Q:有两个人掉到陷阱里了,死的人叫死人,活人叫什么?

开启TLS后,ES集群不信任证书

Elasticsearch | 作者 yeziblo | 发布于2019年06月20日 | 阅读数:647

各位前辈好,我最近在学习ES6.8的安全特性,想要在开启TLS的前提下,通过Transportclient连接到ES集群;
 
按照官方文档的说明,首先我创建了一个CA,并用这个CA签署了一个私钥与证书;
elasticsearch-certutil ca --pem
elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key --pem --name client --out client.zip
 
之后我将它们分别配置到了elasticsearch.yml文件里:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: instance/instance.key
xpack.security.transport.ssl.certificate: instance/instance.crt
xpack.security.transport.ssl.certificate_authorities: [ "ca/ca.crt" ]
 
之后我再次使用命令,用同一个CA签署了新的私钥与证书(这次签署的是用在本地客户端上的)
elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key --pem --name instance--out instance.zip
 
我把ca、新的私钥与证书,从ES服务器拷贝到了我的本地桌面,并在java程序里添加了信息:

Settings.Builder builder = Settings.builder();
builder.put("cluster.name",es_server_clustername);
builder.put("xpack.security.user", username+":"+password);
builder.put("xpack.ssl.key", "C:\\Users\\Shiki\\Desktop\\ca\\local.key");
builder.put("xpack.ssl.certificate", "C:\\Users\\Shiki\\Desktop\\ca\\local.crt");
builder.put("xpack.ssl.certificate_authorities", "C:\\Users\\Shiki\\Desktop\\ca\\ca.crt"); builder.put("xpack.security.transport.ssl.enabled", "true");
Settings settings = builder.build(); client = new PreBuiltXPackTransportClient(settings);
 
然后执行程序,结果就报错了,ES日志显示:
client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/172.16.3.137:54781}

求教各位前辈,我明明用的是同一个CA签署的啊,复制到本地的CA也是跟ES的CA一模一样,为啥就不信任了呢……
 
诚心求教这个问题!
已邀请:

zqc0512 - andy zhou

赞同来自:

xpack.security.transport.ssl.verification_mode: certificate
这玩意修改成
xpack.security.transport.ssl.verification_mode: none就OK了。
 

zqc0512 - andy zhou

赞同来自:

还是就是签发的时候有IP地址和域名 连接的时候要用这玩意……

要回复问题请先登录注册