Re: [search-guard group] Elasticsearch-PHP Configuration
97 views
Skip to first unread message
SG
Sep 19, 2016, 3:36:54 PM9/19/16
to search...@googlegroups.com
see the note on libcurl: https://www.elastic.co/guide/en/elasticsearch/client/php-api/current/_security.html
Make sure libcurl (on you PHP server) is compiled with TLSv1.1 or TLSv1.2 support and verify that you can so something like this:
curl -Ss --tlsv1.2 --cacert search-guard-ssl/example-pki-scripts/ca/root-ca.pem https://localhost:9200 (on PHP server)
If this does not work pls post the output of "curl -V" and "curl -help | grep -i tls" (on PHP server)
This should look like:
search-guard git:(master) ✗ curl -V
curl 7.49.1 (x86_64-apple-darwin14.5.0) libcurl/7.49.1 OpenSSL/1.0.2h zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
search-guard git:(master) ✗ curl -help | grep -i tls
--false-start Enable TLS False Start.
--ftp-ssl-control Require SSL/TLS for FTP login, clear for transfer (F)
--no-alpn Disable the ALPN TLS extension (H)
--no-npn Disable the NPN TLS extension (H)
--ssl Try SSL/TLS (FTP, IMAP, POP3, SMTP)
--ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)
-1, --tlsv1 Use >= TLSv1 (SSL)
--tlsv1.0 Use TLSv1.0 (SSL)
--tlsv1.1 Use TLSv1.1 (SSL)
--tlsv1.2 Use TLSv1.2 (SSL)
--tlsuser USER TLS username
--tlspassword STRING TLS password
--tlsauthtype STRING TLS authentication type (default: SRP)
> Am 31.08.2016 um 05:40 schrieb Bernie Carolan <bernie....@gmail.com>:
>
> Have installed the latest SearchGuard-SSL and everything works fine, Logstash, Kibana etc.
>
> I would like to access the ES cluster using the Elasticsearch-PHP 2.0 API. Outlined in the documentation is the following setup:
>
> $hosts = ['https://localhost:9200'];
>
> $myCert
> = 'path/to/cacert.pem';
>
>
> $client
> = ClientBuilder::create()
>
>
> ->setHosts($hosts)
>
>
> ->setSSLVerification($myCert)
>
>
> ->build();
>
> I've tried setting the certificate to the generated root-ca.pem that works with Kibana, but I get the following error from SG:
>
> SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
>
> Is there something else that has to be configured?
>
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f8e2d84d-93d0-4108-b458-4b80c85b2390%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Make sure libcurl (on you PHP server) is compiled with TLSv1.1 or TLSv1.2 support and verify that you can so something like this:
curl -Ss --tlsv1.2 --cacert search-guard-ssl/example-pki-scripts/ca/root-ca.pem https://localhost:9200 (on PHP server)
If this does not work pls post the output of "curl -V" and "curl -help | grep -i tls" (on PHP server)
This should look like:
search-guard git:(master) ✗ curl -V
curl 7.49.1 (x86_64-apple-darwin14.5.0) libcurl/7.49.1 OpenSSL/1.0.2h zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
search-guard git:(master) ✗ curl -help | grep -i tls
--false-start Enable TLS False Start.
--ftp-ssl-control Require SSL/TLS for FTP login, clear for transfer (F)
--no-alpn Disable the ALPN TLS extension (H)
--no-npn Disable the NPN TLS extension (H)
--ssl Try SSL/TLS (FTP, IMAP, POP3, SMTP)
--ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)
-1, --tlsv1 Use >= TLSv1 (SSL)
--tlsv1.0 Use TLSv1.0 (SSL)
--tlsv1.1 Use TLSv1.1 (SSL)
--tlsv1.2 Use TLSv1.2 (SSL)
--tlsuser USER TLS username
--tlspassword STRING TLS password
--tlsauthtype STRING TLS authentication type (default: SRP)
> Am 31.08.2016 um 05:40 schrieb Bernie Carolan <bernie....@gmail.com>:
>
> Have installed the latest SearchGuard-SSL and everything works fine, Logstash, Kibana etc.
>
> I would like to access the ES cluster using the Elasticsearch-PHP 2.0 API. Outlined in the documentation is the following setup:
>
> $hosts = ['https://localhost:9200'];
>
> $myCert
> = 'path/to/cacert.pem';
>
>
> $client
> = ClientBuilder::create()
>
>
> ->setHosts($hosts)
>
>
> ->setSSLVerification($myCert)
>
>
> ->build();
>
> I've tried setting the certificate to the generated root-ca.pem that works with Kibana, but I get the following error from SG:
>
> SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
>
> Is there something else that has to be configured?
>
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f8e2d84d-93d0-4108-b458-4b80c85b2390%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages