
Elasticsearch with https

Open janis91 opened this issue 6 years ago • 6 comments

It would be nice if I could use a self-signed certificate with readonlyrest and connect to Elasticsearch over https. But after a test this doesn't succeed. I guess something like an option to ignore self-signed certificates has to be activated. But I am not sure. Do you have any tips?

janis91 avatar Jul 16 '19 06:07 janis91

I guess the Elastic Client could be created with some options, such that it verifies with a given pem string or similar.

janis91 avatar Jul 16 '19 11:07 janis91

In order to get SSL encryption in front of Elasticsearch, I'm using a (dockerized) reverse proxy to handle SSL in front of a (dockerized) nextcloud instance + (dockerized) Elasticsearch cluster.

It works as expected, granted one provides an explicit :443 port in Nextcloud settings: https://elasticsearch.yourdomain.tld:443.

Food for thought :pray:

chikamichi avatar May 19 '20 01:05 chikamichi

Is there any news on that issue? Since Elasticstack 8.0 now installs automatically with HTTPS enabled, it's getting more of an issue now. If I try to run sudo -u www-data php ./occ fulltextsearch:index against my ES instance running on an automatically generated self-signed certificate, I get the following error:

In StaticNoPingConnectionPool.php line 64:

  No alive nodes found in your cluster

Especially because the message is totally misleading. The stack is up and running fine.

linuzer avatar Feb 14 '22 21:02 linuzer

I have just tried to enable full text search on nextcloud with the most recent elasticsearch version 8.0.0 and have the same problem. Just adding some information.

I am running docker images with an elasticsearch container I added to the standard docker-compose.yml, like this:

elasticsearch:
    container_name: elasticsearch
    image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTICSEARCH_VERSION}
    restart: always
    environment:
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
    ports:
      - 127.0.0.1:9200:9200
    volumes:
      - eshtml:/var/www/html
      - esdata:/usr/share/elasticsearch/data

I do not want elasticsearch to be accessible from the outside.

Elasticsearch creates self-signed certificates in this setup, so I use this call: curl -u elastic:*** --insecure -X GET "https://localhost:9200/_cat/nodes?v" which works:

ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
172.21.0.4            3          98   2    0.33    0.47     0.92 cdfhilmrstw *      fe156b5c4fd1

While using http: curl -u elastic:*** --insecure -X GET "http://localhost:9200/_cat/nodes?v" returns:

curl: (52) Empty reply from server

Using both the http and the https-URL in the full text search configuration of nextcloud and running: docker-compose exec -u www-data app php occ fulltextsearch:test always returns:

No alive nodes found in your cluster.

meinrecht avatar Feb 17 '22 18:02 meinrecht

I have just tried to enable full text search on nextcloud with the most recent elasticsearch version 8.0.0 and have the same problem. Just adding some information.

I am running docker images with an elasticsearch container I added to the standard docker-compose.yml, like this:

elasticsearch:
    container_name: elasticsearch
    image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTICSEARCH_VERSION}
    restart: always
    environment:
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
    ports:
      - 127.0.0.1:9200:9200
    volumes:
      - eshtml:/var/www/html
      - esdata:/usr/share/elasticsearch/data

I want elasticsearch only to be accessible from the other containers of the service. Therefore I also had to change the address of the servlet in the nextcloud fulltext search configuration from localhost to: http://elastic:***@elasticsearch:9200

Elasticsearch creates self-signed certificates in this setup, so I use this call: curl -u elastic:*** --insecure -X GET "https://localhost:9200/_cat/nodes?v" which works:

ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
172.21.0.4            3          98   2    0.33    0.47     0.92 cdfhilmrstw *      fe156b5c4fd1

While using http: curl -u elastic:*** --insecure -X GET "http://localhost:9200/_cat/nodes?v" returns:

curl: (52) Empty reply from server

Using both the http and the https-URL in the full text search configuration of nextcloud and running: docker-compose exec -u www-data app php occ fulltextsearch:test always returns:

No alive nodes found in your cluster.

I therefore disabled tls in the elasticsearch configuration - a solution that has been used by others would be to access the encrypted communication via a proxy and disable the verification of the certificate.

It would be helpful if nextcloud allowed the use of self-signed certificates for connections to localhost.

meinrecht avatar Feb 18 '22 10:02 meinrecht
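
Added example, not part of any comment in this thread: instead of `--insecure` or turning TLS off, a client can trust the one self-signed certificate explicitly and still check the host name, which matters here because the thread uses both `localhost` and `elasticsearch` as host names. The sketch uses the `openssl` CLI with throwaway certificates constructed on the spot; `make_cert`, `trusted_for`, `report` and `demo` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. All certificates are throwaway test data generated locally.

# make_cert DIR NAME HOST: self-signed cert DIR/NAME.pem valid for HOST only.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# trusted_for CA_PEM CERT_PEM HOST: succeeds only if CERT_PEM chains to
# CA_PEM and is valid for HOST (what a verifying TLS client checks).
trusted_for() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

report() {  # report LABEL CA_PEM CERT_PEM HOST
    if trusted_for "$2" "$3" "$4"; then
        echo "$1: accepted"
    else
        echo "$1: rejected"
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir" es localhost      # stands in for the server certificate
    make_cert "$dir" other localhost   # unrelated cert claiming the same name
    report "pinned cert, https://localhost" "$dir/es.pem" "$dir/es.pem" localhost
    report "unrelated cert as trust anchor" "$dir/other.pem" "$dir/es.pem" localhost
    report "pinned cert, https://elasticsearch" "$dir/es.pem" "$dir/es.pem" elasticsearch
    rm -rf "$dir"
}

demo
```

The pinned PEM file is what curl's `--cacert` option takes in place of `--insecure`; the third case shows that a pinned certificate is still rejected when the URL's host name is not one the certificate lists.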

@janis91 Why not just use Let's Encrypt instead of a self-signed certificate?

devnoname120 avatar May 19 '23 02:05 devnoname120