Working with certificatesedit

If you’ve enabled SSL on Elasticsearch with X-Pack or through a proxy in front of Elasticsearch, and the Certificate Authority (CA) that generated the certificate is trusted by the machine running the client code, there should be nothing you’ll have to do to talk to the cluster over HTTPS with the client.

If you are using your own CA which is not trusted however, .NET won’t allow you to make HTTPS calls to that endpoint by default. With .NET, you can pre-empt this though a custom validation callback on the global static ServicePointManager.ServerCertificateValidationCallback. Most examples you will find doing this this will simply return true from the validation callback and merrily whistle off into the sunset. This is not advisable as it allows any HTTPS traffic through in the current AppDomain without any validation. Here’s a concrete example:

Imagine you deploy a web application that talks to Elasticsearch over HTTPS through NEST, and also uses some third party SOAP/WSDL endpoint; by setting

ServicePointManager.ServerCertificateValidationCallback +=
(sender, cert, chain, errors) => true

validation will not be performed for HTTPS connections to both Elasticsearch and that external web service.

Validation configurationedit

It’s possible to also set a callback per service endpoint with .NET, and both Elasticsearch.NET and NEST expose this through connection settings (ConnectionConfiguration with Elasticsearch.Net and ConnectionSettings with NEST). You can do your own validation in that handler or use one of the baked in handlers that we ship with out of the box, on the static class CertificateValidations.

The two most basic ones are AllowAll and DenyAll, which accept or deny all SSL traffic to our nodes, respectively. Here’s a couple of examples.

Denying all certificate validationedit

Here we set up ConnectionSettings with a validation callback that denies all certificate validation

public class DenyAllCertificatesCluster : SslAndKpiXPackCluster
{
    protected override ConnectionSettings ConnectionSettings(ConnectionSettings s) => s
        .ServerCertificateValidationCallback((o, certificate, chain, errors) => false)
        .ServerCertificateValidationCallback(CertificateValidations.DenyAll); 
}

synonymous with the previous lambda expression

Or per request on RequestConfiguration which will take precedence over the ones defined on ConnectionConfiguration

Object Initializer syntax exampleedit

new RootNodeInfoRequest
{
    RequestConfiguration = new RequestConfiguration
    {
        ClientCertificates = new X509Certificate2Collection { new X509Certificate2(this.Certificate) }
    }
}

Fluent DSL exampleedit

s => s
.RequestConfiguration(r => r
        .ClientCertificate(this.Certificate)
)