NOTE: You are looking at documentation for an older release. For the latest information, see the current release documentation.
Working with certificates
editWorking with certificates
editIf you’ve enabled SSL on Elasticsearch with Elastic Stack Security features, or through a proxy in front of Elasticsearch, and the Certificate Authority (CA) that generated the certificate is trusted by the machine running the client code, there should be nothing for you to do to talk to the cluster over HTTPS with the client.
If you are using your own CA which is not trusted however, .NET won’t allow you to make HTTPS calls to that endpoint by default.
With .NET Framework, you can pre-empt this though a custom validation callback on the global static
ServicePointManager.ServerCertificateValidationCallback
. Most examples you will find doing this this will simply return true
from the
validation callback and merrily whistle off into the sunset. This is not advisable as it allows any HTTPS traffic through in the
current AppDomain
without any validation. Here’s a concrete example:
Imagine you deploy a web application that talks to Elasticsearch over HTTPS using NEST, and also uses some third party SOAP/WSDL endpoint. By setting the following
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, errors) => true
validation will not be performed for HTTPS connections to both Elasticsearch and that external web service.
Validation configuration
editIt’s possible to also set a callback per service endpoint with .NET, and both Elasticsearch.NET and NEST expose this through
connection settings (ConnectionConfiguration
with Elasticsearch.Net and ConnectionSettings
with NEST). You can do
your own validation in that handler or use one of the baked in handlers that we ship with out of the box, on the static class
CertificateValidations
.
The two most basic ones are AllowAll
and DenyAll
, which accept or deny all SSL traffic to our nodes, respectively. Here’s
a couple of examples.
Denying all certificate validation
editHere we set up ConnectionSettings
with a validation callback that denies all certificate validation
public class DenyAllCertificatesCluster : SslAndKpiXPackCluster { protected override ConnectionSettings ConnectionSettings(ConnectionSettings s) => s .ServerCertificateValidationCallback((o, certificate, chain, errors) => false) .ServerCertificateValidationCallback(CertificateValidations.DenyAll); }
If you go for a vendor generated SSL certificate, it’s common practice for the certificate to include the CA and any intermediary CAs
in the certificate chain. When using such a certificate, use CertificateValidations.AuthorityPartOfChain
which validates that
the local CA certificate is part of the chain that was used to generate the servers key.