I successfully setup HTTPS for Elasticsearch server. Now I can use curl like curl -u elastic:111111 --cacerts "Path/to/my/cert" https://localhost:9200. How can I setup to use curl without user authentication and cert?
Sorry for my bad English :(
Related
I am trying to install and setup Elasticsearch on a remote Machine running CenOS7 via this guide. Following the install and start instructions for RPM I entered the cURL command given on the guide to check its up and running: curl --cacert $ES_PATH_CONF/certs/http_ca.crt -u elastic https://localhost:9200
I was met with the following message:
curl: (77) Problem with the SSL CA cert (path? access rights?)
I tried to go to the domain with the following command:
curl https://localhost:9200/
And was met with this:
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
So I tried the previous command once adding a '-k' but was met with this error:
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}
I was able to complete the guide on my MacBook but have almost no experience working with remote machines or in CentOS 7. How do I successfully cURL the cluster information?
I am using Elastic 7.9.2 version and wanted to use security.
so I ran :
bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
and then added
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p1
in config/elasticsearch.yaml
Now when I am running the ES by
bin/elasticsearch
getting below error :
"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials
for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-
8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST
request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-
8\""}},"status":401}root#ip-localhost:/var/log/elasticsearch
Can anyone please help!
Just pass authentication credential with url like below
curl -X GET "http://localhost:9200" -u elastic:pass123
I had security already enabled and user authentication working. Kibana loaded fine.
I have a 3 node cluster and stopped elasticsearch service on each node so I could add transport ssl.
After enabling xpack.security.transport.ssl.enabled and keystore and truststore settings, I got the same ""missing authentication credentials for REST request" error in Kibana. Turns out the error was because I only had one node running and needed a minimum of two. After enabling transport ssl on another node and starting it, kibana worked again.
If you enable security for your cluster you & still got some error with AUTH yours clients, documentation wrote, what you need enable ssl for client optional OR required. Please, read the original topic: https://discuss.elastic.co/t/missing-authentication-for-rest-request/154807/13
You need to pass the credentials with your request with -u username:password
To add the credentials to curl, you need to know them. The root user is elastic, the passwords can be reset using
bin/elasticsearch-setup-passwords auto
Then, you can use
curl -X GET "http://localhost:9200" -u elastic:password_from_console
as written above (go upvote).
GET https://localhost:9200
Authorization: Basic elastic:{your user password}
Trying to query Watson discovery news with the following curl command and get error 403 forbidden.
curl -u "apikey":"{apikey}" "https://gateway.watsonplatform.net/discovery/api/v1/environments/system/collections/news-en/query?version=2019-04-30&query=relations.action.lemmatized:acquire&count=3&filter=entities.text:IBM&return=text"
I found documents on the IBM site to create and query your own environments but not help with how to access the news.
It turned out my url was incorrect. I got this to work.
curl -u "apikey":"{apikey}" "https://api.eu-gb.discovery.watson.cloud.ibm.com/instances/96a866f9-11bb-4b55-af26-a0f826807fec/v1/environments/system/collections/news-en/query?version=2019-04-30&query=enriched_title.semantic_roles:(action.normalized:acquire,object.entities:(type::Company))&count=3"
Your curl looks correct, which may indicate that your apikey is incorrect. Try running the curl command to list environments:
curl -u "apikey":"{apikey}" "https://gateway.watsonplatform.net/discovery/api/v1/environments?version=2019-04-30"
that should verify that you have the correct apikey.
I have 2 Linux Servers (with LAMP):
Web Server with SSL (https://www.example.com)
Admin Server (needs to connect to Web Server, via https)
When i connect from Admin Server (to Web Server) via curl command. It is refusing. Then when i use curl with --caeert option, its going through. Like this:
# curl --cacert CAchain.crt -I https://www.example.com
HTTP/1.1 200 OK
..
I'm getting 200 OK only because of --cacert CAchain.crt.
Then obviously i need the pure/basic curl command without defining the --cacert, to be working. Like:
# curl -I https://www.example.com
HTTP/1.1 200 OK
..
So that my Admin Application will for sure be able to connect to it (via https).
But now, when i connect to https://www.example.com from Admin Server (via its Application), it is bouncing back. Not able to reach, with SSL.
How do i make my Linux (RHEL) to install the client's CA-CERT inside, in order automatically AVOID defining the cert file. So that any communications to "https://www.example.com" via CURL or Web Browser (from Admin), can just then successfully go through. (Is it something like, we make "SSH without Keys" logic? But how, please?)
You need to add the CA cert to somewhere that curl can use it - it looks like you're just keeping it in your local directory (which isn't where curl looks for it - typically in some /etc/pki/ssl/ca-bundle.crt-type location). There's a handful of ways to do this. I don't have much experience doing it in RHEL (or CentOS), but have done it for Debian.
This ServerFault Post might help.
Likewise, This Post might help you install/import the CA cert properly.
I have an access to a preconfigured Windows XP 32-bit workstation.
It's under firewall and to get outside it uses http proxy server.
To get proxy settings I need host, port, username and password.
http: // username : password # server : port
I'm able to find the proxy url and port (from PAC - automatic config file),
but I don't know how to get username/password. Is there a way to read it somehow? At least username? I might get the admin rights.
Do you know any tool that can help?
I only found these MS docs about some methods to get proxy config connection, but I don't know how to determinate what's the provided credentials:
WinHttpGetIEProxyConfigForCurrentUser function
WINHTTP_CURRENT_USER_IE_PROXY_CONFIG structure
WinHttpGetProxyForUrl function
I've also found this lib, but it's rather for parsing PAC:
http://code.google.com/p/pacparser/
In windows you cannot get password.
To get connect throw a proxy you have to use SSPI, check libcurl, you can get a connected socket throw proxy, build it with enable-sspi and openssl.
Iterating on Fernando Sanchez's answer and Robert's comment, you need to authenticate via SSPI. In my case I've connected using NTLM using this link
With curl using ntlm :
curl.exe --proxy <proxy_name>:<proxy_port> --proxy-ntlm -U : https://www.google.com
Also to partially answer your question the -U : means from curl man page :
If you use a Windows SSPI-enabled curl binary and do either Negotiate
or NTLM authentication then you can tell curl to select the user name
and password from your environment by specifying a single colon with
this option: "-U :".
You can get the proxy name and port from the windows registry (regedit). Quote from Robert's comment:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings]
It can be present either in a manual way using REG_SZ ProxyServer or using an autoconfiguration script using REG_SZ AutoConfigURL = https://<configuration_url>
If the curl command above fails with Failure when receiving data from the peer maybe you have a curl release without NTLM, SSPI or OpenSSL. Try with the latest curl release