Http client did not trust this server s certificate closing connection – How to solve this Elasticsearch error

Opster Team

Aug-23, Version: 6.8-8.9

Briefly, this error occurs when the Elasticsearch HTTP client cannot verify the SSL/TLS certificate of the server it’s trying to connect to. This could be due to an expired certificate, a self-signed certificate, or a certificate from an untrusted source. To resolve this issue, you can: 1) Update the server’s certificate with a valid one from a trusted Certificate Authority. 2) If using a self-signed certificate, ensure it’s properly imported into the client’s truststore. 3) Check the client’s SSL/TLS configuration to ensure it’s set to trust the server’s certificate.

This guide will help you check for common problems that cause the log ” http client did not trust this server’s certificate; closing connection {} ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: client.

 
 

client

Overview

Any application that interfaces with Elasticsearch to index, update or search data, or to monitor and maintain Elasticsearch using various APIs can be considered a client

It is very important to configure clients properly in order to ensure optimum use of Elasticsearch resources.

Examples

There are many open-source client applications for monitoring, alerting and visualization, such as ElasticHQ, Elastalerts, and Grafana to name a few. On top of Elastic client applications such as filebeat, metricbeat, logstash and kibana that have all been designed to integrate with Elasticsearch.

However it is frequently necessary to create your own client application to interface with Elasticsearch. Below is a simple example of the python client (taken from the client documentation):

from datetime import datetime
from elasticsearch import Elasticsearch
es = Elasticsearch()

doc = {
    'author': 'Testing',
    'text': 'Elasticsearch: cool. bonsai cool.',
    'timestamp': datetime.now(),
}
res = es.index(index="test-index", doc_type='tweet', id=1, body=doc)
print(res['result'])

res = es.get(index="test-index", doc_type='tweet', id=1)
print(res['_source'])

es.indices.refresh(index="test-index")

res = es.search(index="test-index", body={"query": {"match_all": {}}})
print("Got %d Hits:" % res['hits']['total']['value'])
for hit in res['hits']['hits']:
    print("%(timestamp)s %(author)s: %(text)s" % hit["_source"])

All of the official Elasticsearch clients follow a similar structure, working as light wrappers around the Elasticsearch rest API, so if you are familiar with Elasticsearch query structure they are usually quite straightforward to implement.

Notes and Good Things to Know

Use official Elasticsearch libraries.

Although it is possible to connect with Elasticsearch using any HTTP method, such as a curl request, the official Elasticsearch libraries have been designed to properly implement connection pooling and keep-alives.   

Official Elasticsearch clients are available for java, javascript, Perl, PHP, python, ruby and .NET. Many other programming languages are supported by community versions.

Keep your Elasticsearch version and client versions in sync.

To avoid surprises, always keep your client versions in line with the Elasticsearch version you are using. Always test clients with Elasticsearch since even minor version upgrades can cause issues due to dependencies or a need for code changes. 

Load balance across appropriate nodes.

Make sure that the client properly load balances across all of the appropriate nodes in the cluster.  In small clusters this will normally mean only across data nodes (never master nodes), or in larger clusters, all dedicated coordinating nodes (if implemented) .

Ensure that the Elasticsearch application properly handles exceptions.

In the case of Elasticsearch being unable to cope with the volume of requests, designing a client application to handle this gracefully (such as through some sort of queueing mechanism) will be better than simply inundating a struggling cluster with repeated requests.

 
 

 
 

Log Context

Log “http client did not trust this server’s certificate; closing connection {}” classname is Netty4HttpServerTransport.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :

            CloseableChannel.closeChannel(channel);
        } else if (SSLExceptionHelper.isInsufficientBufferRemainingException(cause)) {
            logger.debug("connection {} closed abruptly"; channel);
            CloseableChannel.closeChannel(channel);
        } else if (SSLExceptionHelper.isReceivedCertificateUnknownException(cause)) {
            logger.warn("http client did not trust this server's certificate; closing connection {}"; channel);
            CloseableChannel.closeChannel(channel);
        } else if (cause instanceof ReadTimeoutException) {
            super.onException(channel; new HttpReadTimeoutException(readTimeoutMillis; cause));
        } else {
            super.onException(channel; cause);

 

 [ratemypost]

Related Articles

Back to all articles
Opster
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.