I am trying to connect to my Elasticsearch server using the Java API and Shield. I can execute index, get, delete and search operations on the existing cluster using the Sense plugin (e.g.) and via curl on 9200. I've seen other threads about this, but none of them worked and none of them were trying to connect to an Elasticsearch web server with Shield.
I used the same API to connect to Elasticsearch on my localhost and it worked fine; however, when I try to connect to my web server I always get the same error:
Error
1342 [main] DEBUG org.elasticsearch.shield.transport.netty - [Benjamin Jacob Grimm] connected to node [{#transport#-1}{HOST_IP}{HOST/HOST_IP:9300}]
1431 [elasticsearch[Benjamin Jacob Grimm][generic][T#1]] DEBUG org.elasticsearch.shield.transport.netty - [Benjamin Jacob Grimm] disconnecting from [{#transport#-1}{HOST_IP}{HOST/HOST_IP:9300}], channel closed event
1463 [main] INFO org.elasticsearch.client.transport - [Benjamin Jacob Grimm] failed to get node info for {#transport#-1}{HOST_IP}{HOST/HOST_IP:9300}, disconnecting...
NodeDisconnectedException[[][HOST/HOST_IP:9300][cluster:monitor/nodes/liveness] disconnected]
...9200/_nodes
"cluster_name": "elasticsearch",
"nodes": {
  "UYdZbCQKQZavtFYOoUpawg": {
    "name": "Desmond Pitt",
    "transport_address": "HOST_IP:9300",
    "host": "HOST_IP",
    "ip": "HOST_IP",
    "version": "2.3.3",
    "build": "218bdf1",
    "http_address": "HOST_IP:9200",
    "settings": {
      "pidfile": "/var/run/elasticsearch/elasticsearch.pid",
      "cluster": {
        "name": "elasticsearch"
      },
      "path": {
        "conf": "/etc/elasticsearch",
        "data": "/var/lib/elasticsearch",
        "logs": "/var/log/elasticsearch",
        "home": "/usr/share/elasticsearch"
      },
      "shield": {
        "http": {
          "ssl": "true"
        },
        "https": {
          "ssl": "true"
        },
        "transport": {
          "ssl": "true"
        }
      },
      "name": "Desmond Pitt",
      "client": {
        "type": "node"
      },
      "http": {
        "cors": {
          "allow-origin": "*",
          "allow-headers": "Authorization, Origin, X-Requested-With, Content-Type, Accept",
          "allow-credentials": "true",
          "allow-methods": "OPTIONS, HEAD, GET, POST, PUT, DELETE",
          "enabled": "true"
        }
      },
      "index": {
        "queries": {
          "cache": {
            "type": "opt_out_cache"
          }
        }
      },
      "foreground": "false",
      "config": {
        "ignore_system_properties": "true"
      },
      "network": {
        "host": "HOST_IP",
        "bind_host": "0.0.0.0",
        "publish_host": "HOST_IP"
      }
    }
Java code:
TransportClient client = TransportClient.builder()
    .addPlugin(ShieldPlugin.class)
    .settings(Settings.builder()
        .put("cluster.name", ClusterName)
        .put("shield.user", "USER:PASSWORD")
        .build())
    .build()
    .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(HOST), 9300));
I've tried, as stated in "Can't connect to ElasticSearch server using Java API", to sync my Java API's Java version with my server's, and currently I'm using:
Java API:
C:\Program Files\Java\jdk1.8.0_92
Server:
"version": "1.8.0_91",
"vm_name": "OpenJDK 64-Bit Server VM",
I don't know if there is any problem with using ...0_91 and 0_92, but it doesn't seem to make any difference because the Java API works well on my localhost server.
If you need more information feel free to ask. Thanks in advance!
UPDATE:
Changes I did in elasticsearch.yml
shield.ssl.keystore.path: /usr/share/elasticsearch/bin/shield/elastic.jks
shield.ssl.keystore.password: password
shield.ssl.keystore.key_password: password
shield.transport.ssl: true
shield.http.ssl: true
shield.https.ssl: true
network.host: HOST_IP
network.publish_host: HOST_IP
shield.ssl.hostname_verification.resolve_name: false
Result of https://HOST:9200/_cluster/health?pretty=true
{
  "cluster_name": "elasticsearch",
  "status": "yellow",
  "timed_out": false,
  "number_of_nodes": 1,
  "number_of_data_nodes": 1,
  "active_primary_shards": 5,
  "active_shards": 5,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 5,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 50
}
UPDATE2:
I've tried to activate SSL according to the official documentation and I got the following errors:
2082 [elasticsearch[Steel Serpent][transport_client_worker][T#1]{New I/O worker #1}] DEBUG org.elasticsearch.shield.transport.netty - [Steel Serpent] SSL/TLS handshake failed, closing channel: null
java.nio.channels.ClosedChannelException
at org.jboss.netty.handler.ssl.SslHandler.channelDisconnected(SslHandler.java:575)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:102)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.jboss.netty.channel.Channels.fireChannelDisconnected(Channels.java:396)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.close(AbstractNioWorker.java:360)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:93)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Temporary Solution
After that attempt, I did as Vladislav Kysliy suggested and disabled SSL, and it worked, but I'm looking for a real solution and not a temporary one.
As I can see, you enabled SSL encryption, but your Java code didn't activate SSL. According to the official documentation, you should use something like this:
Moreover, I would test my code without any encryption and add new features (e.g. SSL) to the config and code step by step.
UPD: To be honest, remotely fixing SSL issues will be tricky. These errors often appear when the client sends an invalid SSL certificate. You probably need to disable client auth.
Because you use SSL + Shield, the main idea is to check your functionality step by step: disable SSL, check with the Java API client; enable SSL, check again.
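An added example, not part of the original answer or of the Shield documentation: a transport client for the Elasticsearch 2.3 / Shield setup in the question that turns on transport SSL to match the node's shield.transport.ssl: true, trusts the node certificate through a truststore, and presents a client keystore only when one is supplied (needed while the node still requires client authentication). The class name, the command-line arguments and the ES_* environment variable names are assumptions made for this sketch.

```java
import java.net.InetAddress;

import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.shield.ShieldPlugin;

public class ShieldSslClientCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];         // assumed: a name or IP carried by the node certificate
        String clusterName = args[1];  // "elasticsearch" in the question

        Settings.Builder settings = Settings.builder()
                .put("cluster.name", clusterName)
                // Credentials come from the environment (assumed variable names), not from source.
                .put("shield.user", System.getenv("ES_USER") + ":" + System.getenv("ES_PASSWORD"))
                // Must mirror shield.transport.ssl: true on the node; a plaintext client
                // against an SSL transport port is simply disconnected.
                .put("shield.transport.ssl", "true")
                // Truststore holding the CA (or self-signed certificate) behind the node's elastic.jks.
                .put("shield.ssl.truststore.path", System.getenv("ES_TRUSTSTORE"))
                .put("shield.ssl.truststore.password", System.getenv("ES_TRUSTSTORE_PASSWORD"));

        // Only present a client certificate when a keystore is configured.
        String keystore = System.getenv("ES_KEYSTORE");
        if (keystore != null) {
            settings.put("shield.ssl.keystore.path", keystore)
                    .put("shield.ssl.keystore.password", System.getenv("ES_KEYSTORE_PASSWORD"));
        }

        TransportClient client = TransportClient.builder()
                .addPlugin(ShieldPlugin.class)
                .settings(settings.build())
                .build()
                .addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(host), 9300));
        try {
            // An empty list means the handshake or the liveness check failed, as in the logs above.
            if (client.connectedNodes().isEmpty()) {
                System.err.println("No node connected: check truststore contents and client-auth settings");
                return;
            }
            ClusterHealthResponse health = client.admin().cluster().prepareHealth().get();
            System.out.println("Connected over TLS, cluster status: " + health.getStatus());
        } finally {
            client.close();
        }
    }
}
```

No hostname-verification setting is overridden here, so the address passed as the first argument has to be one the node certificate was issued for.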