20 | earch.jest.ElasticsearchAppender  120 | 315 - org.apache.karaf.decanter.appender.elasticsearch.jest - 2.0.0 | Can't append into Elasticsearch
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [?:?]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) [?:?]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328) [?:?]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) [?:?]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) [?:?]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) [?:?]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) [?:?]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) [?:?]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) [?:?]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) [?:?]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) [?:?]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) [?:?]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at io.searchbox.client.http.JestHttpClient.execute(JestHttpClient.java:47) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.karaf.decanter.appender.elasticsearch.jest.ElasticsearchAppender.send(ElasticsearchAppender.java:128) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.karaf.decanter.appender.elasticsearch.jest.ElasticsearchAppender.handleEvent(ElasticsearchAppender.java:118) [315:org.apache.karaf.decanter.appender.elasticsearch.jest:2.0.0]
    at org.apache.felix.eventadmin.impl.handler.EventHandlerProxy.sendEvent(EventHandlerProxy.java:415) [3:org.apache.karaf.services.eventadmin:4.1.5]
    at org.apache.felix.eventadmin.impl.tasks.HandlerTask.run(HandlerTask.java:70) [3:org.apache.karaf.services.eventadmin:4.1.5]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:?]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:?]
    at java.lang.Thread.run(Thread.java:748) [?:?]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[?:?]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:?]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) ~[?:?]
    ... 29 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:?]
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[?:?]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:?]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) ~[?:?]
    ... 29 more

      Also, the elasticsearch-rest appender has the same problem with Secured/Xpacked enabled ES.

      2018-05-15T11:24:00,901 | WARN  | Thread-6         | earch.rest.ElasticsearchAppender  144 | 329 - org.apache.karaf.decanter.appender.elasticsearch.rest - 2.0.0 | Can't append into Elasticsearch
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529) [?:?]
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) [?:?]
	at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214) [?:?]
	at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186) [?:?]
	at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) [?:?]
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265) [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305) [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
	at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509) [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
	at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120) [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
	at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588) [329:org.apache.karaf.decanter.appender.elasticsearch.rest:2.0.0]
	at java.lang.Thread.run(Thread.java:748) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:?]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330) ~[?:?]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[?:?]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) ~[?:?]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) ~[?:?]
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353) ~[?:?]
	... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[?:?]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
	at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:?]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601) ~[?:?]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) ~[?:?]
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353) ~[?:?]
	... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:?]
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[?:?]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
	at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:?]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601) ~[?:?]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) ~[?:?]
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353) ~[?:?]
	... 9 more

      The elasticsearch-jest/elasticsearch-rest appenders need to be enhanced to support XPack secured ES.

      Attachments

        Issue Links

          links to

          Web Link GitHub Pull Request #36

          Activity

            People

              jbonofre Jean-Baptiste Onofré
              xldai Xilai Dai
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: