Connect Camunda optimize docker with "https" ElasticSearch

I am trying to connect the Optimize docker image with the URL of ElasticSearch, but it is HTTPS and I am getting an ERROR.
Log file below:
docker-optimize-elasticsearch.txt (5.5 KB)

Config yaml below:

Hi @hahi!

Could you double check that you have adjusted the security configuration settings that define the connection to ES? There’s also this section in the docs about securing your Elasticsearch here, though it sounds like you’ve probably already taken care of the steps detailed there.


Is this option [ es.security.ssl.enabled: "true" ] enough to force Optimize to use HTTPS? Because at the moment it is using http, but the ElasticSearch that I have is HTTPS and that is why it is not working.

“Which is the correct way to use a ConfigMap in Kubernetes for the Optimize Image? As a volume Mount or with envFrom?”

apiVersion: v1
kind: ConfigMap
metadata:
  name: eqwew-ewqeqw-eqweqw-eqweqw-map
  labels:
    app: ewqeqw-eqweq-optimize
    appl: eqweqw-eqweqweqw-optimize-e1
    env: e1
data:
  es.settings.index.prefix: "e1-ewqeqweqw-optimize"
  es.security.ssl.enabled: "true"

Hi @hahi!

Thanks for checking! I believe you should use a volume mount for your configMap - now that you mention it I noticed you are using envFrom in the screenshot above, maybe that’s the issue here.
Could you try using a volume mounted configMap with the data part looking more like this:

(...)
data:
 environment-config.yaml: |
    es:
      settings:
        index:
          prefix: 'e1-ewqeqweqw-optimize'
      security:
        ssl:
          enabled: true

Let me know if that works!


Hi @Helene, yes this worked perfectly, but now I am getting a certificate problem, do you have any ideas? I saw what elasticsearch.yaml has as a certificate and I added the same in Optimize for the ES configuration:

Starting Camunda Optimize 3.3.0…
13:38:11.455 [main] INFO org.eclipse.jetty.util.log - Logging initialized @1180ms to org.eclipse.jetty.util.log.Slf4jLog
13:38:11.637 [main] INFO org.eclipse.jetty.server.Server - jetty-9.4.35.v20201120; built: 2020-11-20T21:17:03.964Z; git: bdc54f03a5e0a7e280fab27f55c3c75ee8da89fb; jvm 11.0.9+11-alpine-r0
13:38:11.665 [main] INFO org.eclipse.jetty.server.session - DefaultSessionIdManager workerName=node0
13:38:11.665 [main] INFO org.eclipse.jetty.server.session - No SessionScavenger set, using defaults
13:38:11.667 [main] INFO org.eclipse.jetty.server.session - node0 Scavenging every 660000ms
13:38:11.673 [main] INFO o.e.j.s.handler.ContextHandler.ROOT - Initializing Spring root WebApplicationContext
13:38:11.682 [main] INFO o.s.web.context.ContextLoader - Root WebApplicationContext: initialization started
13:38:13.126 [main] INFO o.c.o.s.e.OptimizeElasticsearchClientFactory - Initializing Elasticsearch rest client…
13:38:13.161 [main] DEBUG o.c.o.u.e.ElasticsearchHighLevelRestClientBuilder - Found certificate: [

]
13:38:13.353 [main] DEBUG o.c.o.u.e.ElasticsearchHighLevelRestClientBuilder - Elasticsearch username and password not provided,
skipping connection credential setup.
13:38:13.756 [main] ERROR o.c.o.s.e.OptimizeElasticsearchClientFactory - Failed getting number of cluster nodes.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.elasticsearch.client.RestClient.extractAndWrapCause(RestClient.java:860)
at org.elasticsearch.client.RestClient.performRequest(RestClient.java:275)
at org.elasticsearch.client.RestClient.performRequest(RestClient.java:262)
at org.elasticsearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1628)
at org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1598)
at org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1568)
at org.elasticsearch.client.ClusterClient.health(ClusterClient.java:130)
at org.camunda.optimize.service.es.OptimizeElasticsearchClientFactory.getNumberOfClusterNodes(OptimizeElasticsearchClientFactory.java:68)

Hi @hahi,

Do you know if your certificate is self-signed or not? It’s hard to tell what went wrong based on the logs, let’s try adding some ssl debug output. You can do that by setting -Djavax.net.debug=all (this) with the environment variable OPTIMIZE_JAVA_OPTS.
However, we will still need to keep the original value of OPTIMIZE_JAVA_OPTS (which by default is "-Xms1024m -Xmx1024m -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m"), so the result would be:

OPTIMIZE_JAVA_OPTS= "-Xms2g -Xmx2g -XX:MaxMetaspaceSize=256m -Djavax.net.debug=all"


@Helene
[quote="Helene, post:7, topic:25192"]
However, we will still need to keep the original value of
[/quote]

Hi Helene, thank you very much for your help, I am still trying to make this thing work… Well, I added OPTIMIZE_JAVA_OPTS, but not the same way as you wrote, and I am seeing some more data now. I will try the way you wrote to see what the output will be in Kubernetes. Thank you very much once again, it is extremely helpful! I did it this way, see the attached photo.


@Helene
Hi Helene, I checked the yaml file of ES and it has this stuff inside, I am not sure if this helps you:

Hi @hahi,

Can you try adding what’s in ...ssl.certificate_authorities to the Optimize ES security config settings es.security.ssl.certificate_authorities ?
If that doesn’t change things hopefully the ssl debug will give us more information.


@Helene
I tried already earlier to add es.security.ssl.certificate_authorities and the output was the same. I will wait till Monday because there is no one to accept my Pull Request. When I add the Debug as you mention I will check the logs.

Thank you very much, amazing help!

Regards,


Ah fair enough, let’s see what the debug says on Monday then :slight_smile: Have a nice weekend!


@Helene I got the logs… logs_with_ssl.txt (83.5 KB)

but I can’t find where the problem is… Do you have any ideas?

Morning @hahi,

Unfortunately those logs don’t really give me a much better idea either, is this the log with or without the es.security.ssl.certificate_authorities in the Optimize config?
I also noticed in the screenshot above that you are using .pem files, could you check that the relevant information has been imported correctly to your keystore/truststore?
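An added diagnostic, not from the thread, for the PKIX error above and the .pem question: it uses openssl to check whether the server certificate Elasticsearch presents actually chains to the CA file named in es.security.ssl.certificate_authorities. The demo builds throwaway certificates (constructed, not real ES material); the host:port and file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: reproduce the JVM's "unable to find valid certification path"
# check offline with openssl, then apply the same check to a live Elasticsearch.
set -u

# Count CERTIFICATE blocks in a PEM. A certificate_authorities entry must point
# at a PEM holding the CA certificate, not a private key or a JKS truststore.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Does the server certificate chain to the CA bundle Optimize is told to trust?
# Exit status 0 = yes; non-zero = the JVM would throw the PKIX handshake error.
verify_chain() {
  local ca_pem="$1" server_pem="$2"
  openssl verify -CAfile "$ca_pem" "$server_pem" >/dev/null 2>&1
}

# Save the chain a live Elasticsearch (host:port, assumed) presents, so it can
# be fed to verify_chain against the mounted CA file. Not exercised offline.
fetch_es_chain() {
  local hostport="$1" out="$2"
  openssl s_client -connect "$hostport" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# Constructed test material in directory $1: a throwaway CA, a leaf cert issued
# by that CA (es.pem) and a self-signed leaf with the same name (other.pem).
make_demo_certs() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-ca' \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=elasticsearch' \
    -keyout "$d/es.key" -out "$d/es.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/es.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/es.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=elasticsearch' \
    -keyout "$d/other.key" -out "$d/other.pem" >/dev/null 2>&1
}

demo() {
  local d; d="$(mktemp -d)"
  make_demo_certs "$d"
  echo "ca.pem holds $(pem_cert_count "$d/ca.pem") certificate(s)"
  verify_chain "$d/ca.pem" "$d/es.pem" && echo "es.pem: chains to ca.pem, handshake would trust it"
  verify_chain "$d/ca.pem" "$d/other.pem" || echo "other.pem: no path to ca.pem, PKIX would fail"
  rm -rf "$d"
}
demo
```

Run the same verify_chain against the chain fetch_es_chain saved from the real cluster and the CA file mounted into the Optimize pod; a failure there reproduces the handshake error before Optimize ever starts.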

We think that the problem is in the handshake… we find the certificate, it is shown in the logs (I deleted it here, of course I don’t want to share it with the whole world :smiley:), but because we use Kubernetes maybe there is some problem with the handshake, and we contacted a security guy to check the logs and see if this is really the problem. I will post the answer at the end if we find it today.
@Helene
javax.net.ssl|DEBUG|15|I/O dispatcher 1|2021-02-01 09:02:20.211 UTC|HandshakeContext.java:297|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLS11

@Helene
If all is good the yaml should show these attributes, right? I am not sure if they are found like that, because they are white but not orange like data: and environment-config.yaml: what do you think?

Looks fine to me! I don’t think the colouring indicates any issues here, my IntelliJ also uses orange for the configmap keys data/environment-config.yaml and white for the values.


@Helene

I managed to connect C Engine with C Optimize and ES, but now when I try to log in to Optimize I am getting this error, do you have an idea why:
main.4c33b849.chunk.js:6 GET https://trtret-rewrwerew-optimize.e1-ztnet-a.ztet.ch/api/onboarding/whatsnew net::ERR_ABORTED 401
main.4c33b849.chunk.js:6 WebSocket connection to ‘wss://trtret-rewrwerew-optimize.e1-ztnet-a.ztet.ch/ws/status’ failed: WebSocket is closed before the connection is established.

Hey @hahi, glad to hear you could connect now!
Out of interest, was this an issue with your Optimize config or did it turn out to be something unrelated?

As for the error message, I think I need some more context. Can you access the Optimize login page and this prevents you from logging in/using Optimize? Or can you login fine?
If you could post the complete logs that would also be helpful, cheers!