Route53 for AWS Elastic Search Domain gives certificate error

I have created an AWS Elasticsearch domain in Virginia and got an endpoint URL.


Now I want to configure the Route 53 behaviour around it, so that a caller can use the same URL even if there is some change in Elasticsearch or in case of a disaster recovery.

So,

Virginia Route 53 (1) -- points to --> Virginia Elasticsearch domain URL
Oregon Route 53 (2) -- points to --> Oregon Elasticsearch domain URL
Main Route 53 (3) -- points to --> Route 53 1 or 2

I have already created these and also created and uploaded an SSL certificate with the correct SAN entries. But when I execute,

curl https://mainroute53/health
curl https://virginiaroute53/health
curl https://oregonroute53/health

I am getting this error,

curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

But when I call the Elasticsearch URL directly it works. So I understand this is an issue with the way I am using the certificate. Any help appreciated.

Riggins answered 8/1, 2018 at 19:27 Comment(3)
Currently, AWS doesn't have a straightforward solution for this. This is one of the reasons people prefer a manual EC2 Elasticsearch cluster over AWS ES. – Teel
Is there any way I can still use Route 53 and connect to the Elasticsearch endpoint? I want to call this Route 53 name from some Java backend API. – Riggins
What you might want to do is create a reverse proxy around the ES endpoint. Terminate the SSL certificate at an nginx server, and forward the requests via HTTP in a private subnet. – Admix

Your Elastic Search endpoint will always return the Elastic Search SSL certificate.

So when you create a Route 53 "alias" for it, you may be connecting to it via your custom DNS entry, but Elastic Search will still use the Elastic Search SSL certificate.

Since the DNS endpoint you're using does not match the SSL certificate, you get that error.

You could use the --insecure curl flag to have it not check the SSL certificate, however, there are risks of doing that.

Springtail answered 8/1, 2018 at 21:39 Comment(7)
Is there any way I can still use Route 53 and connect to the Elasticsearch endpoint? I want to call the Route 53 name from some Java backend API. – Riggins
Elasticsearch does not allow you to replace the SSL certificate. So the only way to use Route 53 is to get your code to not validate the SSL certificate (not recommended). – Springtail
Is there any chance to get this resolved by installing the AWS root certificates? I found this: docs.aws.amazon.com/elasticsearch-service/latest/developerguide/… But I'm not sure if it can resolve my problem. – Riggins
No, that won't solve your problem. All that helps do is validate the Elasticsearch cert. Your problem is that validating the cert is working against you. – Springtail
You are trying to work around a security "feature". There is no legitimate solution for what you are trying to achieve. – Springtail
Thanks for the information. All I am trying to achieve is a better disaster recovery system. That is why I wanted to configure Route 53 around the Elasticsearch domain. If one region goes down and Elasticsearch goes down with it, then I can easily spin up another ES domain. There will not be any change required in the backend API and it can still call the same Route 53 URL. – Riggins
Totally understand the reason. AWS just hasn't made it possible. – Springtail
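Springtail's answer above comes down to a hostname check: the TLS client compares the name it asked for against the names in the certificate's SAN list, and the managed endpoint only ever presents its own names. The following Python is an added example, not code from the thread or from AWS. It reproduces that check over a constructed SAN list (the wildcard entries are an assumption about the shape of the endpoint's certificate, not copied from a real one), and it shows the one way a client can keep full validation while still dialling the Route 53 name: connect to the alias, but tell the TLS layer which name the endpoint's certificate is expected to carry. The hostnames and the `tls_connect_via_alias` helper are hypothetical.

```python
"""Hostname verification against a managed endpoint's certificate.

Added example, not from the thread. ES_CERT_SANS and every hostname below
are constructed for illustration.
"""
import socket
import ssl
from typing import Iterable

# Constructed SAN list of the kind a regional managed endpoint might present.
ES_CERT_SANS = [
    "*.us-east-1.es.amazonaws.com",
    "us-east-1.es.amazonaws.com",
]


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one SAN entry with a requested name.

    Case-insensitive; a wildcard is accepted only as the whole left-most
    label, only when at least two fixed labels follow it, and it never
    spans more than one label. Partial wildcards (f*o.example) are rejected.
    """
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False
    return p_labels == h_labels


def hostname_matches(sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry covers the requested hostname."""
    return any(_label_matches(san, hostname) for san in sans)


def explain(sans: Iterable[str], hostname: str) -> str:
    """Render the check the way curl reports it in the question."""
    if hostname_matches(sans, hostname):
        return f"{hostname}: OK"
    return (f"{hostname}: requested domain name does not match "
            f"the server's certificate")


def tls_connect_via_alias(alias_host: str, expected_cert_host: str,
                          port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Dial the Route 53 alias but validate against the endpoint's real name.

    The DNS lookup and TCP connection go to alias_host; server_hostname sets
    both SNI and the name used for hostname verification, so the chain is
    still checked against the system CA store and the expected name. Unlike
    curl --insecure this rejects any other certificate; the price is that the
    client must be told the currently active endpoint name (hypothetical
    helper, performs a real network connection when called).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    raw = socket.create_connection((alias_host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=expected_cert_host)


if __name__ == "__main__":
    for name in ("search-logs-abc123.us-east-1.es.amazonaws.com",
                 "mainroute53.example.com",
                 "search-logs-abc123.us-west-2.es.amazonaws.com"):
        print(explain(ES_CERT_SANS, name))
```

The third name in the demo is the disaster-recovery case from the comments: a replacement domain in Oregon would carry a different regional name, so a client using `tls_connect_via_alias` needs its expected name updated together with the Route 53 record, which is configuration rather than a code change.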

You can probably work around this by setting up a proxy server in front of the Elasticsearch domain, although it's kind of silly since there appears to also be an ELB inside the Elasticsearch domain. Ah well.

The domain Amazon ES creates for you includes the nodes in the Elasticsearch cluster and resources from several AWS services. When Amazon ES creates your domain, it launches instances into a service-controlled VPC. Those instances are fronted by Elastic Load Balancing (ELB), and the endpoint for the load balancer is published through Route 53. Requests to the domain pass through the ELB load balancer, which routes them to the domain’s EC2 instances.

https://aws.amazon.com/blogs/database/set-access-control-for-amazon-elasticsearch-service/

Cowbell answered 16/4, 2019 at 0:59 Comment(0)
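Cowbell's answer and Admix's comment both point at a proxy in front of the domain. As an added example that is not from the thread, here is an nginx server block for that proxy; unlike the comment's plain-HTTP hop it keeps TLS and certificate validation on the upstream leg as well. The Route 53 name, certificate paths and Elasticsearch endpoint are hypothetical placeholders; 169.254.169.253 is the standard AWS VPC DNS resolver address. (These answers predate custom endpoints with ACM certificates in what is now Amazon OpenSearch Service; where that option is not in use, the proxy remains the way to put your own certificate on your own name.)

```nginx
# Added example, not from the thread. Hostnames and paths are placeholders.
server {
    listen 443 ssl;
    server_name mainroute53.example.com;            # the Route 53 name callers use

    # Certificate whose SAN covers mainroute53.example.com (your own CA or a public one).
    ssl_certificate     /etc/nginx/tls/mainroute53.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/mainroute53.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Resolve the upstream at runtime with a short TTL so a DR change of the
    # target name (via a variable, not a fixed upstream block) needs no reload.
    resolver 169.254.169.253 valid=30s;
    set $es_upstream search-logs-abc123.us-east-1.es.amazonaws.com;

    location / {
        proxy_pass https://$es_upstream$request_uri;

        # Present the endpoint's real name as Host and SNI so the managed side
        # sees the request it expects.
        proxy_set_header Host $es_upstream;
        proxy_ssl_server_name on;
        proxy_ssl_name $es_upstream;

        # Keep validating the endpoint's certificate on this leg: this is the
        # check that curl --insecure or plain http gives up.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
    }
}
```

This proxy changes only the name the caller sees; it does not sign requests, so the domain's access policy still has to admit the proxy (for example by its source address or by pass-through basic authentication with fine-grained access control), and the proxy itself should sit in a private subnet with its own allow-list, since it now terminates a certificate for your name.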

One way you can access Elasticsearch using your custom domain name is to use an API Gateway as an HTTP proxy. But then you have to deal with the authentication part, since the Cognito cookies for ES will be pointing to the original domain (*.es.amazonaws.com).

In my experience this is doable and you should be able to use API Gateway (plus Custom Domain Names and Route 53) to achieve what you want (having a custom domain name over ES). It's just that it requires some Cognito knowledge and most likely, some coding (to handle the cookie problem).

Vanesavanessa answered 11/5, 2020 at 17:31 Comment(1)
This can potentially be very expensive. – Leodora

You can use the http endpoint instead of the https one

i.e

curl http://mainroute53/health   (http, not https)

This works around the fact that AWS does not allow you to provide a custom domain certificate in its managed Elasticsearch service.

Turbine answered 9/1, 2019 at 14:52 Comment(0)

We had the same issue, wanted to be redirected to Kibana with a more friendlier DNS name and we used the solution with S3 bucket and the redirection as described here.

The steps:

  • Create a S3 bucket with any name.
  • In the bucket properties, enable “Static Website hosting”.
  • In the Static WebSite hosting properties, select the option to “Redirect Requests”.
  • In the target domain set the Kibana URL that is given from your elasticsearch domain: i.e. https://vpc-es-randomstring.us-east-1.es.amazonaws.com/_plugin/kibana/
  • Set Protocol to https
  • Then follow the steps from Step 5 on the guide above
Unaccustomed answered 28/10, 2020 at 10:05 Comment(1)
Just tested, not working :( The part with just S3 works great, redirecting to the Kibana endpoint, but when I try adding R53 to the mix it ends up with 404 bucket not found for HTTP and a timeout for the HTTPS version of my-logs.my-domain.com – Eurypterid

© 2022 - 2024 — McMap. All rights reserved.