How can we add a root certificate (.pem) to KNIME (on Windows), so that it can connect to servers requiring this?
What I tried so far without success:
Adding the certificate to Windows using mmc.exe - I am assuming the KNIME java vm does not “see” this?
Adding the .pem cert file in “C:\Program Files\KNIME\plugins\org.knime.binary.jre.win32.x86_64_1.8.0.252-b09\jre\bin”
using:
keytool -import -alias our_root_cert -keystore cacerts -file our-root-cert.pem
The result was “Certificate was added to keystore”, but still no joy.
I am trying to connect to an Elasticsearch server by the way, using the Elasticsearch Connector, that just says “Error connecting to Elasticsearch. Check your configuration”, and the connected Elasticsearch Console: “General SSLEngine problem”
Maybe @danielesser can further help here. In the meantime, probably the “Accept all certificates” option in the Connector would help, to disable certificate checking completely?
Of course I already checked the “Accept all SSL certificates” option, but to no avail.
Also I am absolutely certain that the protocol (https), host, port and credentials are correct. I can connect to the Elastic server in a browser or with a Python script with these settings.
@kixxalot Could you please enable DEBUG logging in KNIME (Preferences → KNIME → KNIME GUI → Console View Log Level: DEBUG) and let me know what the Console says when trying to do the connection test?
The connection test tries to query the /_cluster/health endpoint of ES and will time out after 3s. The error stack is then printed to the console in DEBUG mode.
@danielesser : to reproduce this for you, I first removed the certificate from the JRE keystore, and then did the connection test. Debug output to console (host & port anonymised):
Thanks @kixxalot. That’s strange. Did I get it right, the connectivity check failed for you no matter if you imported the certificates or not (with option Accept all SSL certificates enabled)?
In parallel I reworked the connectivity check a bit with the latest release and also increased the timeout. Would be great to hear if that somehow solved the issue you are experiencing.