CA certificates generated using elasticsearch-certutil fail when used in Python3.13 #2716

Closed
redbaron4 opened this issue Nov 29, 2024 · 2 comments


redbaron4 commented Nov 29, 2024

I am not sure if this is a client or elasticsearch bug or caused by some mistake on my part.

We have a test setup for elasticsearch. The setup runs on Elasticsearch-8.6. For security setup, we generate our own CA certificate using the elasticsearch-certutil ca --pem command and then use that CA to generate other elasticsearch certificates.

We use elasticsearch-py client to run various tasks on this cluster. The client is configured with ca_certs=/path/to/our/ca.crt. If we use Python3.12, the client works correctly.

However, when we use Python-3.13 (on the same system), the requests fail with

elastic_transport.TlsError: TLS error caused by: TlsError(TLS error caused by: SSLError([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: CA cert does not include key usage extension (_ssl.c:1020)))

elasticsearch-py version : 8.16.0 (Cluster is 8.6)
OS: Rocky9.5

Requests to cluster made with curl with --cacert pointing to same cert succeed.

@pquentin
Member

Hello, yes that's correct. I noticed this when adding Python 3.13 support to the client, and then meant to follow up with an Elasticsearch issue but never got to it, sorry. That's now done: elastic/elasticsearch#117769.

As a workaround, you can disable the new X509_VERIFY_STRICT flag introduced by Python 3.13:

```python
import ssl
from elasticsearch import Elasticsearch

ctx = ssl.create_default_context()
ctx.load_verify_locations("http_ca.crt")
ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT

client = Elasticsearch(
    "https://localhost:9200",
    ssl_context=ctx,  # replaces ca_certs="http_ca.crt",
    api_key="...",
)
print(client.info())
```

@pquentin
Member

pquentin commented Dec 5, 2024

Closing as there's nothing actionable left in the Python client. Feel free to upvote the Elasticsearch issue at elastic/elasticsearch#117769 if this affects you. Thank you.
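To find out ahead of time whether a CA file will hit the "CA cert does not include key usage extension" error reported above, the following added example (not code from this thread or from the elasticsearch-py project) walks the certificate's DER structure with the standard library only and reports whether the keyUsage extension is present. The function names and the unsigned sample certificates are constructed for illustration; the check covers only the presence of keyUsage, not every rule that strict verification applies.

```python
import ssl

KEY_USAGE = bytes.fromhex("551d0f")  # DER body of OID 2.5.29.15 (keyUsage)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def extension_oids(der):
    """Return the raw OID bytes of every extension in a DER certificate."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs = next(children(cert))  # first child is tbsCertificate
    oids = set()
    for tag, val in children(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            _, ext_seq = next(children(val))
            oids.update(next(children(ext))[1] for _, ext in children(ext_seq))
    return oids

def ca_has_key_usage(cert):
    """True if the certificate carries keyUsage; accepts PEM text or DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return KEY_USAGE in extension_oids(der)

def tlv(tag, body=b""):  # short-form DER encoder, only for the constructed samples
    return bytes([tag, len(body)]) + body

def sample_ca(with_key_usage):
    """Constructed, unsigned certificate skeleton with placeholder fields."""
    ext = lambda oid, val: tlv(0x30, tlv(0x06, oid) + tlv(0x04, val))
    exts = ext(bytes.fromhex("551d13"), bytes.fromhex("30030101ff"))  # basicConstraints CA:TRUE
    if with_key_usage:
        exts += ext(KEY_USAGE, bytes.fromhex("03020106"))  # keyCertSign, cRLSign
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) * 5 + tlv(0xA3, tlv(0x30, exts))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30) + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print({name: ca_has_key_usage(sample_ca(ku)) for name, ku in (("without keyUsage", False), ("with keyUsage", True))})
```

For a real CA, pass the PEM text of the file, for example `ca_has_key_usage(open("http_ca.crt").read())`; a `False` result means the CA should be regenerated with keyUsage rather than verification being relaxed on every client.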
