Configure ElasticSearch to trust the HTTPS connection towards FogBugz On-Premise


Follow

Overview

You might receive the following error in FogBugz On-Premise for some filters after you Configure FogBugz On-Premises to Use HTTPS  or you update the SSL/TLS certificate used by your FogBugz On-Premise:

Unexpected Search Response

 


Prerequisites

  • Administrator rights on the IIS server hosting FogBugz On-Premise
  • Administrator rights on the server that is hosting ElasticSearch

 


Diagnosis

Similarly to how browsers check the validity of the SSL certificates provided by servers when connecting using HTTPS, also ElasticSearch checks the certificate provided by your FogBugz server.

ElasticSearch is written in Java language. As such it uses the certificate information available in Java Trust Store. 

If you recently changed your FogBugz On-Premise to use SSL/TLS certificate, or you are using a certificate signed by a Certificate Authority that is not automatically trusted by the Java Trust Store, or your certificate has expired, ElasticSearch might not be able to connect to your FogBugz.

Note: Self-signed certificates are also considered not-trusted by default by the Java Trust Store.

 

Back to the top


Solution

To resolve this issue, you need to import into the Java Trust Store the same certificate that is used by the FB GEN ALL site on your IIS Server.

Note: These steps are not about changing how ElasticSearch is accessed, but changing how ElasticSearch accesses FogBugz. After executing these steps, ElasticSearch will be available on localhost in the same way as before executing these steps.

 

You will need the certificate in Base-64 encoded X.509 format.

This can be achieved using the following steps:

  1. Export the certificate from IIS - you can skip this step if you already have the certificate in Base-64 encoded X.509 format
  2. Import your certificate into the Java Trust Store 

 

Exporting the SSL Certificate from IIS

The surest way to ensure that your FogBugz On-Premise and ElasticSearch use the same certificate is to export the certificate from IIS and import it into the Java Trust Store.

  1. Go to your IIS Manager.
  2. Collapse Server > Sites.
  3. Right-click on FB GEN ALL and select Edit Bindings.
     
    mceclip0.png
     
  4. Under Site Bindings, select the domain that is using port 443 and click Edit.
     
    mceclip0.png
     
  5. Click View.
     
    mceclip1.png
     
  6. Select the Details tab and click on the Copy to File button.
     
    mceclip3.png
     
  7. Under Export File Format, select Base-64 encoded X.509 (.CER).
     
    mceclip5.png
     
    IMPORTANT: Do NOT export the private key.

    mceclip4.png


  8. Under File to Export specify the file name and location where to export the file.
  9. Click Finish to export the certificate file.

 

Back to the top


Importing the Certificate to the Java Trust Store

  1. Run Windows PowerShell as Administrator.

    mceclip6.png
     
  2. Run the following command.
     
    keytool -import -v -alias <friendly_name_of_your_certificate> -keystore $Env:JAVA_HOME\jre\lib\security\cacerts -file <full_path_to_the_exported_certificate_file>.cer
  3. Replace the following values in the command above:
    • <friendly_name_of_your_certificate>
    • <full_path_to_the_exported_certificate_file>.cer
  4. Enter the password for the Trust Store.
    The default password for the Trust Store is changeit.
  5. When the system asks to trust the key, type YES and hit Enter for the Java Trust Store to accept the certificate.
  6. Restart the FogBugz ElasticSearch service.
     
    mceclip1.png
     
  7. Restart Internet Services.
     
    mceclip2.png

Back to top


 

Testing

  1. After restarting IIS and Elastic Search, check that Elastic Search is up and running by accessing its health status URL: 
    http://localhost:9200/_cluster/health

     

    ES_Cluster_Health.jpg

  2. Repeat the same search the was giving you Unexpected Search Response. It should give you the correct results.
  3. If you experience that your search results are incomplete you might also need to reset ElasticSearch Indexer Backfill.

 

Back to top


 

Related Articles