Not enough master nodes discovered during pinging - Elasticsearch cluster with self-signed certificates

Time: 2019-03-28 21:20:25

Tags: elasticsearch ssl-certificate

I am using SearchGuard to encrypt the nodes in an ElasticSearch cluster, following this guide.

Master:

cluster.name: client1
searchguard.enterprise_modules_enabled: false


node.name: ekl.test.com
node.master: true
node.data: true
node.ingest: true


network.host: 0.0.0.0

#http.host: 0.0.0.0
network.publish_host: ["ekl1.test1.com","ekl.test.com"]



http.port: 9200


discovery.zen.ping.unicast.hosts: ["ekl.test.com", "ekl1.test1.com"]


discovery.zen.minimum_master_nodes: 1

xpack.security.enabled: false


searchguard.ssl.transport.pemcert_filepath: '/etc/elasticsearch/ssl/node1.pem'
searchguard.ssl.transport.pemkey_filepath: 'ssl/node1.key'
searchguard.ssl.transport.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: '/etc/elasticsearch/ssl/node1_http.pem'
searchguard.ssl.http.pemkey_filepath: '/etc/elasticsearch/ssl/node1_http.key'
searchguard.ssl.http.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.nodes_dn:
- CN=ekl.test.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
- CN=ekl1.test1.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
searchguard.authcz.admin_dn:
- CN=admin.test.com,OU=Ops,O=BugBear Com\, Inc.,DC=example,DC=com

Node:

cluster.name: client1
searchguard.enterprise_modules_enabled: false


node.name: ekl1.test.com
node.master: false
node.data: true
node.ingest: false


network.host: 0.0.0.0

#http.host: 0.0.0.0
network.publish_host: ["ekl1.test1.com","ekl.test.com"]



http.port: 9200


discovery.zen.ping.unicast.hosts: ["ekl.test.com", "ekl1.test1.com"]


discovery.zen.minimum_master_nodes: 1

xpack.security.enabled: false


searchguard.ssl.transport.pemcert_filepath: '/etc/elasticsearch/ssl/node2.pem'
searchguard.ssl.transport.pemkey_filepath: 'ssl/node2.key'
searchguard.ssl.transport.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: '/etc/elasticsearch/ssl/node2_http.pem'
searchguard.ssl.http.pemkey_filepath: '/etc/elasticsearch/ssl/node2_http.key'
searchguard.ssl.http.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.nodes_dn:
- CN=ekl.test.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
- CN=ekl1.test1.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
searchguard.authcz.admin_dn:
- CN=admin.test.com,OU=Ops,O=BugBear Com\, Inc.,DC=example,DC=com

Certificates are self-signed.

From the node I can ping the hostname and telnet to it on ports 9200/9300.

curl -kvX GET "https://admin:pass@ekl.test.com:9200" works fine. Error on the node:

[ekl1.test1.com] not enough master nodes discovered during pinging (found [], but needed 1), pinging again

Both server names are correct.

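I suspect the problem is in the self-signed certificates. I imported them into the trusted root CA anchors, but the error is still there.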

If I specify the IP instead of the hostname, I get:

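Illegal parameter in http or transport request found. This means that one node is trying to connect with a non-node certificate (no OID or searchguard.nodes_dn incorrectly configured) or that someone is spoofing requests.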

  

ES Config path is /etc/elasticsearch
[2019-03-28T21:25:56,450][INFO][cfssDefaultSearchGuardKeyStore] [ekl1.test1.com] OpenSSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: io.netty.internal.tcnative.SSL

1 Answer:

Answer 0: (score: 0)

Found it: had to add to the non-master:

transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: ["ekl.test.com:9300"]
transport.host: ekl1.test1.com
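
The Search Guard message quoted in the question names searchguard.nodes_dn as one possible cause, so a useful check is to compare a node certificate's subject with the configured entries one RDN at a time, taking the escaped comma in `O=BugBear BG\, Ltd.` into account. The following is an added example, not code from the original post or from Search Guard; the function names and the sample certificate subject are hypothetical, and it does a plain component comparison rather than reproducing Search Guard's own matching rules.

```python
# Added example: diff a certificate subject DN against searchguard.nodes_dn entries.

# nodes_dn entries as they appear in the configs above.
NODES_DN = [
    "CN=ekl.test.com,OU=Ops,O=BugBear BG\\, Ltd.,DC=BugBear,DC=com",
    "CN=ekl1.test1.com,OU=Ops,O=BugBear BG\\, Ltd.,DC=BugBear,DC=com",
]
# Constructed sample subject (hypothetical), in the form printed by
# `openssl x509 -in <cert> -noout -subject -nameopt RFC2253`.
CERT_SUBJECT = "CN=ekl1.test.com,OU=Ops,O=BugBear BG\\, Ltd.,DC=BugBear,DC=com"

def split_rdns(dn):
    """Split a DN on unescaped commas; an escaped pair such as '\\,' stays inside its RDN."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape and the escaped character together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def normalize(rdn):
    """Return (ATTRIBUTE, value) with the attribute upper-cased and '\\,' unescaped."""
    key, _, value = rdn.partition("=")
    return key.strip().upper(), value.strip().replace("\\,", ",")

def first_mismatch(cert_dn, configured_dn):
    """Return None when every RDN agrees, else (index, cert_rdn, configured_rdn)."""
    a = [normalize(r) for r in split_rdns(cert_dn)]
    b = [normalize(r) for r in split_rdns(configured_dn)]
    for i in range(max(len(a), len(b))):
        left = a[i] if i < len(a) else None
        right = b[i] if i < len(b) else None
        if left != right:
            return i, left, right
    return None

def check(cert_dn, nodes_dn):
    """Map each nodes_dn entry to its first mismatch against cert_dn (None means equal)."""
    return {entry: first_mismatch(cert_dn, entry) for entry in nodes_dn}

if __name__ == "__main__":
    for entry, diff in check(CERT_SUBJECT, NODES_DN).items():
        print("MATCH   " if diff is None else "MISMATCH", entry, diff or "")
```
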