We are trying to set up Shield with SSL on a local machine.
Elasticsearch version: 2.2.1
Kibana version: 4.4.1
Shield version: latest version
We generated self-signed crt, key and pem files as follows:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
openssl req -out CSR.csr -key privateKey.key -new
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
openssl x509 -in certificate.crt -out certificate.pem
keytool -importcert -keystore node01.jks -file certificate.pem -alias my_ca
keytool -certreq -alias node01 -keystore node01.jks -file CSR.csr -keyalg rsa -ext san=dns:XXX.com,ip:XXXX.xxxx.xxx
keytool -importcert -keystore node01.jks -file Certificate-signed.crt -alias node01
openssl x509 -in Certificate-signed.crt -out node01-signed-noheaders.crt
and added the Shield configuration.
Shield configuration:
shield.http.ssl: true
shield.transport.ssl: true
shield.ssl.keystore.key_password: XXXXX
shield.ssl.keystore.password: XXXX
shield.ssl.keystore.path: /es/config/shield/node01.jks
network.host: XX.XX.XX.XX
Kibana configuration:
elasticsearch.url: "https://XXXXX:9200"
elasticsearch.username: "username"
elasticsearch.password: "password"
elasticsearch.ssl.cert: /XXX/XXX/XXX/elasticsearchtls.crt
elasticsearch.ssl.key: /XXX/XXX/XXX/elasticsearchtls.key
elasticsearch.ssl.ca: /XXX/XXX/XXX/elasticsearch.pem
elasticsearch.ssl.verify: true
So when Kibana is run, the following errors show up in the elasticsearch log:
log [12:24:25.512] [error][elasticsearch] Request error, retrying -- self signed certificate
log [12:24:25.622] [warning][elasticsearch] Unable to revive connection: https://XXXX:9200/
log [12:24:25.624] [warning][elasticsearch] No living connections
log [12:24:25.627] [error][status][plugin:elasticsearch] Status changed from yellow to red - Unable to connect to Elasticsearch at https://XXXXXX:9200.
Afterwards, when I changed elasticsearch.ssl.verify: false,
Kibana works fine, but some errors show up in the elasticsearch log:
ElasticsearchSecurityException[missing authentication token for REST request [/_mget?timeout=0&ignore_unavailable=true&preference=1461307913497]]
The same issue occurs with the elasticsearch client. When we use rejectUnauthorized: true, the client does not connect to elasticsearch.
My question is:
Answer 0 (score: 1)
You are using unnecessary steps when generating and importing the keys. The certificate you generated is also not signed by a CA, so it will never be trusted.
Unless you have a large deployment, I would just use a self-signed certificate rather than a certificate signed by a self-signed CA.
1) Generate a self-signed certificate with the SAN extension, as shown in How can I generate a self-signed certificate with SubjectAltName using OpenSSL?
2) Combine the key and certificate into a PKCS12 container and import it into a Java keystore, as described here: importing an existing x509 certificate and private key in Java keystore to use in ssl
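The two steps above carried through as a script. This is an added example, not code from the original question or answer and not Shield or Kibana documentation. It assumes openssl is on PATH and skips the keytool import when no JDK is available; the hostname, IP address and keystore password are constructed placeholders. It also adds the check worth running before touching kibana.yml: verify the node certificate against the file that will be given to elasticsearch.ssl.ca, and confirm that verification against an unrelated certificate fails, which is the condition behind the "self signed certificate" error in the question.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl on PATH;
# the keytool import runs only when a JDK is available. Names, IP and
# password below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
NODE_DNS="es-node01.example.internal"   # placeholder: host used in elasticsearch.url
NODE_IP="192.0.2.10"                    # placeholder (TEST-NET-1 range)
STORE_PASS="changeit-example"           # placeholder: becomes shield.ssl.keystore.password

# Step 1: one self-signed certificate that carries a subjectAltName.
# Kibana (Node.js) matches the host in elasticsearch.url against the SAN,
# so every name or IP clients will use must be listed here.
gen_self_signed() {
  cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no
[dn]
CN = $NODE_DNS
[v3_san]
subjectAltName = DNS:$NODE_DNS, IP:$NODE_IP
EOF
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -config "$WORK/san.cnf" \
    -keyout "$WORK/node01.key" -out "$WORK/node01.crt" 2>/dev/null
  # A self-signed certificate is its own trust anchor: this copy is the
  # file to reference from Kibana's elasticsearch.ssl.ca.
  cp "$WORK/node01.crt" "$WORK/ca.pem"
}

# Step 2: bundle key + certificate into PKCS12, then import into a JKS
# keystore for shield.ssl.keystore.path.
bundle_pkcs12() {
  openssl pkcs12 -export -name node01 \
    -in "$WORK/node01.crt" -inkey "$WORK/node01.key" \
    -out "$WORK/node01.p12" -passout "pass:$STORE_PASS"
}

import_jks() {
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -noprompt \
      -srckeystore "$WORK/node01.p12" -srcstoretype PKCS12 -srcstorepass "$STORE_PASS" \
      -destkeystore "$WORK/node01.jks" -deststoretype JKS -deststorepass "$STORE_PASS"
  else
    echo "keytool not found; skipping JKS import" >&2
  fi
}

# Check 1: the SAN extension actually made it into the certificate.
san_present() {
  openssl x509 -in "$WORK/node01.crt" -noout -text | grep -q "DNS:$NODE_DNS"
}

# Check 2: the node certificate validates against ca.pem, which is what
# elasticsearch.ssl.verify: true requires of the elasticsearch.ssl.ca file.
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/node01.crt" >/dev/null 2>&1
}

# Check 3: an unrelated self-signed certificate as CA makes verification
# fail. Pointing elasticsearch.ssl.ca at a file that is not the node's
# certificate (or its issuer) is the state behind Kibana's
# "self signed certificate" error with verify: true.
verify_against_wrong_ca() {
  openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=unrelated.example" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  openssl verify -CAfile "$WORK/other.crt" "$WORK/node01.crt" >/dev/null 2>&1
}

gen_self_signed
bundle_pkcs12
import_jks
san_present && echo "SAN present in node01.crt"
verify_against_ca && echo "node01.crt verifies against ca.pem"
verify_against_wrong_ca || echo "verification against an unrelated CA fails, as expected"
```

The resulting node01.jks goes into shield.ssl.keystore.path with STORE_PASS as shield.ssl.keystore.password, and ca.pem is the file for Kibana's elasticsearch.ssl.ca; with that pairing elasticsearch.ssl.verify can stay true instead of being switched off.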