Elasticsearch hosts + ssl issue on Hibernate Search 6

JantiHakooz · July 29, 2020, 11:26am

Hello,

I am using Hibernate Search 6 beta 8 with my Spring Boot application. I’ve included both dependencies of Hibernate ORM mapper and hibernate-search-elasticsearch into pom.xml

org.hibernate.search hibernate-search-mapper-orm 6.0.0.Beta8 org.hibernate.search hibernate-search-backend-elasticsearch 6.0.0.Beta8

My issue is when using https protocol and I set the hosts property of the elasticsearch backend to something like “test.elk.local:9200”

I generated the certificate/key using Elastic’s certutil tool for common name ".elk.local", and added a bunch of SAN entries to it:
DNS Name=elk
DNS Name=.elk.local
DNS Name=elk.local
DNS Name=test.elk.local
DNS Name=test2.elk.local
IP Address=127.0.0.1

and then imported the certificate in the java keystore. It works if I use localhost/elk, but starts complaining if I use any of the names with a dot:

Host name ‘test.elk.local’ does not match the certificate subject provided by the peer (CN=*.elk.local, OU=IT, DC=elk, DC=local)

I figured it is something with the Apache Http library being used when hibernate search builds the elastic client. Specifically, the DefaultHostnameVerifier class where it tries to match the domain with a public list of domain from ICANN:

if (publicSuffixMatcher != null && host.contains(".")) {
if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity, domainType))) {
return false;
}
}

I am trying to override this behavior by defining a bean in Spring. Is there a better/easier way to do this? Am I missing something in the documentation?

yrodiere · July 29, 2020, 12:48pm

Hello,

This behavior is way lower-level than what Hibernate Search handles. It’s implemented in the Apache HTTP client, used by the Elasticsearch REST client, which Hibernate Search uses. So I’m afraid you’re not going to find experts here.

However, that also means other people that don’t even use Hibernate Search, but only use the Apache HTTP client, have also encountered your problem. I’d suggest you look in that direction?

As to Hibernate Search, if you need to configure the underlying Apache HTTP client in details, you can refer to this post. Be aware that it’s an SPI, with fewer compatibility guarantees than API and it may change incompatibly in future releases.

JantiHakooz · July 29, 2020, 1:06pm

Yes, I thought so. I guess I was hoping for an easier way to customize the hostnameVerifier used by the client, as that is supported by the Elasticsearch client.

Thanks for the example! I’ll give it a go.

Topic		Replies	Views
Hiberate Elasticsearch use SSL Hibernate Search	1	469	September 20, 2021
Connect Hibernate Search 6.1.5.Final + Elasticsearch 8.2.X using Token based authentication Hibernate Search	1	475	June 16, 2022
Configuring ElasticSearch host url with context path Hibernate Search	11	3112	March 20, 2018
Mass indexer with elasticseaarch backend and multitenancy configuration Hibernate Search	4	991	March 9, 2020
Hibernate search migration - elastic search backend error on startup Hibernate Search	11	1009	August 5, 2021

Elasticsearch hosts + ssl issue on Hibernate Search 6

Related topics