我使用SearchGuard对this guide之后的ElasticSearch集群中的节点进行加密
大师:
cluster.name: client1
searchguard.enterprise_modules_enabled: false
node.name: ekl.test.com
node.master: true
node.data: true
node.ingest: true
network.host: 0.0.0.0
#http.host: 0.0.0.0
network.publish_host: ["ekl1.test1.com","ekl.test.com"]
http.port: 9200
discovery.zen.ping.unicast.hosts: ["ekl.test.com", "ekl1.test1.com"]
discovery.zen.minimum_master_nodes: 1
xpack.security.enabled: false
searchguard.ssl.transport.pemcert_filepath: '/etc/elasticsearch/ssl/node1.pem'
searchguard.ssl.transport.pemkey_filepath: 'ssl/node1.key'
searchguard.ssl.transport.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: '/etc/elasticsearch/ssl/node1_http.pem'
searchguard.ssl.http.pemkey_filepath: '/etc/elasticsearch/ssl/node1_http.key'
searchguard.ssl.http.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.nodes_dn:
- CN=ekl.test.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
- CN=ekl1.test1.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
searchguard.authcz.admin_dn:
- CN=admin.test.com,OU=Ops,O=BugBear Com\, Inc.,DC=example,DC=com
节点:
cluster.name: client1
searchguard.enterprise_modules_enabled: false
node.name: ekl1.test.com
node.master: false
node.data: true
node.ingest: false
network.host: 0.0.0.0
#http.host: 0.0.0.0
network.publish_host: ["ekl1.test1.com","ekl.test.com"]
http.port: 9200
discovery.zen.ping.unicast.hosts: ["ekl.test.com", "ekl1.test1.com"]
discovery.zen.minimum_master_nodes: 1
xpack.security.enabled: false
searchguard.ssl.transport.pemcert_filepath: '/etc/elasticsearch/ssl/node2.pem'
searchguard.ssl.transport.pemkey_filepath: 'ssl/node2.key'
searchguard.ssl.transport.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: '/etc/elasticsearch/ssl/node2_http.pem'
searchguard.ssl.http.pemkey_filepath: '/etc/elasticsearch/ssl/node2_http.key'
searchguard.ssl.http.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.nodes_dn:
- CN=ekl.test.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
- CN=ekl1.test1.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
searchguard.authcz.admin_dn:
- CN=admin.test.com,OU=Ops,O=BugBear Com\, Inc.,DC=example,DC=com
Certificates are self-signed
从节点我可以通过ping和
主机名远程登录到端口9200/9300curl -kvX GET“ https://admin:pass@ekl.test.com:9200”工作正常。 节点上的错误:
[ekl1.test1.com]在ping期间发现的主节点不足(找到[],但需要1),再次ping
两个服务器名称都是正确的
我怀疑问题出在自签名证书中,我将其导入了受信任的根CA锚,但仍然存在错误。
如果我指定IP而不是主机名,则会得到:
在http中发现非法参数或传输请求。 这意味着一个节点正在尝试通过 非节点证书(未配置OID或searchguard.nodes_dn错误)或某人 欺骗请求。
ES Config路径为/ etc / elasticsearch [2019-03-28T21:25:56,450]由于Java,[INFO] [cfssDefaultSearchGuardKeyStore]> [ekl1.test1.com] OpenSSL不可用(这不是错误,我们只是>回退到内置JDK SSL) .lang.ClassNotFoundException:> io.netty.internal.tcnative.SSL
答案 0 :(得分:0)
发现它:必须添加到非主用户中:
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: ["ekl.test.com:9300"]
transport.host: ekl1.test1.com