Curator can't connect to Elasticsearch via SSL

[christophe...@gmail.com]

Curator can't connect to Elasticsearch anymore since Searchgeard was installed.

Elasticsearch Version: 5.2.1

curator --version

curator, version 4.2.6

curator-config:

client:
  hosts:
    - 127.0.0.1
  port: 9200
  use_ssl: True
  certificate: root-ca.pem
#  client_cert: chain.pem
#  client_key: kirk.pem
  ssl_no_validate: False

Error when executing curator:

Traceback (most recent call last):
  File "/usr/local/bin/curator", line 11, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/curator/cli.py", line 166, in cli
    client = get_client(**client_args)
  File "/usr/local/lib/python2.7/dist-packages/curator/utils.py", line 603, in get_client
    'Error: {0}'.format(e)
elasticsearch.exceptions.ElasticsearchException: Unable to create client connection to Elasticsearch.  Error: ConnectionError(error return without exception set) caused by: SystemError(error return without exception set)

Is there a solution to fix this?

Other threads here and elastic forum provided no successful solution.

Thanks in advance,

Chris

[christophe...@gmail.com]

The command

curl --insecure -E ./chain.pem --key ./kirk.pem -XPUT 'https://localhost:9200/_snapshot/elk5-2-1-dev-backup/snapshot_1?wait_for_completion=true'

works fine, but working curator would be appreciated for excluding searchguard-index.

Restoring with explicitly listing all other indices would be pain.

[anthony...@actual-experience.com]

Are you using the snapshot user?

[christophe...@gmail.com]

I've created the role sg_snapshot_restore and mapped it to the admin user, but found no way to configure curator to use this account.

[anthony...@actual-experience.com]

There is a way.

In  your curator config, load it in as follows(You may have different SSL settings)

client:

  hosts:

    - elastic-master-01.x

    - elastic-master-02.x

  port: 9200

  url_prefix:

  use_ssl: True

  certificate: '/etc/elasticsearch/elastic-master-01.x/ca-bundle.pem'

  client_cert: '/etc/elasticsearch/elastic-master-01.x/elastic-admin.pem'

  client_key: '/etc/elasticsearch/elastic-master-01.x/elastic-admin.key.pem'

  ssl_no_validate: False (you can use true if you have ssl problems)

  http_auth: admin:x

  timeout: 30

  master_only: False

[anthony...@actual-experience.com]

0 2 * * * /usr/local/bin/curator --config /root/config.yml /root/action.yml

^ This is how you pass the config.

[christophe...@gmail.com]

http_auth was missing in my config, now it works.

Thank you very much!

[SG]

maybe this helps:
https://github.com/floragunncom/search-guard/issues/401#issuecomment-337063060

> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/7c860a2f-42fe-48d4-a5e4-efcfa28cc52d%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.