Elasticsearch - Skip certificate validation

11qu1d · June 19, 2024, 1:39am

Hi, I have already raised this issue on Github. Just posting here too for visibility since i didn’t get any response there.

We are facing an issue with connecting to Elasticsearch. Our ES cluster is currently using self-signed certificates to secure the connection via HTTPS. This causes issue when seafevents tries to connect with below error:

06/16/2024 23:05:41 [ERROR] seafes:158 start_index_local: Index process init error: TLS error caused by: TlsError(TLS error caused by: SSLError([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1007))).

I have tried using the below in seafevents.conf but still getting the same error:

[INDEX FILES]
.
.
.
verify_certs = false
cafile = /shared/seafile/conf/es_cacert.pem

I am not sure if these are even used in the code. It should be a relatively easy fix to allow disabling cert verification and expose it as a config parameter.

Version details below:
Seafile version: 11.0.7 Pro (Docker - HA cluster)

Thanks!

daniel.pan · June 19, 2024, 1:45am

Currently the only supported options related to certification with ES are scheme = https and cafile = path/to/cert.pem

Maybe you forgot to add scheme = https in the configuration file.

11qu1d · June 19, 2024, 9:53pm

Thank you, for you suggestion. Turns out there was an issue with the PEM file which i have now fixed.

Would it be possible in the future to have a parameter to skip certificate validation? This would save us some effort of inserting the CA for future setups.

Thanks!

daniel.pan · June 20, 2024, 1:29am

We don’t have a plan to add such a feature.