I used openssl to generate a self-signed certificate for Elasticsearch, but I cannot start Elasticsearch with this certificate.
I keep getting the following error:
[2023-07-16T19:42:22,649][ERROR][o.e.b.Elasticsearch ] [MacBook-Pro.local] fatal exception while booting Elasticsearch
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/Users/mac/Documents/logging/elasticsearch/config/certs/transport.p12] does not contain any trusted certificate entries
at [email protected]/org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:617)
at java.base/java.util.HashMap.forEach(HashMap.java:1429)
at java.base/java.util.Collections$UnmodifiableMap.forEach(Collections.java:1553)
at [email protected]/org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:613)
at [email protected]/org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:159)
See logs for more details.
ERROR: Elasticsearch did not exit normally - check the logs at /Users/mac/Documents/logging/elasticsearch/logs/playground-logging.log
I cannot figure this out for the life of me.
These are the commands I used to generate the certificates:
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
openssl genrsa -out elasticsearch.key 2048
openssl req -new -key elasticsearch.key -out elasticsearch.csr -config openssl.cnf
openssl x509 -req -in elasticsearch.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out elasticsearch.crt -days 500 -sha256 -extfile elasticsearch.cnf -extensions v3_req
openssl pkcs12 -export -out elasticsearch.p12 -inkey elasticsearch.key -in elasticsearch.crt -certfile rootCA.pem
openssl genrsa -out transport.key 2048
openssl req -new -key transport.key -out transport.csr -config openssl.cnf
openssl x509 -req -in transport.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out transport.crt -days 500 -sha256 -extfile transport.cnf -extensions v3_req
openssl pkcs12 -export -out transport.p12 -inkey transport.key -in transport.crt -certfile rootCA.pem
My elasticsearch.yml references the generated certificates as shown below.
# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/elasticsearch.p12
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
Can someone help me? I don't know what I did wrong.
Elasticsearch seems to expect files that differ slightly from what you get out of OpenSSL. Follow Elasticsearch's own instructions: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html
In short:
Generate a certificate authority file that Elasticsearch is compatible with:
.../bin/elasticsearch-certutil ca
Generate the node-specific certificate:
.../bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
where elastic-stack-ca.p12 is the file produced by the first command.
Put the file elastic-certificates.p12 into /etc/elasticsearch and configure /etc/elasticsearch/elasticsearch.yml to contain the following lines:
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
If you use verification_mode: certificate, you only need to copy the same node certificate file to every node in the cluster.
Note that if you use xpack.security.transport.ssl.truststore.path, you don't even need the CA file on the node at all; the file elastic-certificates.p12 is sufficient. If you use xpack.security.remote_cluster_client.ssl.certificate_authorities, you should put the public part of the CA file there, and then the usual TLS CA chain logic applies. Note that you cannot use truststore.path and certificate_authorities at the same time; you have to choose one of them.
The official guide is written in a style that makes all of this look far more complicated than it is.
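The error in the question and the answer's remarks about truststore.path both come down to which entry types the PKCS#12 file actually holds; as an added example that is not code from the question or the answer, this shell script classifies a keytool listing by entry type and, assuming keytool is on the PATH and the rootCA.pem from the question's commands, builds a separate truststore from that CA so the openssl-generated node keystore can be kept.

```shell
#!/bin/sh
# Added diagnostic, not code from the question or the answer above.
# A PKCS#12 file named in xpack.security.transport.ssl.truststore.path must
# hold at least one trustedCertEntry. "openssl pkcs12 -export -certfile
# rootCA.pem" only attaches the CA to the PrivateKeyEntry's chain, which is
# why Java reports "does not contain any trusted certificate entries".

# Read a "keytool -list -keystore <file> -storetype PKCS12" listing on stdin,
# print the entry counts, and return 0 only if the file can act as a truststore.
check_truststore_listing() {
    keys=0
    trusted=0
    while IFS= read -r line; do
        case "$line" in
            *", PrivateKeyEntry,"*) keys=$((keys + 1)) ;;
            *", trustedCertEntry,"*) trusted=$((trusted + 1)) ;;
        esac
    done
    printf 'PrivateKeyEntry=%d trustedCertEntry=%d\n' "$keys" "$trusted"
    [ "$trusted" -gt 0 ]
}

# Build a separate truststore from the OpenSSL root CA with keytool, so the
# openssl-generated node keystore can stay in use. File names and the
# "changeit" password are placeholders, not values from the question.
build_truststore_from_pem() {
    ca_pem="${1:-rootCA.pem}"
    out="${2:-transport-truststore.p12}"
    keytool -importcert -noprompt -alias rootca -file "$ca_pem" \
        -keystore "$out" -storetype PKCS12 -storepass changeit
}

# Constructed sample listings, not real output from the question's files.
OPENSSL_P12_LISTING='Your keystore contains 1 entry

1, Jul 16, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33 (constructed, truncated)'

CERTUTIL_P12_LISTING='Your keystore contains 2 entries

ca, Jul 16, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33 (constructed, truncated)
instance, Jul 16, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 44:55:66:77 (constructed, truncated)'

# Demo: the openssl-style file fails the check, the certutil-style file passes.
printf '%s\n' "$OPENSSL_P12_LISTING" | check_truststore_listing || echo 'not usable as truststore.path'
printf '%s\n' "$CERTUTIL_P12_LISTING" | check_truststore_listing && echo 'usable as truststore.path'
```

Against the real files, run `keytool -list -keystore config/certs/transport.p12 -storetype PKCS12 | check_truststore_listing`; if it fails, either switch to elasticsearch-certutil as the answer describes, or point truststore.path at the file produced by build_truststore_from_pem while keeping keystore.path on the openssl-generated transport.p12.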