I've got a problem with Quarkus and elasticsearch client not connecting to my elasticsearch server with https (security) enabled.
The error I get is:

    Caused by: javax.net.ssl.SSLHandshakeException:
        PKIX path building failed:
        sun.security.provider.certpath.SunCertPathBuilderException:
        unable to find valid certification path to requested target

I've tried several configurations and none worked.
First I've tried quarkus.tls.trust-all
and the environment variable QUARKUS_TLS_TRUST_ALL=true

Then I created the store with:

    keytool -genkeypair -alias keystore -keyalg RSA -keysize 2048 -validity 7300 -keystore keystore.p12 -storetype PKCS12 -storepass somePassword

and added the configuration in YAML:

    quarkus:
      tls:
        key-store:
          p12:
            path: /someAbsoultePath/keystore.p12
            password: somePassword

None of these worked. It's obvious that I don't understand the docs of how to set Quarkus with ES Client to accept self-signed cert from elasticsearch server.

2 Answers

I had a similar issue recently when connecting Quarkus to my ELK instance with TLS. The Quarkus application needs a truststore to validate the ELK server's certificate.

Your error may be due to an SSLContext error: even if you configure quarkus.tls.trust-all=true, your ELK client may bypass this config and set its own SSLContext, which needs certificate validation. I may be wrong.

First, you need to set up your Elasticsearch cluster following this documentation: https://www.elastic.co/guide/en/elasticsearch/reference/6.8/configuring-tls.html#node-certificates and retrieve the Elasticsearch certificate from your instance.

If needed, you can check with openssl whether the certificate is valid:

    openssl x509 -in /path/to/elk.crt -text -noout

Once that's done, import it into a trust-store (instead of the key-store) with keytool:

    keytool -import -file elk.crt -alias elk -keystore truststore.p12 -storetype PKCS12 -storepass somePassword

Then update your Quarkus config:

    quarkus:
      tls:
        trust-store:
          p12:
            path: /someAbsoultePath/truststore.p12
            password: somePassword

    package com.dropchop.acme.app;

    import io.quarkus.elasticsearch.restclient.lowlevel.ElasticsearchClientConfig;
    import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
    import org.apache.http.ssl.SSLContextBuilder;
    import org.apache.http.ssl.SSLContexts;
    import org.elasticsearch.client.RestClientBuilder;
    import jakarta.enterprise.context.Dependent;

    import javax.net.ssl.SSLContext;
    import java.io.InputStream;
    import java.nio.file.Files;
    import java.nio.file.Path;
    import java.nio.file.Paths;
    import java.security.KeyStore;

    /**
     * @author Armando Ota on 25. 02. 25.
     */
    @ElasticsearchClientConfig
    public class SSLContextConfigurator implements RestClientBuilder.HttpClientConfigCallback {

        @Override
        public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
            try {
                // Placeholder password and path for the truststore holding the server certificate
                String keyStorePass = "somepassword";
                Path trustStorePath = Paths.get("/somePath/truststore.jks");

                // Load the JKS truststore from disk
                KeyStore truststore = KeyStore.getInstance("JKS");
                try (InputStream is = Files.newInputStream(trustStorePath)) {
                    truststore.load(is, keyStorePass.toCharArray());
                }

                // Build an SSLContext that trusts only the certificates in that store
                // (null trust strategy: normal certificate validation stays in place)
                SSLContextBuilder sslBuilder = SSLContexts.custom()
                        .loadTrustMaterial(truststore, null);
                SSLContext sslContext = sslBuilder.build();

                // Hand the context to the HTTP client used by the Elasticsearch REST client
                httpClientBuilder.setSSLContext(sslContext);
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
            return httpClientBuilder;
        }
    }

This was the only way to make it work.
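
The difference between the store created in the question and the truststore from the first answer, as an added example that is not part of the original posts: `-genkeypair` produces a new client key pair, while `-import` stores the server's own certificate as a trusted entry. The server certificate here is a locally generated stand-in, and the `-dname` values, `es-node.p12` and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original posts). The "Elasticsearch" certificate is a
# constructed stand-in generated locally; file names, CNs and functions are hypothetical.
# Usage: sh check-stores.sh <empty-directory>
PASS=somePassword                            # placeholder password, as in the posts
P12="-storetype PKCS12 -storepass $PASS"
kt() { keytool -J-Duser.language=en "$@"; }  # force English output so it can be parsed

# SHA-256 fingerprint of a PEM certificate read from stdin.
fingerprint() { kt -printcert | sed -n 's/.*SHA256: *//p'; }

# Fingerprint of the certificate stored under alias $2 in store $1.
store_fingerprint() { kt -exportcert -rfc -alias "$2" -keystore "$1" $P12 | fingerprint; }

# Entry type keytool reports for alias $2 in store $1.
entry_type() {
    kt -list -alias "$2" -keystore "$1" $P12 | grep -Eo 'PrivateKeyEntry|trustedCertEntry'
}

# Create the stand-in server certificate and both client-side stores in directory $1.
build_stores() {
    {
        # Stand-in for the server: its key pair and the certificate it presents (elk.crt).
        kt -genkeypair -alias es -keyalg RSA -keysize 2048 -validity 30 \
            -dname "CN=es.example.test" -keystore "$1/es-node.p12" $P12 &&
        kt -exportcert -rfc -alias es -file "$1/elk.crt" -keystore "$1/es-node.p12" $P12 &&
        # The question's command (-dname added to avoid prompts): a new client key pair.
        kt -genkeypair -alias keystore -keyalg RSA -keysize 2048 -validity 7300 \
            -dname "CN=client.example.test" -keystore "$1/keystore.p12" $P12 &&
        # The answer's command: import the server certificate as a trusted entry.
        kt -import -noprompt -file "$1/elk.crt" -alias elk \
            -keystore "$1/truststore.p12" $P12
    } </dev/null >/dev/null 2>&1
}

# Print the server fingerprint next to what each store actually holds.
report() {
    build_stores "$1" || return 1
    echo "server cert    : $(fingerprint < "$1/elk.crt")"
    echo "keystore.p12   : $(entry_type "$1/keystore.p12" keystore)" \
         "$(store_fingerprint "$1/keystore.p12" keystore)"
    echo "truststore.p12 : $(entry_type "$1/truststore.p12" elk)" \
         "$(store_fingerprint "$1/truststore.p12" elk)"
}

if [ $# -gt 0 ]; then report "$1"; fi
```

Only the `truststore.p12` line carries the server's fingerprint; the `-genkeypair` store holds a different, freshly generated certificate, so it gives the client nothing with which to validate the server.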