Details
Improvement
Resolution: Fixed
High
3.1.2
None
Description
Right now it's impossible to use a self-signed CA certificate in the ezplatform_elastic_search_engine.yaml config, as the SSL cert and key options are used only for the CURLOPT_SSLCERT and CURLOPT_SSLKEY curl flags when creating the Elastic builder.
To fix this problem, this method should be refactored to allow setting the CA bundle (a string with the path to the CA .pem file), as it is later built using this property, which allows not just booleans but strings as well (the path to the CA certificate).
Steps to reproduce:
1. Clean installation of eZ Platform v3.1
2. Install elasticsearch
3. Configure TLS for HTTP requests - https://www.elastic.co/guide/en/elasticsearch/reference/7.9/configuring-tls.html#tls-http - described below:
4. Depending on the OS used you have to use elasticsearch-certutil http run from the elasticsearch bin directory: generate CSR -> no, use an existing CA -> no, certificate per node -> no, chmod 660 on http.p12 certificate and move it to the main elasticsearch directory, then append to elasticsearch.yml the following entries:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
5. Restart elasticsearch and try to access https://localhost:9200/_ssl/certificates with curl:
curl https://localhost:9200/_ssl/certificates
6. You should get the following error:
curl: (60) SSL certificate problem: self signed certificate in certificate chain
which is fine.
7. Copy the .pem certificate to the main elasticsearch directory (it should be located in the kibana folder that was generated with elasticsearch-certutil).
8. Run:
curl --cacert elasticsearch-ca.pem https://localhost:9200/_ssl/certificates?pretty
9. You should see JSON with certificates - it means our self signed CA certificate works and we can use it in eZ Platform.
10. Try to access eZ Platform, you should get the following exception, which is fine:
NoNodesAvailableException HTTP 500 Internal Server Error No alive nodes found in your cluster
11. Set elasticsearch url with https
# eZ Platform Elastic Search Engine
ELASTICSEARCH_DSN=https://localhost:9200
in your .env file.
12. Copy the certificate from step 7 to a directory readable by eZ Platform and configure ezplatform_elastic_search_engine.yaml - it should look almost the same as the snippet below:
parameters:
    elasticsearch_dsn: "%env(ELASTICSEARCH_DSN)%"

ezplatform_elastic_search_engine:
    connections:
        default:
            hosts:
                - "%elasticsearch_dsn%"
            debug: true
            trace: true
            ssl:
                cert:
                    path: '/var/www/ezEE312/elasticsearch-ca.pem'
                    pass: ~
13. Refresh eZ Platform
Result:
You get the error from step 10 - explained here:
Expected result:
You should still see the exception, but with the configuration option explained below you should see no exception.
Note for QA:
After the fix you can use
ssl:
    ca_cert:
        path: '/var/www/ezEE312/elasticsearch-ca.pem'
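
The difference between the cert option and the ca_cert option described above, as an added example that is not eZ Platform's own code. It assumes elasticsearch/elasticsearch 7.x installed with Composer and PHP's openssl extension; configureTls() and the array shape are hypothetical, while the host and path are the ones from the steps above.

```php
<?php
// Added illustration, not eZ Platform's own code.
// Assumes elasticsearch/elasticsearch 7.x installed with Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Elasticsearch\ClientBuilder;

/**
 * Hypothetical helper: apply one connection's "ssl" block to a ClientBuilder.
 * The array keys mirror the YAML options quoted in this issue.
 */
function configureTls(ClientBuilder $builder, array $ssl): ClientBuilder
{
    // ssl.cert is the certificate the client presents about itself
    // (CURLOPT_SSLCERT). It has no effect on which servers are trusted.
    if (isset($ssl['cert']['path'])) {
        $builder->setSSLCert($ssl['cert']['path'], $ssl['cert']['pass'] ?? null);
    }

    // ssl.ca_cert is the trust anchor for the server's certificate chain.
    // setSSLVerification() takes a boolean or a string; a string is the
    // path to a CA bundle. Verification stays on, only the anchor changes.
    if (isset($ssl['ca_cert']['path'])) {
        $caPath = $ssl['ca_cert']['path'];
        $pem = is_readable($caPath) ? file_get_contents($caPath) : false;
        // Fail at configuration time instead of as "No alive nodes found".
        if ($pem === false || openssl_x509_read($pem) === false) {
            throw new InvalidArgumentException("Not a readable PEM certificate: $caPath");
        }
        $builder->setSSLVerification($caPath);
    }

    return $builder;
}

$builder = ClientBuilder::create()->setHosts(['https://localhost:9200']);
$client = configureTls($builder, [
    'ca_cert' => ['path' => '/var/www/ezEE312/elasticsearch-ca.pem'],
])->build();

// ping() returns false when no node can be reached, e.g. after a failed TLS handshake.
var_dump($client->ping());
```

Putting the CA file under cert instead of ca_cert only hands curl a client certificate, so the server's self-signed chain is still rejected, which is the result reported above.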