Addition of Production/TLS Elasticsearch connection configuration to README
Wanted to add some clarity here!
@mahaffey, thank you for the work you've done on this. I am confused by the SSL certificate file write-up piece:
/commented note/ if you are using a self-signed or unrecognized certificate authority: 'ca_certs': <../../certificate-authority.crt>,
as <../../certificate-authority.crt> throws an invalid syntax error when I put it into settings.py. Also, I'm assuming <../../certificate-authority.crt> is the cert file path?
@drfrink
<../../certificate-authority.crt> represents the relative file paths to your certificate chain.
If you are using something like "LetsEncrypt" to generate a self-signed cert, you should follow the docs on where to find the ca certs for your self-signed cert provider. If you are using an SSL provider like GoDaddy or Comodo, you should be able to find the CA Certs from their documentation as well. You can then download them and use those as the path to ca_certs.
That said, the CA certs from a known provider should already be known to urllib3 (https://github.com/urllib3/urllib3/blob/25add2a0bac43823a4a5ef9217578a2cf5bcfc69/src/urllib3/util/ssl_.py#L344); however, you can still override them if need be.
Run this command in your terminal to find your default CA certs location (the one that urllib3 should be using): curl-config --ca
Do not leave the value of 'ca_certs' as <../../certificate-authority.crt>. That is an invalid path which will lead to errors.
From the lower-level Elasticsearch Python wrapper here: https://elasticsearch-py.readthedocs.io/en/master/connection.html
ca_certs – optional path to CA bundle. See https://urllib3.readthedocs.io/en/latest/security.html#using-certifi-with-urllib3 for instructions on how to get the default set.
Then from the urllib3 docs (urllib3 is a dependency of elasticsearch-py):
Custom SSL certificates
Instead of using certifi you can provide your own certificate authority bundle. This is useful for cases where you’ve generated your own certificates or when you’re using a private certificate authority. Just provide the full path to the certificate bundle when creating a PoolManager:
>>> import urllib3
>>> http = urllib3.PoolManager(
...     cert_reqs='CERT_REQUIRED',
...     ca_certs='/path/to/your/certificate_bundle')
When you specify your own certificate bundle only requests that can be verified with that bundle will succeed. It’s recommended to use a separate PoolManager to make requests to URLs that do not need the custom certificate.
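To make the point of the thread concrete, here is an added example (not code from this project or from either commenter) that builds the TLS keyword arguments for an elasticsearch-py client, refuses an unexpanded README placeholder such as <../../certificate-authority.crt>, checks that the supplied CA bundle actually exists, and otherwise resolves the default bundle the same way the `curl-config --ca` advice above does, but from Python (`ssl.get_default_verify_paths()`, falling back to certifi if it is installed). The keyword names `use_ssl`, `verify_certs` and `ca_certs` are assumed to match the `Urllib3HttpConnection` parameters in the elasticsearch-py connection docs linked above (the 7.x-era API); the host name and the PEM contents written by `write_constructed_bundle` are constructed sample values.

```python
import os
import ssl
import tempfile

# Constructed, non-functional stand-in for a CA bundle file (sample data, not a real cert).
CONSTRUCTED_BUNDLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedSampleNotARealCertificate==\n"
    "-----END CERTIFICATE-----\n"
)


def default_ca_bundle():
    """Return the CA bundle path Python's ssl module resolves by default,
    falling back to certifi's bundle (what urllib3 uses) when certifi is installed.
    Returns None if neither can be located."""
    paths = ssl.get_default_verify_paths()
    for candidate in (paths.cafile, paths.openssl_cafile):
        if candidate and os.path.isfile(candidate):
            return candidate
    try:
        import certifi  # optional dependency; ships with urllib3 in many installs
        return certifi.where()
    except ImportError:
        return None


def is_placeholder(value):
    """True for README-style placeholders like <../../certificate-authority.crt>."""
    return value.startswith("<") and value.endswith(">")


def build_es_tls_kwargs(host, ca_certs=None):
    """Build keyword arguments for elasticsearch.Elasticsearch(...) with certificate
    verification on. Raises early on a placeholder or a missing bundle so the
    misconfiguration is caught at startup rather than as a connection error."""
    if ca_certs is not None:
        if is_placeholder(ca_certs):
            raise ValueError(
                f"ca_certs still contains the README placeholder {ca_certs!r}; "
                "replace it with the real path to your CA bundle"
            )
        ca_certs = os.path.abspath(os.path.expanduser(ca_certs))
        if not os.path.isfile(ca_certs):
            raise FileNotFoundError(f"CA bundle not found: {ca_certs}")
    else:
        ca_certs = default_ca_bundle()

    kwargs = {
        "hosts": [host],        # assumed Elasticsearch(...) kwarg
        "use_ssl": True,        # assumed Urllib3HttpConnection kwarg
        "verify_certs": True,   # never disable this to "fix" a bad ca_certs path
    }
    if ca_certs:
        kwargs["ca_certs"] = ca_certs
    return kwargs


def write_constructed_bundle():
    """Write the constructed sample PEM to a temp file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write(CONSTRUCTED_BUNDLE_PEM)
        return fh.name


if __name__ == "__main__":
    bundle = write_constructed_bundle()
    print(build_es_tls_kwargs("https://es.example.internal:9200", bundle))
    try:
        build_es_tls_kwargs("https://es.example.internal:9200",
                            "<../../certificate-authority.crt>")
    except ValueError as exc:
        print("rejected:", exc)
    os.unlink(bundle)
```

The dictionary returned by `build_es_tls_kwargs` is what you would unpack into `Elasticsearch(**kwargs)` from settings.py. Leaving `ca_certs` out entirely (the `None` branch) is the right choice when the server certificate chains to a CA that is already in the default bundle, which is the case the reply above describes for public providers.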