AWS Elastic Search Domain 的 Route53 给出证书错误

Question

I have create a AWS elastic search domain in Virginia and got a Endpoint url.

Now I wanted to configure the Route53 behavior around it, so that a caller can use the same url, even though there is some change in elastic search or in case of a disaster recovery.

So,

Virginia Route 53 -- 1 Points to -- Virgina Elastic Search Domain URL Oregon Route 53 -- 2 Points to -- Oregon Elastic Search Domain URL Main Route 53 -- 3 Points to -- Route 53 1 or 2

I have already create these and also created and uploaded SSL certificate with correct SAN entries. But when I execute,

curl https://mainroute53/health
curl https://virginiaroute53/health
curl https://oregonroute53/health

I am getting this error,

curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

But when I am calling the Elastic Search URL directly its working. So I understand this is a issue with the way I am using the certificate. Any help appreciated.

Answer 1

Your Elastic Search endpoint will always return the Elastic Search SSL certificate.

So when you create a Route 53 "alias" for it, you may be connecting to it via your custom DNS entry, but Elastic Search will still use the Elastic Search SSL certificate.

Since the DNS endpoint you're using does not match the SSL certificate, you get that error.

You could use the --insecure curl flag to have it not check the SSL certificate, however, there are risks of doing that.

Answer 2

You can probably work around this by setting up a proxy server in front of the Elasticsearch domain, although it's kind of silly since there appears to also be an ELB inside the Elasticsearch domain. Ah well.

The domain Amazon ES creates for you includes the nodes in the Elasticsearch cluster and resources from several AWS services. When Amazon ES creates your domain, it launches instances into a service-controlled VPC. Those instances are fronted by Elastic Load Balancing (ELB), and the endpoint for the load balancer is published through Route 53. Requests to the domain pass through the ELB load balancer, which routes them to the domain's EC2 instances.

https://aws.amazon.com/blogs/database/set-access-control-for-amazon-elasticsearch-service/

Answer 3

One way you can access Elasticsearch using your custom domain name is to use an API Gateway as an HTPP proxy. But then you have to deal with the authentication part since the Cognito cookies for ES will be pointing to the original domain ( *.es.amazonaws.com ).

In my experience this is doable and you should be able to use API Gateway (plus Custom Domain Names and Route 53) to achieve what you want (having a custom domain name over ES). It's just that it requires some Cognito knowledge and most likely, some coding (to handle the cookie problem).

Answer 4

You can use the http endpoint instead of the https one

ie

curl **http**://mainroute53/health

This works around the fact that AWS does not allow providing custom domain certificate in its managed Elastic service

Answer 5

We had the same issue, wanted to be redirected to Kibana with a more friendlier DNS name and we used the solution with S3 bucket and the redirection as described here .

The steps:

• Create a S3 bucket with any name.
• In the bucket properties, enable “Static Website hosting”.
• In the Static WebSite hosting properties, select the option to “Redirect Requests”.
• In the target domain set the Kibana URL that is given from your elasticsearch domain: ie https://vpc-es-randomstring.us-east-1.es.amazonaws.com/_plugin/kibana/
• Set Protocol to https
• Then follow the steps from Step 5 on the guide above