Hi,
How can I connect the Zeebe OpenSearch exporter to an OpenSearch instance over SSL configuration using the root certificate of ES?
It appears that the ElasticsearchExporter uses TrustAllStrategy, which accepts all certificates as trusted.
Code Snippet:
    if (allowAllSelfSignedCertificates)
      try {
        SSLContext sslContext = SSLContextBuilder.create().loadTrustMaterial(null, (TrustStrategy)new TrustAllStrategy()).build();
        builder.setSSLContext(sslContext);
      }
Also, it does the above only if allowAllSelfSignedCertificates is true.
How do I enable/pass the allowAllSelfSignedCertificates variable when using the OpenSearch Exporter?
Thanks
Rahul
Hi @rahulmca.rns - I don’t think there’s a way to override that variable. As noted in the source, it’s really only meant for some limited testing purposes and isn’t meant to be a “ready for production” variable. Are you running a local instance of OpenSearch with a self-signed certificate?
Hi @nathan.loding
I am trying to export Zeebe records to a local OpenSearch instance over SSL with a root certificate, but I am not able to connect the Zeebe exporter to the local instance of OpenSearch.
Can you please share your views here?
Thanks
Rahul
Hi @rahulmca.rns - I personally don’t have much experience with OpenSearch, so I’ve asked around to see if anyone has some thoughts. I assume you’ve tried the exporter and are running into errors: can you share what errors you are getting? I’ll let you know what I find out!
Hi @nathan.loding
I am trying to use the OpenSearch exporter to export Zeebe incident records to a local OpenSearch instance which is running over HTTPS.
But the OpenSearch exporter is not allowing a connection to the local OpenSearch instance over the HTTPS protocol (with root cert).
Please advise
Thanks
Rahul
Can you share what errors are occurring when the exporter tries to connect to OpenSearch?
Hi @nathan.loding
Please find the errors we are getting when connecting over https.
Caused by: java.io.IOException: Host name ‘opensearch-cluster-master.opensearch.svc.cluster.local’ does not match the certificate subject provided by the peer (CN=node-0.example.com, OU=node, O=node, L=test, DC=de)
at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:958) ~[opensearch-rest-client-2.5.0.jar:2.5.0]
at org.opensearch.client.RestClient.performRequest(RestClient.java:332) ~[opensearch-rest-client-2.5.0.jar:2.5.0]
at org.opensearch.client.RestClient.performRequest(RestClient.java:320) ~[opensearch-rest-client-2.5.0.jar:2.5.0]
at io.camunda.zeebe.exporter.opensearch.OpensearchClient.sendRequest(OpensearchClient.java:204) ~[zeebe-opensearch-exporter-8.3.0.jar:8.3.0]
at io.camunda.zeebe.exporter.opensearch.OpensearchClient.putComponentTemplate(OpensearchClient.java:196) ~[zeebe-opensearch-exporter-8.3.0.jar:8.3.0]
… 17 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name ‘opensearch-cluster-master.opensearch.svc.cluster.local’ does not match the certificate subject provided by the peer (CN=node-0.example.com, OU=node, O=node, L=test, DC=de)
Hi @rahulmca.rns - I don’t believe this is an issue with accepting your root certificate; rather the certificate issued to OpenSearch is invalid because it doesn’t match the domain. I suspect that if you issued a certificate for opensearch-cluster-master.opensearch.svc.cluster.local rather than node-0.example.com, it would work. Alternatively, since the certificate is invalid for that host anyway, disable SSL locally.
I don’t think Camunda wants to introduce an override into these packages that says “accept invalid certificates” because that’s a big potential vulnerability. However, if you issue a valid certificate, signed by your local root certificate, and it still isn’t working, that’s a different situation.
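
As an added example (not code from the exporter or from anyone in this thread): the counterpart to the trust-all snippet quoted in the first post is an SSLContext that trusts only a given root CA, built here with JDK classes alone. The class name `RootCaSslContext` and the file name `root-ca.pem` are assumptions. Hostname verification is left untouched, so the server certificate must still name the host being connected to.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class; not part of Zeebe or the OpenSearch client.
public final class RootCaSslContext {

    /** Builds an SSLContext whose only trust anchors are the CA certificates in caPem. */
    public static SSLContext fromRootCa(Path caPem) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty in-memory store, no JVM default CAs

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(caPem)) {
            int i = 0;
            for (Certificate ca : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("root-ca-" + i++, ca);
            }
        }
        // Fail here rather than at the first handshake if the file held no certificate.
        if (trustStore.size() == 0) {
            throw new IllegalArgumentException("No certificates found in " + caPem);
        }

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Chain validation stays on: only certificates issued under caPem are accepted.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file name; pass the path to your own root CA as the first argument.
        Path caPem = Path.of(args.length > 0 ? args[0] : "root-ca.pem");
        SSLContext ctx = fromRootCa(caPem);
        System.out.println("SSLContext ready, protocol: " + ctx.getProtocol());
    }
}
```

In client code you control, a context built this way can be passed to a `setSSLContext(...)` call like the one in the quoted snippet.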