Elasticsearch hosts + ssl issue on Hibernate Search 6


I am using Hibernate Search 6 beta 8 with my Spring Boot application. I’ve included both dependencies of Hibernate ORM mapper and hibernate-search-elasticsearch into pom.xml

org.hibernate.search hibernate-search-mapper-orm 6.0.0.Beta8 org.hibernate.search hibernate-search-backend-elasticsearch 6.0.0.Beta8

My issue is when using https protocol and I set the hosts property of the elasticsearch backend to something like “test.elk.local:9200”

I generated the certificate/key using Elastic’s certutil tool for common name ".elk.local", and added a bunch of SAN entries to it:
DNS Name=elk
DNS Name=
DNS Name=elk.local
DNS Name=test.elk.local
DNS Name=test2.elk.local
IP Address=

and then imported the certificate in the java keystore. It works if I use localhost/elk, but starts complaining if I use any of the names with a dot:

Host name ‘test.elk.local’ does not match the certificate subject provided by the peer (CN=*.elk.local, OU=IT, DC=elk, DC=local)

I figured it is something with the Apache Http library being used when hibernate search builds the elastic client. Specifically, the DefaultHostnameVerifier class where it tries to match the domain with a public list of domain from ICANN:

if (publicSuffixMatcher != null && host.contains(".")) {
if (!matchDomainRoot(host, publicSuffixMatcher.getDomainRoot(identity, domainType))) {
return false;

I am trying to override this behavior by defining a bean in Spring. Is there a better/easier way to do this? Am I missing something in the documentation?


This behavior is way lower-level than what Hibernate Search handles. It’s implemented in the Apache HTTP client, used by the Elasticsearch REST client, which Hibernate Search uses. So I’m afraid you’re not going to find experts here.

However, that also means other people that don’t even use Hibernate Search, but only use the Apache HTTP client, have also encountered your problem. I’d suggest you look in that direction?

As to Hibernate Search, if you need to configure the underlying Apache HTTP client in details, you can refer to this post. Be aware that it’s an SPI, with fewer compatibility guarantees than API and it may change incompatibly in future releases.

Yes, I thought so. I guess I was hoping for an easier way to customize the hostnameVerifier used by the client, as that is supported by the Elasticsearch client.

Thanks for the example! I’ll give it a go.