13

I have created an AWS Elasticsearch domain in Virginia and got an endpoint URL.


Now I wanted to configure the Route 53 behaviour around it, so that a caller can use the same URL even though there is some change in Elasticsearch or in case of a disaster recovery.

So,

Virginia Route 53 -- 1 Points to -- Virginia Elasticsearch Domain URL
Oregon Route 53 -- 2 Points to -- Oregon Elasticsearch Domain URL
Main Route 53 -- 3 Points to -- Route 53 1 or 2

I have already created these and also created and uploaded an SSL certificate with the correct SAN entries. But when I execute,

curl https://mainroute53/health
curl https://virginiaroute53/health
curl https://oregonroute53/health

I am getting this error,

curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

But when I am calling the Elasticsearch URL directly it's working. So I understand this is an issue with the way I am using the certificate. Any help appreciated.

rockyPeoplesChamp
  • 581
  • 2
  • 6
  • 23
  • 1
    Currently, AWS doesn't have a straightforward solution for this. This is one of the reasons people prefer manual EC2 ElasticSearch cluster over AWS ES – Lakshitha Herath Jan 08 '18 at 20:01
  • Is there any way I can still use a route 53 and connect to elastic search endpoint? I want to call this route 53 from some java backend api. – rockyPeoplesChamp Jan 09 '18 at 04:27
  • What you might want to do is create a reverse proxy around the ES endpoint. Terminate the SSL certificate at an nginx server, and forward the requests via HTTP in a private subnet. – Zachary Yates Jul 20 '20 at 17:53

5 Answers

8

Your Elastic Search endpoint will always return the Elastic Search SSL certificate.

So when you create a Route 53 "alias" for it, you may be connecting to it via your custom DNS entry, but Elastic Search will still use the Elastic Search SSL certificate.

Since the DNS endpoint you're using does not match the SSL certificate, you get that error.

You could use the --insecure curl flag to have it not check the SSL certificate, however, there are risks of doing that.

Matt Houser
  • 33,983
  • 6
  • 70
  • 88
  • Is there any way I can still use a route 53 and connect to elastic search endpoint? I want to call the route 53 from some java backend api. – rockyPeoplesChamp Jan 09 '18 at 03:54
  • 1
    Elastic Search does not allow you to replace the SSL certificate. So the only way to use Route 53 is to get your code to not validate the SSL certificate (not recommended). – Matt Houser Jan 09 '18 at 14:00
  • Is there any chance to get this resolved by installing the AWS Root certificates. I found this https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-troubleshooting.html But not sure if it can resolve my problem. – rockyPeoplesChamp Jan 09 '18 at 23:37
  • 1
    No that won't solve your problem. All that helps do is validate the Elastic Search cert. Your problem is that validating the cert is working against you. – Matt Houser Jan 09 '18 at 23:43
  • 1
    You are trying to work around a security "feature". There is no legitimate solution for what you are trying to achieve. – Matt Houser Jan 09 '18 at 23:46
  • Thanks for the information. All I am trying to achieve is a better disaster recovery system. That is why I wanted to configure a route53 around the elastic search. If in case one region goes down and elastic search also goes down with it then I can easily spin up another es domain. There will not be any change required in the backend api and it can still call the same route53 url. – rockyPeoplesChamp Jan 10 '18 at 06:07
  • Totally understand the reason. AWS just hasn't made it possible. – Matt Houser Jan 10 '18 at 13:27
3

You can probably work around this by setting up a proxy server in front of the Elasticsearch domain, although it's kind of silly since there appears to also be an ELB inside the Elasticsearch domain. Ah well.

The domain Amazon ES creates for you includes the nodes in the Elasticsearch cluster and resources from several AWS services. When Amazon ES creates your domain, it launches instances into a service-controlled VPC. Those instances are fronted by Elastic Load Balancing (ELB), and the endpoint for the load balancer is published through Route 53. Requests to the domain pass through the ELB load balancer, which routes them to the domain’s EC2 instances.

https://aws.amazon.com/blogs/database/set-access-control-for-amazon-elasticsearch-service/

Ibrahim
  • 1,883
  • 19
  • 27
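Two points in this thread lend themselves to a worked illustration: Matt Houser's answer (a Route 53 alias only changes which server you reach, the client still verifies the name it typed against the Amazon ES certificate) and the reverse-proxy suggestion in Zachary Yates's comment and Ibrahim's answer (terminate TLS at a proxy that holds a certificate for the custom name, and have the proxy verify the ES endpoint under its own name). The following is an added example, not code from any answer here or from AWS; it models RFC 6125-style hostname matching against a certificate's dNSName SANs and then runs the direct, aliased, `--insecure` and proxied cases. All host names, Route 53 records and SAN lists in it are constructed placeholders.

```python
"""Added example, not code from the Stack Overflow thread it accompanies.

Models the TLS hostname check that produces curl error (51) when a Route 53
alias is placed in front of an Amazon ES endpoint, and the two-hop check a
TLS-terminating reverse proxy performs instead. All host names, DNS records
and certificate SAN lists below are constructed placeholders.
"""
from dataclasses import dataclass

CURL_51 = "curl: (51) requested domain name does not match the server's certificate"


def _label_ok(pattern: str, label: str) -> bool:
    # RFC 6125 6.4.3: a wildcard is accepted only as the entire left-most label.
    return pattern == "*" or pattern.lower() == label.lower()


def hostname_matches_san(hostname: str, dns_sans) -> bool:
    """True if hostname is covered by one of the certificate's dNSName SANs."""
    host = hostname.rstrip(".").lower().split(".")
    for san in dns_sans:
        pat = san.rstrip(".").lower().split(".")
        # Reject partial wildcards (f*o.example) and wildcards past the first label.
        if any("*" in p and p != "*" for p in pat) or "*" in pat[1:]:
            continue
        # A wildcard covers exactly one label, so label counts must be equal:
        # '*.us-east-1.es.amazonaws.com' never covers a 3-label custom name.
        if len(pat) == len(host) and all(_label_ok(p, h) for p, h in zip(pat, host)):
            return True
    return False


@dataclass(frozen=True)
class Server:
    name: str        # the DNS name the server is reachable under
    dns_sans: tuple  # dNSName entries in the certificate it presents


def tls_connect(requested_host: str, dns: dict, servers: dict, insecure: bool = False) -> str:
    """Resolve requested_host (following alias/CNAME records), then verify.

    The point the thread makes: resolution decides which server answers, but
    the client still verifies the certificate against the name it requested.
    """
    target = requested_host
    while target in dns:  # follow the Route 53 alias chain to the endpoint
        target = dns[target]
    server = servers[target]
    if insecure:  # curl --insecure: skip the check entirely (not recommended)
        return "ok (unverified)"
    return "ok" if hostname_matches_san(requested_host, server.dns_sans) else CURL_51


def proxied_connect(client_host: str, proxy: Server, upstream_host: str, dns: dict, servers: dict):
    """Two hops: client -> proxy (custom cert), proxy -> ES (Amazon cert).

    The proxy presents a certificate for the custom name, then opens its own
    TLS session to the ES endpoint under the endpoint's real name (SNI and
    verification both use upstream_host), so both hops validate.
    """
    client_hop = "ok" if hostname_matches_san(client_host, proxy.dns_sans) else CURL_51
    upstream_hop = tls_connect(upstream_host, dns, servers)
    return client_hop, upstream_hop


# ---- constructed sample environment (placeholders, not real endpoints) ----
ES_VIRGINIA = "search-logs-abc123.us-east-1.es.amazonaws.com"
ES_OREGON = "search-logs-def456.us-west-2.es.amazonaws.com"
SERVERS = {
    ES_VIRGINIA: Server(ES_VIRGINIA, ("*.us-east-1.es.amazonaws.com",)),
    ES_OREGON: Server(ES_OREGON, ("*.us-west-2.es.amazonaws.com",)),
}
DNS = {  # Route 53 records: main name -> regional name -> ES endpoint
    "es.example.com": "virginia-es.example.com",
    "virginia-es.example.com": ES_VIRGINIA,
    "oregon-es.example.com": ES_OREGON,
}
# The reverse proxy holds a certificate issued for the custom names.
PROXY = Server("es.example.com", ("es.example.com", "virginia-es.example.com", "oregon-es.example.com"))


def demo() -> dict:
    """Run the four cases discussed in the thread and return their outcomes."""
    return {
        "direct": tls_connect(ES_VIRGINIA, DNS, SERVERS),
        "alias": tls_connect("es.example.com", DNS, SERVERS),
        "alias_insecure": tls_connect("es.example.com", DNS, SERVERS, insecure=True),
        "proxied": proxied_connect("es.example.com", PROXY, ES_VIRGINIA, DNS, SERVERS),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} {outcome}")
```

Running it shows the direct endpoint verifying, the alias failing with the same error (51) the question reports, `--insecure` passing only because verification is switched off, and the proxied path passing on both hops. The failover idea in the question survives in this model: the proxy's upstream name can be switched from the Virginia to the Oregon endpoint without the caller's custom name or certificate changing.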
2

One way you can access Elasticsearch using your custom domain name is to use an API Gateway as an HTTP proxy. But then you have to deal with the authentication part, since the Cognito cookies for ES will be pointing to the original domain (*.es.amazonaws.com).

In my experience this is doable and you should be able to use API Gateway (plus Custom Domain Names and Route 53) to achieve what you want (having a custom domain name over ES). It's just that it requires some Cognito knowledge and most likely, some coding (to handle the cookie problem).

Mehran
  • 15,593
  • 27
  • 122
  • 221
0

You can use the http endpoint instead of the https one

i.e.

curl http://mainroute53/health

This works around the fact that AWS does not allow providing a custom domain certificate in its managed Elasticsearch service.

user3041539
  • 607
  • 7
  • 17
0

We had the same issue: we wanted to be redirected to Kibana with a friendlier DNS name, and we used the solution with an S3 bucket and the redirection as described here.

The steps:

  • Create an S3 bucket with any name.
  • In the bucket properties, enable “Static Website hosting”.
  • In the Static WebSite hosting properties, select the option to “Redirect Requests”.
  • In the target domain set the Kibana URL that is given from your elasticsearch domain: i.e. https://vpc-es-randomstring.us-east-1.es.amazonaws.com/_plugin/kibana/
  • Set Protocol to https
  • Then follow the steps from Step 5 on the guide above
  • Just tested - not working :( The part with just S3 works great - redirecting to the Kibana endpoint - but when I try adding R53 to the mix it ends up with 404 bucket not found for HTTP and a timeout for the HTTPS version of my-logs.my-domain.com – lukpep Oct 30 '20 at 14:56