Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Server certificate CA fingerprint does not match the value configured in caFingerprint

See original GitHub issue

I tried to discuss this on the forum but haven’t found any help yet.

I was trying to use the CA Fingerprint in my Client to connect to the servers but would randomly get error messages after some time:

{
    "error": "ConnectionError",
    "message": "Server certificate CA fingerprint does not match the value configured in caFingerprint",
}

It works and then it doesn’t work, but I can’t find anything that changes that might cause the issue or reproduce it easily because it’s very random. I was able to overcome this by including the CA file instead of the CA Fingerprint and it seems to be working without issue now… but the CA Fingerprint would be much easier to add to an env variable.

Do you have any advice or any ideas on what might be causing this issue? It seems like restarting my proxy server did resolve the issue last time so I believe it might be related to the Javascript client now?

Issue Analytics

State:
Created a year ago
Reactions:1
Comments:6 (1 by maintainers)

Top GitHub Comments

4reactions

alaparsalancommented, Dec 19, 2022

Guys, you need to go to your ES installations directory in the bin folder there’s script 'elasticsearch-certgen’ this can help eg: C:\elasticsearch-8.5.3\bin\elasticsearch-certgen

execute this using CMD, you will get certificates to use in your client app this is how in my Node CODE { node: 'https://localhost:9200', auth: { username: 'elastic', password: 'SOMETHIN...', }, tls: { // might be required if it's a self-signed certificate ca: fs.readFileSync('./PATH_TO/NAME_OF.crt'), rejectUnauthorized: false, }, }

1reaction

petrsieglcommented, Jul 26, 2022

I have the same issue. Once in a while the mentioned error happens: Server certificate CA fingerprint does not match the value configured in caFingerprint

This is client init:

const client = new Client({
  node: "https://...:9200",
  auth: {
    apiKey: "...",
  },
  caFingerprint: "...",
  tls: {
    rejectUnauthorized: false,
  },
});

client version is @elastic/elasticsearch@8.2.1.
single node cluster
connecting using IP directly to the server - no reverse proxy

Top Results From Across the Web

Server certificate CA fingerprint does not match the value ...

Hey, I'm using Elasticsearch with a Javascript proxy, almost exactly the same as the example provided here: ...

Elasticsearch X-Pack valid ssl certificate not trusted by client ...

To workaround the issue we used the CA Full chain as value of the xpack.security.http.ssl.certificate parameter. According to the configuration ...

KB5014754—Certificate-based authentication changes on ...

Update all servers that run Active Directory Certificate Services and Windows domain controllers that service ... Users SID does not match Certificate SID....

NetBackup™ Security and Encryption Guide - Veritas

The master server administrator must find the fingerprint of the CA certificate and communicate it to the administrator of the individual ...

root-certificate fingerprint

Verifies the fingerprint contained in the CA certificate with the one configured in the PKI domain. If the two fingerprints do not match,...