Reputation: 217
I've got a problem with Quarkus and the Elasticsearch client not connecting to my Elasticsearch server with HTTPS (security) enabled.
The error I get is:
Caused by: javax.net.ssl.SSLHandshakeException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
I've tried several configurations and none worked.
First I tried quarkus.tls.trust-all
and the environment variable QUARKUS_TLS_TRUST_ALL=true.
Then I created the store with:
keytool -genkeypair -alias keystore -keyalg RSA -keysize 2048 -validity 7300 -keystore keystore.p12 -storetype PKCS12 -storepass somePassword
and added the configuration in yaml:
quarkus:
  tls:
    key-store:
      p12:
        path: /someAbsoultePath/keystore.p12
        password: somePassword
None of these worked. It's obvious that I don't understand from the docs how to set up Quarkus with the ES client to accept a self-signed cert from the Elasticsearch server.
Upvotes: 0
Views: 44
Reputation: 217
package com.dropchop.acme.app;

import io.quarkus.elasticsearch.restclient.lowlevel.ElasticsearchClientConfig;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClientBuilder;
import jakarta.enterprise.context.Dependent;
import javax.net.ssl.SSLContext;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

/**
 * @author Armando Ota <[email protected]> on 25. 02. 25.
 */
@ElasticsearchClientConfig
public class SSLContextConfigurator implements RestClientBuilder.HttpClientConfigCallback {

    @Override
    public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
        try {
            String keyStorePass = "somepassword";
            Path trustStorePath = Paths.get("/somePath/truststore.jks");

            // Load the JKS truststore that holds the Elasticsearch server/CA certificate.
            KeyStore truststore = KeyStore.getInstance("JKS");
            try (InputStream is = Files.newInputStream(trustStorePath)) {
                truststore.load(is, keyStorePass.toCharArray());
            }

            // Use the truststore as the trust anchors; a null TrustStrategy keeps the
            // normal chain validation, only the set of trusted certificates changes.
            SSLContextBuilder sslBuilder = SSLContexts.custom()
                    .loadTrustMaterial(truststore, null);
            SSLContext sslContext = sslBuilder.build();
            httpClientBuilder.setSSLContext(sslContext);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        return httpClientBuilder;
    }
}
This was the only way to make it work.
Upvotes: 0
Reputation: 1
I had a similar issue recently when connecting Quarkus to my ELK instance with TLS. The Quarkus application needs a truststore to validate the ELK server's certificate.
And your error may be due to an SSLContext error, as even if you configure quarkus.tls.trust-all=true, your ELK client may bypass this config and set its own SSLContext, which needs certificate validation. I can be wrong.
First, you need to set up your Elasticsearch cluster following this documentation: https://www.elastic.co/guide/en/elasticsearch/reference/6.8/configuring-tls.html#node-certificates and retrieve the Elasticsearch certificate from your instance.
If needed, you can check with openssl if the certificate is valid:
openssl x509 -in /path/to/elk.crt -text -noout
Once it's done, import it into a trust-store (instead of the key-store) with keytool:
keytool -import -file elk.crt -alias elk -keystore truststore.p12 -storetype PKCS12 -storepass somePassword
Then update your Quarkus config:
quarkus:
  tls:
    trust-store:
      p12:
        path: /someAbsoultePath/truststore.p12
        password: somePassword
Upvotes: 0
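As an added example (not code from either answer), this combines the callback approach of the first answer with the PKCS12 truststore of the second: the path and password come from configuration instead of being hardcoded, the store type matches keytool's -storetype PKCS12, and the default certificate-chain and hostname checks stay in place. The property names elasticsearch.truststore.path and elasticsearch.truststore.password and the class name TrustStoreClientConfig are assumptions.

```java
package com.dropchop.acme.app;

import io.quarkus.elasticsearch.restclient.lowlevel.ElasticsearchClientConfig;
import jakarta.enterprise.context.Dependent;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContexts;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.elasticsearch.client.RestClientBuilder;

import javax.net.ssl.SSLContext;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Optional;

@Dependent
@ElasticsearchClientConfig
public class TrustStoreClientConfig implements RestClientBuilder.HttpClientConfigCallback {

    @ConfigProperty(name = "elasticsearch.truststore.path")     // assumed property name
    String trustStorePath;

    @ConfigProperty(name = "elasticsearch.truststore.password") // assumed property name
    Optional<String> trustStorePassword;

    @Override
    public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder builder) {
        try {
            // PKCS12 matches the truststore produced by keytool -storetype PKCS12.
            KeyStore trustStore = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(Path.of(trustStorePath))) {
                trustStore.load(in, trustStorePassword.map(String::toCharArray).orElse(null));
            }
            // Fail at startup rather than with a PKIX error on the first request.
            if (trustStore.size() == 0) {
                throw new IllegalStateException("no certificates in " + trustStorePath);
            }
            // null TrustStrategy: chain building and expiry are still verified,
            // only the trust anchors change; hostname verification stays enabled.
            SSLContext sslContext = SSLContexts.custom()
                    .loadTrustMaterial(trustStore, null)
                    .build();
            return builder.setSSLContext(sslContext);
        } catch (Exception e) {
            throw new IllegalStateException("cannot configure Elasticsearch TLS", e);
        }
    }
}
```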