Adding root certificate to KNIME

How can we add a root certificate (.pem) to KNIME (on Windows), so that it can connect to servers requiring this?

What I tried so far without success:

  1. Adding the certificate to Windows using mmc.exe - I am assuming the KNIME java vm does not “see” this?

  2. Adding the .pem cert file in “C:\Program Files\KNIME\plugins\org.knime.binary.jre.win32.x86_64_1.8.0.252-b09\jre\bin”
    using:
    keytool -import -alias our_root_cert -keystore cacerts -file our-root-cert.pem

The result was “Certificate was added to keystore”, but still no joy.

I am trying to connect to an Elasticsearch server by the way, using the Elasticsearch Connector, that just says “Error connecting to Elasticsearch. Check your configuration”, and the connected Elasticsearch Console: “General SSLEngine problem”

Hi kixxalot,

maybe @danielesser can further help here. In the meantime, probably the “Accept all certificates” option in the Connector would help, to disable certificate checking completely?

–Philipp

1 Like

Of course I already checked the “Accept all SSL certificates” option, but to no avail.

Also I am absolutely certain that the protocol (https), host, port and credentials are correct. I can connect to the Elastic server in a browser or with a Python script with these settings.

I seem to have solved this. I referenced the incorrect keystore in step 2 above.

This worked:

keytool -import -alias our_root_cert -keystore “C:\Program Files\KNIME\plugins\org.knime.binary.jre.win32.x86_64_1.8.0.252-b09\jre\lib\security\cacerts” -file our-root-cert.pem

There is also this solution - editing knime.ini to tell Eclipse to use the Windows certficates, although I did not test it myself:

3 Likes

For the records: What error did you get? Bonus points for providing the full stack trace.

2 Likes

After clicking “test connection” in Elasticsearch Connector, it says:

Error connecting to Elasticsearch. Check your configuration

Note that despite this, the Elasticsearch Connector node can still be executed, and it does not display an error in the console.

2 Likes

Thanks, probably this helps @danielesser to further improve this :slight_smile:

1 Like

Whoops. Thanks for the feedback. I’ll have a look! :slight_smile:

2 Likes

@kixxalot Could you please enable DEBUG logging in KNIME (PreferencesKNIMEKNIME GUIConsole View Log Level: DEBUG) and let me know what the Console says when trying to do the connection test?

The connection test tries to query the /_cluster/health endpoint of ES and will time out after 3s. The error stack is then printed to the console in DEBUG mode.

Best regards,
Daniel

1 Like

@danielesser : to reproduce this for you, I first removed the certificate from the JRE keystore, and then did the connection test. Debug output to console (host & port anonymised):

DEBUG NodeContainerEditPart Elasticsearch Connector 0:4 (EXECUTED)
DEBUG Elasticsearch Connector 0:4 Create Elasticsearch client: protocol=https, host=xxx.xxx.xxx, port=xxxx, acceptAllCerts=true
DEBUG Elasticsearch Connector 0:4 Perform API request: method=GET, endpoint=/_cluster/health?timeout=3s, body=null
DEBUG Elasticsearch Connector 0:4 Close Elasticsearch client
DEBUG Elasticsearch Connector 0:4 Connection test failed

Thanks @kixxalot. That’s strange. Did I get it right, the connectivity check failed for you no matter if you imported the certificates or not (with option Accept all SSL certificates enabled)?

In parallel I reworked the connectivity check a bit with the lastest release and also increased the timeout. Would be great to hear if that somehow solved the issue you are experiencing.

Best regards,
Daniel

1 Like

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.