elasticsearch-js

Server certificate CA fingerprint does not match the value configured in caFingerprint

Open tao opened this issue 3 years ago • 5 comments

I tried to discuss this on the forum but haven't found any help yet.

I was trying to use the CA Fingerprint in my Client to connect to the servers but would randomly get error messages after some time:

{
    "error": "ConnectionError",
    "message": "Server certificate CA fingerprint does not match the value configured in caFingerprint",
}

It works and then it doesn't work, but I can't find anything that changes that might cause the issue or reproduce it easily because it's very random. I was able to overcome this by including the CA file instead of the CA Fingerprint and it seems to be working without issue now... but the CA Fingerprint would be much easier to add to an env variable.

Do you have any advice or any ideas on what might be causing this issue? It seems like restarting my proxy server did resolve the issue last time so I believe it might be related to the Javascript client now?

tao, May 24 '22 10:05

Hello! Which version of the Client and Elasticsearch are you using? The client's code to get the certificate fingerprint is quite straightforward, so I doubt the issue might be in the Client itself. It would be very useful to be able to reproduce the issue in a controlled environment.

> It seems like restarting my proxy server did resolve the issue last time so I believe it might be related to the Javascript client now?

Does this mean that there is a proxy between the client and Elasticsearch?

delvedor, May 24 '22 13:05
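The check discussed in this thread, as an added example that is not part of the thread and is not the client's own code: it walks the certificate object that Node.js returns from `getPeerCertificate(true)` and reports a chain that cannot be walked to a self-issued certificate separately from a true fingerprint mismatch. The function names, status strings and sample fingerprints are constructed for illustration.

```javascript
// Added diagnostic example; not code from elasticsearch-js or its transport.
// Input shape: what tls.TLSSocket#getPeerCertificate(true) returns in Node.js.

// Reduce "AA:BB:..." or "aabb..." to bare upper-case hex so formats compare equal.
function normalizeFingerprint(fp) {
  return String(fp).replace(/[^0-9a-fA-F]/g, "").toUpperCase();
}

// Collect SHA-256 fingerprints from the leaf towards the top of the chain.
// complete=true only if the walk ends at a self-issued certificate, which
// Node represents as issuerCertificate pointing back at the same certificate.
function walkChain(peerCert, maxDepth = 10) {
  const fingerprints = [];
  let cert = peerCert;
  for (let i = 0; i < maxDepth && cert && cert.fingerprint256; i++) {
    fingerprints.push(normalizeFingerprint(cert.fingerprint256));
    const issuer = cert.issuerCertificate;
    if (issuer && issuer.fingerprint256 === cert.fingerprint256) {
      return { complete: true, fingerprints };
    }
    cert = issuer;
  }
  return { complete: false, fingerprints };
}

// Classify the outcome so a truncated chain is not reported as a CA mismatch.
function diagnoseCaFingerprint(peerCert, configured) {
  const want = normalizeFingerprint(configured);
  const { complete, fingerprints } = walkChain(peerCert);
  const matchedAt = fingerprints.indexOf(want); // 0 = leaf, last = chain top
  const top = fingerprints.length - 1;
  let status;
  if (complete && matchedAt === top) status = "match";
  else if (matchedAt !== -1) status = "matched-not-root"; // a leaf or intermediate was pinned
  else if (!complete) status = "incomplete-chain";        // no issuer data to compare against
  else status = "mismatch";
  return { status, matchedAt, depth: fingerprints.length };
}

// Constructed sample chains (fingerprints are made-up values, not real certificates).
const fp = (byte) => Array(32).fill(byte).join(":");
const root = { fingerprint256: fp("C3") };
root.issuerCertificate = root; // self-issued root
const leaf = { fingerprint256: fp("A1"), issuerCertificate: root };
const leafOnly = { fingerprint256: fp("A1") }; // issuer information absent

console.log(diagnoseCaFingerprint(leaf, fp("C3")));     // full chain, CA pinned
console.log(diagnoseCaFingerprint(leafOnly, fp("C3"))); // chain cannot be walked
console.log(diagnoseCaFingerprint(leaf, fp("A1")));     // leaf pinned instead of CA
```

Logging the `status` and `depth` each time the error occurs shows whether the failing connections present a different CA or simply a chain with no issuer data.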

Yip, there's a proxy but as I mentioned in the Forum it's using the example proxy you've provided.

I am using Elasticsearch 8.2 and Elasticsearch-js@^8.0.0 and 8.1.0 was the latest version installed. However, we have been testing it for a couple weeks so it's probably been tested with Elasticsearch v8 also.

It's very difficult to replicate so I'm not sure if we can create a controlled environment. It would happen randomly every couple of days, but I found it's more likely to happen if I opened the search page and left it for a while then tried to reconnect.

However, using the CA file now the error seems to have disappeared so that could be another clue that it's related to the Javascript Client?

tao, May 24 '22 14:05

I faced the same issue. For me it reproduces every several hours.

Maybe it can help: It reproduces both on the local Docker-based setup and on the remote server one. The remote setup has been deployed from an archive and exposed by a reverse proxy. Both Elasticsearch servers are version 8.2.

On the client side, versions @elastic/[email protected] and @elastic/[email protected] were tried. The issue reproduces with both versions.

n-nik, May 27 '22 14:05

I have the same issue. Once in a while the mentioned error happens: Server certificate CA fingerprint does not match the value configured in caFingerprint

This is client init:

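const { Client } = require("@elastic/elasticsearch");

const client = new Client({
  node: "https://...:9200",
  auth: {
    apiKey: "...",
  },
  // SHA-256 fingerprint of the CA certificate the client should accept
  caFingerprint: "...",
  tls: {
    // Node's built-in certificate chain validation is turned off here
    rejectUnauthorized: false,
  },
});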

  • client version is @elastic/[email protected].
  • single node cluster
  • connecting using IP directly to the server - no reverse proxy

petrsiegl, Jul 26 '22 07:07

I am also facing the same issue.

kudryashov13, Oct 12 '22 06:10