
After enabling TLS, the ES cluster does not trust the certificate

Elasticsearch | Author: yeziblo | Published on 2019-06-20 | Views: 8882

Hello everyone, I have recently been learning the security features of ES 6.8, and I want to connect to the ES cluster through the TransportClient with TLS enabled;
 
Following the official documentation, I first created a CA and used it to sign a private key and certificate;
elasticsearch-certutil ca --pem
elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key --pem --name client --out client.zip
 
Then I configured them in the elasticsearch.yml file:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: instance/instance.key
xpack.security.transport.ssl.certificate: instance/instance.crt
xpack.security.transport.ssl.certificate_authorities: [ "ca/ca.crt" ]
 
Then I ran the command again and used the same CA to sign a new private key and certificate (this time the ones used on the local client):
elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key --pem --name instance --out instance.zip
 
I copied the CA and the new private key and certificate from the ES server to my local desktop and added the information in the Java program:

import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;

// Transport client settings: cluster name, basic-auth user, and the client-side TLS material
Settings.Builder builder = Settings.builder();
builder.put("cluster.name", es_server_clustername);
builder.put("xpack.security.user", username + ":" + password);
builder.put("xpack.ssl.key", "C:\\Users\\Shiki\\Desktop\\ca\\local.key");
builder.put("xpack.ssl.certificate", "C:\\Users\\Shiki\\Desktop\\ca\\local.crt");
builder.put("xpack.ssl.certificate_authorities", "C:\\Users\\Shiki\\Desktop\\ca\\ca.crt");
builder.put("xpack.security.transport.ssl.enabled", "true");
Settings settings = builder.build();
client = new PreBuiltXPackTransportClient(settings);
 
Then I ran the program and it errored out; the ES log shows:
client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/172.16.3.137:54781}

Could anyone help? I clearly used the same CA to sign everything, and the CA I copied to my machine is exactly the same as the CA on ES, so why is it not trusted……
 
Sincerely asking for help with this!

zqc0512 - andy zhou


xpack.security.transport.ssl.verification_mode: certificate
Change this to
xpack.security.transport.ssl.verification_mode: none and it'll be OK.
 

zqc0512 - andy zhou


Or else: if an IP address and domain name were given when the cert was issued, you have to use those when connecting……
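The two replies differ on whether to switch the check off or to make it pass. As an added diagnostic that is not part of the post and not an Elastic tool, the script below builds throwaway certificates with openssl and runs the two checks a transport client performs: does the node certificate chain to the CA the client was handed, and does the address being dialled appear in its subjectAltName. All file names, CA names and addresses in it are constructed.

```shell
#!/bin/sh
# Constructed demonstration: builds a throwaway CA and certificates with openssl in
# a temp directory; none of these files are the certutil output from the post.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# The CA the cluster trusts (stands in for elasticsearch-certutil ca --pem) ...
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
  -keyout ca.key -out ca.crt 2>/dev/null
# ... and an unrelated CA, to show a certificate that merely looks the same
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
  -keyout other.key -out other.crt 2>/dev/null

# issue_cert NAME CA_CRT CA_KEY SAN: writes NAME.crt signed by that CA with that SAN
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$4" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 1 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# chain_ok CA_CRT CERT: succeeds iff CERT chains to CA_CRT. This is the check
# verification_mode: certificate performs and verification_mode: none skips.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# san_has CERT NEEDLE: succeeds iff NEEDLE is listed in CERT's Subject Alternative
# Name, the extra check verification_mode: full applies to the address dialled.
san_has() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/Subject Alternative Name/ { getline; print }' | grep -q "$2"
}

# A node certificate from the trusted CA, and one with the same SAN from the other CA
issue_cert instance ca.crt ca.key "IP:192.0.2.10,DNS:es-node-1.example"
issue_cert rogue other.crt other.key "IP:192.0.2.10,DNS:es-node-1.example"

chain_ok ca.crt instance.crt && echo "instance.crt: chains to ca.crt"
chain_ok ca.crt rogue.crt || echo "rogue.crt: does NOT chain to ca.crt (different CA)"
san_has instance.crt "192.0.2.10" && echo "instance.crt SAN covers 192.0.2.10"
san_has instance.crt "192.0.2.99" || echo "instance.crt SAN does not cover 192.0.2.99"
```

Run the same two checks against the real ca.crt and instance.crt from certutil: if chain_ok fails, the client and node were not issued from the same CA file; if only san_has fails for the host you dial, the certificate chain is fine and the mismatch is in the name or IP it was issued for.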
