Adding root certificate to KNIME

How can we add a root certificate (.pem) to KNIME (on Windows), so that it can connect to servers requiring this?

What I tried so far without success:

1. Adding the certificate to Windows using mmc.exe - I am assuming the KNIME java vm does not “see” this?

2. Adding the .pem cert file in “C:\Program Files\KNIME\plugins\org.knime.binary.jre.win32.x86_64_1.8.0.252-b09\jre\bin”
   using:
   keytool -import -alias our_root_cert -keystore cacerts -file our-root-cert.pem

The result was “Certificate was added to keystore”, but still no joy.

I am trying to connect to an Elasticsearch server by the way, using the Elasticsearch Connector, that just says “Error connecting to Elasticsearch. Check your configuration”, and the connected Elasticsearch Console: “General SSLEngine problem”

Hi kixxalot,

maybe @danielesser can further help here. In the meantime, probably the “Accept all certificates” option in the Connector would help, to disable certificate checking completely?

–Philipp

Of course I already checked the “Accept all SSL certificates” option, but to no avail.

Also I am absolutely certain that the protocol (https), host, port and credentials are correct. I can connect to the Elastic server in a browser or with a Python script with these settings.

I seem to have solved this. I referenced the incorrect keystore in step 2 above.

This worked:

keytool -import -alias our_root_cert -keystore “C:\Program Files\KNIME\plugins\org.knime.binary.jre.win32.x86_64_1.8.0.252-b09\jre\lib\security\cacerts” -file our-root-cert.pem

There is also this solution - editing knime.ini to tell Eclipse to use the Windows certficates, although I did not test it myself:

For the records: What error did you get? Bonus points for providing the full stack trace.

After clicking “test connection” in Elasticsearch Connector, it says:

Error connecting to Elasticsearch. Check your configuration

Note that despite this, the Elasticsearch Connector node can still be executed, and it does not display an error in the console.

Thanks, probably this helps @danielesser to further improve this

Whoops. Thanks for the feedback. I’ll have a look!

@kixxalot Could you please enable DEBUG logging in KNIME (Preferences → KNIME → KNIME GUI → Console View Log Level: DEBUG) and let me know what the Console says when trying to do the connection test?

The connection test tries to query the /_cluster/health endpoint of ES and will time out after 3s. The error stack is then printed to the console in DEBUG mode.

Best regards,
Daniel

@danielesser : to reproduce this for you, I first removed the certificate from the JRE keystore, and then did the connection test. Debug output to console (host & port anonymised):

DEBUG NodeContainerEditPart Elasticsearch Connector 0:4 (EXECUTED)
DEBUG Elasticsearch Connector 0:4 Create Elasticsearch client: protocol=https, host=xxx.xxx.xxx, port=xxxx, acceptAllCerts=true
DEBUG Elasticsearch Connector 0:4 Perform API request: method=GET, endpoint=/_cluster/health?timeout=3s, body=null
DEBUG Elasticsearch Connector 0:4 Close Elasticsearch client
DEBUG Elasticsearch Connector 0:4 Connection test failed

Thanks @kixxalot. That’s strange. Did I get it right, the connectivity check failed for you no matter if you imported the certificates or not (with option Accept all SSL certificates enabled)?

In parallel I reworked the connectivity check a bit with the lastest release and also increased the timeout. Would be great to hear if that somehow solved the issue you are experiencing.

Best regards,
Daniel

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.