- .NET Clients: other versions:
- Introduction
- Installation
- Breaking changes
- API Conventions
- Elasticsearch.Net - Low level client
- NEST - High level client
- Troubleshooting
- Search
- Query DSL
- Full text queries
- Term level queries
- Exists Query Usage
- Fuzzy Date Query Usage
- Fuzzy Numeric Query Usage
- Fuzzy Query Usage
- Ids Query Usage
- Prefix Query Usage
- Date Range Query Usage
- Long Range Query Usage
- Numeric Range Query Usage
- Term Range Query Usage
- Regexp Query Usage
- Term Query Usage
- Terms Set Query Usage
- Terms List Query Usage
- Terms Lookup Query Usage
- Terms Query Usage
- Wildcard Query Usage
- Compound queries
- Joining queries
- Geo queries
- Specialized queries
- Span queries
- NEST specific queries
- Aggregations
- Metric Aggregations
- Average Aggregation Usage
- Boxplot Aggregation Usage
- Cardinality Aggregation Usage
- Extended Stats Aggregation Usage
- Geo Bounds Aggregation Usage
- Geo Centroid Aggregation Usage
- Geo Line Aggregation Usage
- Max Aggregation Usage
- Median Absolute Deviation Aggregation Usage
- Min Aggregation Usage
- Percentile Ranks Aggregation Usage
- Percentiles Aggregation Usage
- Rate Aggregation Usage
- Scripted Metric Aggregation Usage
- Stats Aggregation Usage
- String Stats Aggregation Usage
- Sum Aggregation Usage
- T Test Aggregation Usage
- Top Hits Aggregation Usage
- Top Metrics Aggregation Usage
- Value Count Aggregation Usage
- Weighted Average Aggregation Usage
- Bucket Aggregations
- Adjacency Matrix Usage
- Auto Date Histogram Aggregation Usage
- Children Aggregation Usage
- Composite Aggregation Usage
- Date Histogram Aggregation Usage
- Date Range Aggregation Usage
- Diversified Sampler Aggregation Usage
- Filter Aggregation Usage
- Filters Aggregation Usage
- Geo Distance Aggregation Usage
- Geo Hash Grid Aggregation Usage
- Geo Tile Grid Aggregation Usage
- Global Aggregation Usage
- Histogram Aggregation Usage
- Ip Range Aggregation Usage
- Missing Aggregation Usage
- Multi Terms Aggregation Usage
- Nested Aggregation Usage
- Parent Aggregation Usage
- Range Aggregation Usage
- Rare Terms Aggregation Usage
- Reverse Nested Aggregation Usage
- Sampler Aggregation Usage
- Significant Terms Aggregation Usage
- Significant Text Aggregation Usage
- Terms Aggregation Usage
- Variable Width Histogram Usage
- Pipeline Aggregations
- Average Bucket Aggregation Usage
- Bucket Script Aggregation Usage
- Bucket Selector Aggregation Usage
- Bucket Sort Aggregation Usage
- Cumulative Cardinality Aggregation Usage
- Cumulative Sum Aggregation Usage
- Derivative Aggregation Usage
- Extended Stats Bucket Aggregation Usage
- Max Bucket Aggregation Usage
- Min Bucket Aggregation Usage
- Moving Average Ewma Aggregation Usage
- Moving Average Holt Linear Aggregation Usage
- Moving Average Holt Winters Aggregation Usage
- Moving Average Linear Aggregation Usage
- Moving Average Simple Aggregation Usage
- Moving Function Aggregation Usage
- Moving Percentiles Aggregation Usage
- Normalize Aggregation Usage
- Percentiles Bucket Aggregation Usage
- Serial Differencing Aggregation Usage
- Stats Bucket Aggregation Usage
- Sum Bucket Aggregation Usage
- Matrix Aggregations
- Metric Aggregations
Working with certificates
editWorking with certificates
editIf you’ve enabled SSL on Elasticsearch with Elastic Stack Security features, or through a proxy in front of Elasticsearch, and the Certificate Authority (CA) that generated the certificate is trusted by the machine running the client code, there should be nothing for you to do to talk to the cluster over HTTPS with the client.
