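I am trying to connect to an Elasticsearch instance that sits behind an SSH tunnel. The domain of the Elasticsearch instance is *.ap-south-1.es.amazonaws.com, while on the local tunnel I connect via localhost:9201.
This is the code I use to connect to Elasticsearch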
RestHighLevelClient(RestClient.builder(HttpHost("localhost", 9201, "https")))
I get the following error
javax.net.ssl.SSLPeerUnverifiedException: Host name 'localhost' does not match the certificate subject provided by the peer (CN=*.ap-south-1.es.amazonaws.com)
I got this error when using PHP-Elasticsearch and fixed it using
$esClient->setSSLVerification(false);
I am hoping to find a similar approach for the Java RestClient.
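Answer 0 (score: 3)
This problem occurs because the hostname in the certificate is not localhost. To solve it, you need to disable SSL hostname verification; by doing the following, the verifier always returns true and the verification is skipped.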
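// The verifier below returns true for every hostname, so hostname verification is skipped
RestClientBuilder restClientBuilder = RestClient.builder(new HttpHost("localhost", 9201, "https"));
restClientBuilder.setHttpClientConfigCallback(httpAsyncClientBuilder ->
    httpAsyncClientBuilder.setSSLHostnameVerifier((s, sslSession) -> true));
RestHighLevelClient client = new RestHighLevelClient(restClientBuilder);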
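Answer 1 (score: 1)
For this, you have to disable a setting that verifies the hostname against the name you provided. This is a bug in Apache's HTTPClient; you have to mark the hostname as verified in the setSSLHostnameVerifier method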
val builder = RestClient.builder(host).setHttpClientConfigCallback { httpAsyncClientBuilder ->
    httpAsyncClientBuilder.setSSLHostnameVerifier { _, _ -> true }
}
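This will always override the setting you use for verifying the hostname with true
Answer 2 (score: 1)
I hope this gives a complete answer.
I hope it helps you. I ran into the same problem, and this is how I solved it.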
@Bean
public RestHighLevelClient createSimpleElasticClient() throws Exception {
    try {
        // Trust strategy returns true for every chain: no certificate is validated
        SSLContextBuilder sslBuilder = SSLContexts.custom()
                .loadTrustMaterial(null, (x509Certificates, s) -> true);
        final SSLContext sslContext = sslBuilder.build();
        RestHighLevelClient client = new RestHighLevelClient(RestClient
                .builder(new HttpHost(hostNameOrLoadbalancerURL, 443, "https"))
                // port number is given as 443 since it's the https scheme
                .setHttpClientConfigCallback(new HttpClientConfigCallback() {
                    @Override
                    public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                        return httpClientBuilder
                                .setSSLContext(sslContext)
                                // NoopHostnameVerifier accepts any hostname
                                .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
                    }
                })
                .setRequestConfigCallback(new RestClientBuilder.RequestConfigCallback() {
                    @Override
                    public RequestConfig.Builder customizeRequestConfig(
                            RequestConfig.Builder requestConfigBuilder) {
                        return requestConfigBuilder.setConnectTimeout(5000)
                                .setSocketTimeout(120000);
                    }
                }));
        System.out.println("elasticsearch client created");
        return client;
    } catch (Exception e) {
        System.out.println(e);
        // Keep the original exception as the cause so the failure reason is not lost
        throw new Exception("Could not create an elasticsearch client!!", e);
    }
}
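An added example, not taken from any of the posts above: when the client dials localhost through the tunnel, the hostname check can stay enabled by verifying the peer certificate against the real endpoint name rather than the dialled name, with certificate chain validation left at the JVM default. The class name, the pinnedTo helper and the REAL_HOST value are assumptions made for illustration; REAL_HOST is a placeholder for your own domain endpoint.

```java
import java.io.IOException;
import javax.net.ssl.HostnameVerifier;
import org.apache.http.HttpHost;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestHighLevelClient;

public class TunnelledEsClient {
    // Placeholder (assumption): the real endpoint name that the tunnel forwards to.
    static final String REAL_HOST = "your-domain.ap-south-1.es.amazonaws.com";

    // Hypothetical helper: ignores the name that was dialled (localhost) and runs
    // the standard hostname check against the name we expect in the certificate.
    static HostnameVerifier pinnedTo(String expectedHost) {
        HostnameVerifier standard = new DefaultHostnameVerifier();
        return (dialledHost, session) -> standard.verify(expectedHost, session);
    }

    static RestHighLevelClient create() {
        RestClientBuilder builder = RestClient
                .builder(new HttpHost("localhost", 9201, "https"))
                // No custom SSLContext: the chain is still validated against
                // the default trust store; only the name comparison changes.
                .setHttpClientConfigCallback(httpClientBuilder ->
                        httpClientBuilder.setSSLHostnameVerifier(pinnedTo(REAL_HOST)));
        return new RestHighLevelClient(builder);
    }

    public static void main(String[] args) throws IOException {
        try (RestHighLevelClient client = create()) {
            // The TLS handshake fails if the tunnel terminates at a server whose
            // certificate does not cover REAL_HOST.
            System.out.println("ping ok: " + client.ping(RequestOptions.DEFAULT));
        }
    }
}
```

With this verifier, a certificate for CN=*.ap-south-1.es.amazonaws.com is accepted over the tunnel, while a certificate for any other name is rejected.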