问题
I'm trying to connect to an elasticsearch instance which is behind a ssh tunnel. Domain of the elasticsearch instance is *.ap-south-1.es.amazonaws.com while locally on the tunnel, I connect via localhost:9201.
Here is the code I'm using to connect to elasticsearch
RestHighLevelClient(RestClient.builder(HttpHost("localhost", 9201, "https")))
I'm getting the following error
javax.net.ssl.SSLPeerUnverifiedException: Host name 'localhost' does not match the certificate subject provided by the peer (CN=*.ap-south-1.es.amazonaws.com)
I got this error when I was working with PHP-Elasticsearch and I fixed it using
$esClient->setSSLVerification(false);
I was hoping to find a similar method for Java RestClient.
回答1:
For this you have to disable a setting which verifies the hostname with the name you provided. This is an error of HTTPClient in apache and you have to virtualize the hostname as verified in setSSLHostnameVerifier method like this.
Although this code is in Kotlin but one can write java alternative easily
val builder = RestClient.builder(host).setHttpClientConfigCallback { httpAsyncClientBuilder ->
httpAsyncClientBuilder.setSSLHostnameVerifier { _, _ -> true }
}
This will always override your setting for verifying hostname as true
回答2:
Since the hostname in your certificate is not localhost you will have this issue, so to solve it you need to disable SSL hostname verification, by doing the following you will return true always and this will skip verification.
RestClientBuilder restClientBuilder = RestClient.builder(HttpHost);
restClientBuilder.setHttpClientConfigCallback(httpAsyncClientBuilder ->
httpAsyncClientBuilder.setSSLHostnameVerifier((s, sslSession) -> true));
new RestHighLevelClient(restClientBuilder);
来源:https://stackoverflow.com/questions/57057074/how-to-disable-ssl-verification-for-elasticsearch-restclient-v6-7-0-in-java