CA certificates generated using elasticsearch-certutil fail when used in Python3.13

[redbaron4]

I am not sure if this is a client or elasticsearch bug or caused by some mistake on my part.

We have a test setup for elasticsearch. The setup runs on Elasticsearch-8.6. For security setup, we generate our own CA certificate using elasticsearch-certutil ca --pem command and then use that CA to generate other elasticsearch certificates.

We use elasticsearch-py client to run various tasks on this cluster. The client is configured with ca_certs=/path/to/our/ca.crt. If we use Python3.12, the client works correctly.

However, when we use Python-3.13 (on the same system), the requests fail with

elastic_transport.TlsError: TLS error caused by: TlsError(TLS error caused by: SSLError([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: CA cert does not include key usage extension (_ssl.c:1020)))

elasticsearch-py version : 8.16.0 (Cluster is 8.6)
OS: Rocky9.5

Requests to cluster made with curl with --cacert pointing to same cert succeed.

[pquentin]

Hello, yes that's correct. I noticed this when adding Python 3.13 support to the client, and then meant to follow-up with an Elasticsearch issue but never got to it, sorry. That's now done: elastic/elasticsearch#117769.

As a workaround, you can disable the new X509_VERIFY_STRICT flag introduced by Python 3.13:

import ssl
from elasticsearch import Elasticsearch

ctx = ssl.create_default_context()
ctx.load_verify_locations("http_ca.crt")
ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT

client = Elasticsearch(
    "https://localhost:9200",
    ssl_context=ctx,  # replaces ca_certs="http_ca.crt",
    api_key="...",
)
print(client.info())

[pquentin]

Closing as there's nothing actionable left in the Python client. Feel free to upvote the Elasticsearch issue at elastic/elasticsearch#117769 if this affects you. Thank you.