Kibana is not connecting with elasticsearch shield SSL


Problem description


We are trying to set up Shield SSL on a local machine.

Elasticsearch version : 2.2.1
Kibana version : 4.4.1
Shield version : Latest version

We generated self signed crt, key, pem file as below:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
openssl req -out CSR.csr -key privateKey.key -new
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
openssl x509 -in certificate.crt -out certificate.pem
keytool -importcert -keystore node01.jks -file certificate.pem -alias my_ca
keytool -certreq -alias node01 -keystore node01.jks -file CSR.csr -keyalg rsa -ext san=dns:XXX.com,ip:XXXX.xxxx.xxx
keytool -importcert -keystore node01.jks -file Certificate-signed.crt -alias node01
openssl x509 -in Certificate-signed.crt -out node01-signed-noheaders.crt

and added in shield configuration.

Shield configuration:

shield.http.ssl: true
shield.transport.ssl: true
shield.ssl.keystore.key_password: XXXXX
shield.ssl.keystore.password: XXXX
shield.ssl.keystore.path: /es/config/shield/node01.jks
network.host: XX.XX.XX.XX

Kibana configuration:

elasticsearch.url: "https://XXXXX:9200"
elasticsearch.username: "username"
elasticsearch.password: "password"
elasticsearch.ssl.cert: /XXX/XXX/XXX/elasticsearchtls.crt
elasticsearch.ssl.key: /XXX/XXX/XXX/elasticsearchtls.key
elasticsearch.ssl.ca: /XXX/XXX/XXX/elasticsearch.pem
elasticsearch.ssl.verify: true

So when we run Kibana, the error below is displayed in the Elasticsearch log:

log [12:24:25.512] [error][elasticsearch] Request error, retrying -- self signed certificate
log [12:24:25.622] [warning][elasticsearch] Unable to revive connection: https://XXXX:9200/
log [12:24:25.624] [warning][elasticsearch] No living connections
log [12:24:25.627] [error][status][plugin:elasticsearch] Status changed from yellow to red - Unable to connect to Elasticsearch at https://XXXXXX:9200.

After that, when I change elasticsearch.ssl.verify to false, Kibana works fine, but some errors show in the Elasticsearch log:

ElasticsearchSecurityException[missing authentication token for REST request [/_mget?timeout=0&ignore_unavailable=true&preference=1461307913497]]

The same issue also occurs in the elastic client. When we use rejectUnauthorized: true, the client does not connect to Elasticsearch.

My questions are:

  • Does a self-signed certificate work with Elasticsearch and Kibana or not?
  • Do we have to buy a commercial CA certificate?
  • Are we missing anything?

Solution

You are using unnecessary steps when generating and importing the key. Also, the certificate you are generating is not signed by the CA, and hence it will never be trusted.

Unless you have a large deployment, I would just use a self-signed certificate, rather than a certificate signed by a self-signed CA.

1) Generate a self-signed certificate with SAN extensions, as indicated here: How can I generate a self-signed certificate with SubjectAltName using OpenSSL?

2) Merge the key and certificate in a PKCS12 container and import it into a Java keystore, as explained here: importing an existing x509 certificate and private key in Java keystore to use in ssl
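
The two steps above, sketched as shell functions together with the checks worth running before pointing Kibana at the result. This is an added example, not code from the original answer or the linked posts; the host name es.example.test, the address 192.0.2.10, the alias node01 and the password changeit are placeholders, and `-addext` and `-ext` assume OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example: every name, address and password used with it is a placeholder.

# Step 1: self-signed certificate whose SAN carries the DNS name and IP
# that clients will actually connect to.
gen_selfsigned() {  # usage: gen_selfsigned <dns-name> <ip> <basename>
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1,IP:$2" \
    -keyout "$3.key" -out "$3.crt" 2>/dev/null
}

# Step 2a: bundle the private key and certificate into one PKCS12 container.
to_pkcs12() {  # usage: to_pkcs12 <basename> <password>
  openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -name "$1" \
    -out "$1.p12" -passout "pass:$2"
}

# Step 2b: convert the PKCS12 container into the JKS keystore Shield loads.
to_jks() {  # usage: to_jks <basename> <password>
  keytool -importkeystore -noprompt \
    -srckeystore "$1.p12" -srcstoretype PKCS12 -srcstorepass "$2" \
    -destkeystore "$1.jks" -deststoretype JKS \
    -deststorepass "$2" -destkeypass "$2"
}

# Check: print the SAN extension so a missing or wrong name is caught early.
san_of() { openssl x509 -in "$1.crt" -noout -ext subjectAltName; }

# Check: the certificate validates when used as its own trust anchor,
# which is what a client does when this file is configured as its CA.
trusts_itself() { openssl verify -CAfile "$1.crt" "$1.crt" >/dev/null 2>&1; }

# Typical sequence (run in an empty working directory):
#   gen_selfsigned es.example.test 192.0.2.10 node01
#   san_of node01 && trusts_itself node01
#   to_pkcs12 node01 changeit && to_jks node01 changeit
```

With a self-signed certificate, the certificate file itself is the trust anchor: setting `elasticsearch.ssl.ca` in Kibana to the generated `.crt` lets `elasticsearch.ssl.verify: true` stay enabled.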
