Allow self-signed SSL certificates #594

Closed
blindpet opened this issue Oct 6, 2016 · 10 comments

@blindpet

blindpet commented Oct 6, 2016

I am preparing a tutorial for ElasticPress behind an nginx reverse proxy with basic http auth and whitelisting. I am able to connect from ElasticPress to Elasticsearch with the basic http auth, however when I add a self-signed certificate and change to https in ElasticPress it no longer connects.

This is how I am generating the ssl certificate

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

and the ssl settings in the nginx virtual host

server {
    listen 9000 ssl;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_session_cache shared:SSL:10m;

    auth_basic "Protected Elasticsearch";
    auth_basic_user_file /etc/nginx/.elasticsearch-htpasswd;

    location / {
        proxy_pass http://127.0.0.1:9200;
        proxy_redirect off;
        # restrict IPs
        # allow ipaddress;
        # deny all;
    }
}

@Ritesh-patel
Contributor

Hi @blindpet

ElasticPress uses wp_remote_request to make a connection with the Elasticsearch host. Are you seeing any error in the error log which can give us more information about where it's breaking? I suggest you check https://code.tutsplus.com/tutorials/a-guide-to-the-wordpress-http-api-the-basics--wp-25125 and other online resources for the WP HTTP API; that might help.

@blindpet
Author

blindpet commented Nov 9, 2016

The issue is the self-signed certificate, the remote request needs to let sslverify=>false exactly as that tutorial says, it would be a valuable option for self-hosters @Ritesh-patel

@Ritesh-patel
Contributor

Hi @blindpet

You can utilise the http_request_args filter to set that value. Let us know if that helps or not.

Regards,
Ritesh

@wpbullet

Hi @Ritesh-patel I don't really do php development. I do server configurations. Do you have a snippet I can add to test this? It seems having this as an option would be really useful for external encrypted elasticsearch hosts. The setup would usually be whitelisting the host and using https with a self-signed certificate (since domain names aren't really important for elasticsearch hosting), so having sslverify=> false by default would be ideal.

@Ritesh-patel
Contributor

Hi @wpbullet

You can add the following snippet in your theme or in a custom plugin, which will set sslverify to false only if it's an ElasticPress request.

function custom_ep_http_request_args( $args, $url ) {
	
	//set sslverify to false only if it's ElasticPress request.
	if( 0 === strpos( $url, ep_get_host() ) ) {
		$args['sslverify'] = false;
	}
	
	return $args;
}

add_filter( 'http_request_args', 'custom_ep_http_request_args', 99, 2 );

@Ritesh-patel
Contributor

Hi @blindpet and @wpbullet

Due to inactivity we are closing this request.

Please reopen this request if the above code didn't help.

Regards,
Ritesh

@roditi3811

Hello, I am using EP with a self signed certificate, but when adding this code, I get an error:
Uncaught Error: Call to undefined function ep_get_host()
I see this answer is quite old, has something changed with the function's name?
Thanks!

@maiorano84

Turning off SSL verification - even if it's only an ElasticPress call - is not a solution, and should absolutely NOT be recommended for anybody who actually cares about using SSL properly.

I'm running my secured Elasticsearch cluster in Kubernetes alongside WordPress, and had to wrestle with getting a self-signed certificate to work alongside ElasticPress. This is more of a WordPress issue than an ElasticPress issue, but there should really be an option to allow for users to specify an absolute path to a certificate file on the server.

In lieu of an update that actually addresses the problem rather than telling users to "turn off SSL verification for ElasticPress calls", I've instead updated to append my SSL certificate to the bundle in WordPress' wp-includes/certificates/ca-bundle.crt file on container startup for now.

This too is not a great option, since it doesn't account for use-cases outside of a Kubernetes environment, and having to deal with updates to the core. Instead, I will be looking into offering up a potential workaround by leveraging at least one helpful tool that ElasticPress offers, which is the ep_intercept_remote_request filter, which offers us the ability to return our own request.

In theory, the workaround should look something like this:

add_filter('ep_intercept_remote_request', '__return_true');
add_filter('ep_do_intercept_request', function($err, $query, $args, $failures){
    $args['sslcertificates'] = apply_filters('ep_use_ca_certificate_path', ABSPATH . WPINC . '/certificates/ca-bundle.crt');
    return wp_remote_request( $query['url'], $args );
}, 10, 4);
// This part is what you can use to specify a custom certificate path
add_filter('ep_use_ca_certificate_path', function($path){
    return '/path/to/custom/certificate';
});

I'll be playing with this more to determine its viability, but this should at least help point people in the right direction rather than telling them to skip SSL Verification entirely.
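
An added example, not code from this thread or from ElasticPress: an http_request_args filter that leaves certificate verification on and points WordPress at a CA bundle containing the self-signed certificate, matching the Elasticsearch host by full origin instead of by URL prefix. The bundle path and the my_ep_* names are placeholders, and it assumes the file is loaded as a plugin alongside an ElasticPress version that provides ElasticPress\Utils\get_host().

```php
<?php
// Added example, not ElasticPress code: trust one private certificate for
// requests to the Elasticsearch host while keeping sslverify enabled.
use function ElasticPress\Utils\get_host;

// Assumption: PEM file with WordPress' bundled CAs plus your own certificate.
const MY_EP_CA_BUNDLE = '/path/to/custom/ca-bundle.pem'; // placeholder path

/** Return "scheme://host:port" for a URL, or null if it cannot be parsed. */
function my_ep_origin( $url ) {
	if ( ! is_string( $url ) ) {
		return null;
	}
	$p = wp_parse_url( $url );
	if ( empty( $p['scheme'] ) || empty( $p['host'] ) ) {
		return null;
	}
	$scheme = strtolower( $p['scheme'] );
	$port   = isset( $p['port'] ) ? (int) $p['port'] : ( 'https' === $scheme ? 443 : 80 );
	return $scheme . '://' . strtolower( $p['host'] ) . ':' . $port;
}

function my_ep_trust_custom_ca( $args, $url ) {
	if ( ! function_exists( 'ElasticPress\Utils\get_host' ) ) {
		return $args; // ElasticPress is not loaded; change nothing.
	}
	$ep_origin = my_ep_origin( get_host() );
	// Compare whole origins: a strpos() prefix test would also match
	// https://es.example.com.other.tld when the host is https://es.example.com.
	if ( null === $ep_origin || my_ep_origin( $url ) !== $ep_origin ) {
		return $args;
	}
	// Only act on HTTPS, and only when the bundle can actually be read;
	// otherwise keep WordPress' defaults instead of weakening verification.
	if ( 0 !== strpos( $ep_origin, 'https://' ) || ! is_readable( MY_EP_CA_BUNDLE ) ) {
		return $args;
	}
	$args['sslverify']       = true;             // keep chain and name checks on
	$args['sslcertificates'] = MY_EP_CA_BUNDLE;  // trust anchor for this host only
	return $args;
}
add_filter( 'http_request_args', 'my_ep_trust_custom_ca', 99, 2 );
```

Because name checking stays enabled, the certificate's subject name has to match the host name configured in ElasticPress.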

@maiorano84

@roditi3811

The function that you're looking for was moved under the ElasticPress\Utils namespace defined in elasticpress/includes/utils.php.

You can call it via either of the following:

Longhand
ElasticPress\Utils\get_host();

Alias

use function ElasticPress\Utils\get_host as ep_get_host; // (Goes at the top of your file)
ep_get_host();

@maiorano84

For anybody coming across this issue, ElasticPress has a bug in which attempting to call any remote request filter hooks (ep_pre_request_args, http_request_args, etc.) from within a theme's functions.php file will not execute early enough for the plugin's internal get_elasticsearch_version checks to recognize any custom SSL settings.

This can lead to the "There is a problem with connecting to your Elasticsearch host. ElasticPress can try your host again, or you may need to change your settings." message in your WordPress Admin Panel, and debugging the exact problem caused several nights of me pulling my hair out.

To save you the time and heartache, I have a couple of workarounds outlined in my connected issue listed above. Hopefully this helps.