If you are using your own CA which is not trusted however, .NET won’t allow you to make HTTPS calls to that endpoint by default.
With .NET Framework, you can pre-empt this though a custom validation callback on the global static
ServicePointManager.ServerCertificateValidationCallback. Most examples you will find doing this this will simply return true from the
validation callback and merrily whistle off into the sunset. This is not advisable as it allows any HTTPS traffic through in the
current AppDomain without any validation. Here’s a concrete example:
Imagine you deploy a web application that talks to Elasticsearch over HTTPS using NEST, and also uses some third party SOAP/WSDL endpoint. By setting the following
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, errors) => true
validation will not be performed for HTTPS connections to both Elasticsearch and that external web service.
Validation configuration
editIt’s possible to also set a callback per service endpoint with .NET, and both Elasticsearch.NET and NEST expose this through
connection settings (ConnectionConfiguration with Elasticsearch.Net and ConnectionSettings with NEST). You can do
your own validation in that handler or use one of the baked in handlers that we ship with out of the box, on the static class
CertificateValidations.
The two most basic ones are AllowAll and DenyAll, which accept or deny all SSL traffic to our nodes, respectively. Here’s
a couple of examples.
Denying all certificate validation
editHere we set up ConnectionSettings with a validation callback that denies all certificate validation
[IntegrationOnly] public class DenyAllCertificatesCluster : SslAndKpiXPackCluster { protected override ConnectionSettings ConnectionSettings(ConnectionSettings s) => s .ServerCertificateValidationCallback((o, certificate, chain, errors) => false) .ServerCertificateValidationCallback(CertificateValidations.DenyAll); }
Allowing all certificate validation
editHere we set up ConnectionSettings with a validation callback that allows all certificate validation
public class AllowAllCertificatesCluster : SslAndKpiXPackCluster { protected override ConnectionSettings ConnectionSettings(ConnectionSettings s) => s .ServerCertificateValidationCallback((o, certificate, chain, errors) => true) .ServerCertificateValidationCallback(CertificateValidations.AllowAll); }
Allowing certificates from a Certificate Authority
editIf your client application has access to the public CA certificate locally, Elasticsearch.NET and NEST ship with some handy helpers that can assert that a certificate the server presents is one that came from the local CA.
If you use elasticsearch-certutil tool to generate SSL certificates, the generated node certificate
does not include the CA in the certificate chain, in order to cut down on SSL handshake size. In those case you can use
CertificateValidations.AuthorityIsRoot and pass it your local copy of the CA public key to assert that
the certificate the server presented was generated using it
[IntegrationOnly] public class CertgenCaCluster : SslAndKpiXPackCluster { public CertgenCaCluster() : base() { } public CertgenCaCluster(SslAndKpiClusterConfiguration configuration) : base(configuration) { } protected override ConnectionSettings ConnectionSettings(ConnectionSettings s) => s .ServerCertificateValidationCallback( CertificateValidations.AuthorityIsRoot(new X509Certificate(this.ClusterConfiguration.FileSystem.CaCertificate)) ); }
If your local copy does not match the server’s CA, the client will fail to connect
[IntegrationOnly] public class BadCertgenCaCluster : SslAndKpiXPackCluster { protected override ConnectionSettings ConnectionSettings(ConnectionSettings s) => s .ServerCertificateValidationCallback( CertificateValidations.AuthorityPartOfChain(new X509Certificate(this.ClusterConfiguration.FileSystem.UnusedCaCertificate)) ); }
If you go for a vendor generated SSL certificate, it’s common practice for the certificate to include the CA and any intermediary CAs
in the certificate chain. When using such a certificate, use CertificateValidations.AuthorityPartOfChain which validates that
the local CA certificate is part of the chain that was used to generate the servers key.
Applying a CA Fingerprint
editDuring development against a newly created v8 cluster, you may also configure the client to authenticate using the CA fingerprint logged by the
server at initial startup. The fingerprint can be set by calling the CertificateFingerprint method on a ConnectionSettings instance.
See Connecting to Elasticsearch v8.x using the v7.x client for further details.
On this page