Elasticsearch SSL setup [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore)

Question

I am trying to set up Kibana on Elasticsearch; I am using Debian 12 and Elasticsearch 8.15.0.

I ran the following command to generate a CA with a password:

/usr/share/elasticsearch/bin/elasticsearch-certutil ca

This generated the CA file here:

/usr/share/elasticsearch/elastic-stack-ca.p12

Then I ran

/usr/share/elasticsearch/bin/elasticsearch-certutil http

and copied the resulting files to

/etc/elasticsearch/es-new-cert

and changed /etc/elasticsearch/elasticsearch.yml to:

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

xpack.security.http.ssl:
  enabled: true
  keystore.path: es-new-cert/elasticsearch/http.p12
  truststore.path: es-new-cert/elasticsearch/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: es-new-cert/elasticsearch/http.p12
  truststore.path: es-new-cert/elasticsearch/http.p12


Then I added the passwords:

sudo /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

But every time I try to restart Elasticsearch I get the following error:

[2024-10-16T17:41:30,890][ERROR][o.e.b.Elasticsearch      ] [elasticsearch] fatal exception while booting Elasticsearch
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/es-new-cert/elasticsearch/http.p12] - this is usually caused by an incorrect password; (a keystore password was provided)
    at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:620) ~[?:?]
    at java.util.HashMap.forEach(HashMap.java:1429) ~[?:?]
    at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1708) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:616) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:160) ~[?:?]
    at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:496) ~[?:?]
    at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:325) ~[?:?]
    at org.elasticsearch.node.NodeConstruction.lambda$construct$13(NodeConstruction.java:868) ~[elasticsearch-8.15.0.jar:?]
    at org.elasticsearch.plugins.PluginsService.lambda$flatMap$1(PluginsService.java:253) ~[elasticsearch-8.15.0.jar:?]
    at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:288) ~[?:?]
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:212) ~[?:?]
    at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:722) ~[?:?]
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:556) ~[?:?]
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:546) ~[?:?]
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:622) ~[?:?]
    at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:291) ~[?:?]
    at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:631) ~[?:?]
    at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:637) ~[?:?]
    at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:642) ~[?:?]
    at org.elasticsearch.node.NodeConstruction.construct(NodeConstruction.java:868) ~[elasticsearch-8.15.0.jar:?]
    at org.elasticsearch.node.NodeConstruction.prepareConstruction(NodeConstruction.java:270) ~[elasticsearch-8.15.0.jar:?]
    at org.elasticsearch.node.Node.<init>(Node.java:192) ~[elasticsearch-8.15.0.jar:?]
    at org.elasticsearch.bootstrap.Elasticsearch$2.<init>(Elasticsearch.java:242) ~[elasticsearch-8.15.0.jar:?]
    at org.elasticsearch.bootstrap.Elasticsearch.initPhase3(Elasticsearch.java:242) ~[elasticsearch-8.15.0.jar:?]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:76) ~[elasticsearch-8.15.0.jar:?]
Caused by: org.elasticsearch.common.ssl.SslConfigException: cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/es-new-cert/elasticsearch/http.p12] - this is usually caused by an incorrect password; (a keystore password was provided)
    at org.elasticsearch.common.ssl.SslFileUtil.ioException(SslFileUtil.java:56) ~[?:?]
    at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:98) ~[?:?]
    at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:479) ~[?:?]
    at java.util.HashMap.computeIfAbsent(HashMap.java:1228) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:618) ~[?:?]
    ... 24 more
Caused by: java.io.IOException: keystore password was incorrect
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2098) ~[?:?]
    at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:228) ~[?:?]
    at java.security.KeyStore.load(KeyStore.java:1499) ~[?:?]
    at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:72) ~[?:?]
    at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:94) ~[?:?]
    at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:479) ~[?:?]
    at java.util.HashMap.computeIfAbsent(HashMap.java:1228) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:618) ~[?:?]
    ... 24 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2098) ~[?:?]
    at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:228) ~[?:?]
    at java.security.KeyStore.load(KeyStore.java:1499) ~[?:?]
    at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:72) ~[?:?]
    at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:94) ~[?:?]
    at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:479) ~[?:?]
    at java.util.HashMap.computeIfAbsent(HashMap.java:1228) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:618) ~[?:?]
    ... 24 more


Passwords, passphrases, "secure_password", keystore, truststore... what am I doing wrong?

root@elasticsearch:~# sudo /usr/share/elasticsearch/bin/elasticsearch-keystore list
autoconfiguration.password_hash
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.http.ssl.truststore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password

By entering the password at the prompt of the following command, I can successfully view the private key/certificate:

openssl pkcs12 -in /etc/elasticsearch/es-new-cert/elasticsearch/http.p12 -info -nodes
Answer

For transport, use the elastic-certificates.p12 certificate instead of elasticsearch/http.p12:

xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

If you get stuck, check the following documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html
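As an added illustration of why the question's configuration fails (example code written here, not Elastic's): Elasticsearch flattens the nested yml into dotted settings, and each ssl context unlocks its keystore and truststore with its own `<context>.<store>.secure_password` entry, so one PKCS12 file referenced from both the http and transport contexts must have the same password stored under all four entries. The keystore listing in the question already contains transport entries the asker did not mention adding; the script assumes they hold a different password (the sample values are constructed) and flags exactly that inconsistency, which disappears once transport points at its own file, as the answer suggests.

```python
"""Added example, not Elastic's code: flatten elasticsearch.yml the way Elasticsearch does,
then check that every PKCS12 path is backed by consistent secure_password keystore entries."""
SSL_CONTEXTS = ("xpack.security.http.ssl", "xpack.security.transport.ssl")

def flatten_yaml(text):
    """Flatten a simple indentation-based YAML mapping of scalars into dotted keys."""
    settings, stack = {}, []                   # stack of (indent, key) for the nesting
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if value.strip():                      # leaf: join the nesting path with dots
            settings[".".join(k for _, k in stack)] = value.strip()
    return settings

def check_ssl_passwords(settings, secure_settings, config_dir="/etc/elasticsearch"):
    """Return problems: a missing password entry, or one PKCS12 file given two passwords."""
    by_file = {}                               # absolute path -> {secure setting: password}
    for ctx in SSL_CONTEXTS:
        for store in ("keystore", "truststore"):
            path = settings.get(f"{ctx}.{store}.path")
            if settings.get(f"{ctx}.enabled") != "true" or path is None:
                continue
            if not path.startswith("/"):       # relative paths resolve under the config dir
                path = f"{config_dir}/{path}"
            secret = f"{ctx}.{store}.secure_password"
            by_file.setdefault(path, {})[secret] = secure_settings.get(secret)
    problems = []
    for path, entries in by_file.items():
        problems += [f"{path}: no keystore entry {k}" for k, v in entries.items() if v is None]
        if len({v for v in entries.values() if v is not None}) > 1:
            problems.append(f"{path}: entries {sorted(entries)} hold different passwords")
    return problems

# Constructed sample: the question's yml, plus keystore values where the transport
# entries (assumed left over from an earlier setup) hold a different password.
SAMPLE_YML = """
xpack.security.http.ssl:
  enabled: true
  keystore.path: es-new-cert/elasticsearch/http.p12
  truststore.path: es-new-cert/elasticsearch/http.p12
xpack.security.transport.ssl:
  enabled: true
  keystore.path: es-new-cert/elasticsearch/http.p12
  truststore.path: es-new-cert/elasticsearch/http.p12
"""
SAMPLE_KEYSTORE = {f"{c}.{s}.secure_password": p for c, p in zip(SSL_CONTEXTS,
                   ("http-p12-pass", "stale-transport-pass")) for s in ("keystore", "truststore")}
```

Running `check_ssl_passwords(flatten_yaml(SAMPLE_YML), SAMPLE_KEYSTORE)` reports the shared http.p12 as having two different passwords, which is what the boot error above amounts to.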
