Kibana cannot connect to Elasticsearch with a Let's Encrypt signed certificate
I am trying to run a 3-node Elasticsearch cluster with Kibana using Let's Encrypt. I copy-pasted the standard docker-compose.yml and environment files from the official Elasticsearch documentation here, and successfully used the self-signed certificates without errors. When I tried to swap the self-signed certificates for the Let's Encrypt signed certificates, the Elasticsearch cluster works, but Kibana stops with the error

```
kibana_1 | [2022-09-12T18:52:55.669+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. unable to get issuer certificate
```
All the Let's Encrypt signed certificates are mounted correctly into the container with the same owner/group and permissions as the self-signed certificates, e.g.

```
-rw-r----- 1 root root  991 Sep 12 14:03 bundle.zip
drwxr-x--- 2 root root 4096 Sep 12 13:38 ca
-rw-r----- 1 root root 2512 Sep 12 13:38 ca.zip
-rw-r----- 1 root root 1899 Sep 12 14:03 cert.pem
-rw-r----- 1 root root 7610 Sep 12 13:38 certs.zip
-rw-r----- 1 root root 3749 Sep 12 14:03 chain.pem
drwxr-x--- 2 root root 4096 Sep 12 13:38 es01
drwxr-x--- 2 root root 4096 Sep 12 13:38 es02
drwxr-x--- 2 root root 4096 Sep 12 13:38 es03
-rw-r----- 1 root root 5648 Sep 12 14:03 fullchain.pem
-rw-r----- 1 root root  272 Sep 12 13:38 instances.yml
-rw-r----- 1 root root 1826 Sep 12 14:03 intermediary.pem
-rw-r----- 1 root root 1704 Sep 12 14:03 privkey.pem
-rw-r----- 1 root root 1923 Sep 12 14:03 root.pem
```
I achieved this by running the following commands, as suggested in the official documentation.

```sh
sudo find certs/ -type f -exec chmod 640 "{}" \;
sudo find certs -type d -exec chmod 750 "{}" \;
```
The intermediary.pem and root.pem certificates were split out of the fullchain.pem certificate and tried as part of the CA certificate bundle, as suggested in another question like this one. I have tried many different combinations of these certificates in both the Elasticsearch and Kibana configurations, and while several of them work for the Elasticsearch nodes, none of them work with Kibana.

This is my latest attempt, using privkey.pem as the key, fullchain.pem as the certificate and chain.pem as the CA, as suggested for Elasticsearch here. The files below omit the "setup" container you would see in the official documentation.
docker-compose.yml

```yaml
version: "2.2"
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - esdata01:/usr/share/elasticsearch/data
      - ./certs:/usr/share/elasticsearch/config/certs
    ports:
      - ${ES_PORT}:9200
    environment:
      - node.name=es01
      - cluster.name=${CLUSTER_NAME}
      - cluster.initial_master_nodes=es01,es02,es03
      - discovery.seed_hosts=es02,es03
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem
      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem
      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem
      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem
      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
    mem_limit: ${MEM_LIMIT}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s --cacert /usr/share/elasticsearch/config/certs/chain.pem https://dev.mysite.com:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120
  es02:
    depends_on:
      - es01
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - esdata02:/usr/share/elasticsearch/data
      - ./certs:/usr/share/elasticsearch/config/certs
    environment:
      - node.name=es02
      - cluster.name=${CLUSTER_NAME}
      - cluster.initial_master_nodes=es01,es02,es03
      - discovery.seed_hosts=es01,es03
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem
      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem
      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem
      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem
      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
    mem_limit: ${MEM_LIMIT}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s --cacert /usr/share/elasticsearch/config/certs/chain.pem https://dev.mysite.com:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120
  es03:
    depends_on:
      - es02
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - esdata03:/usr/share/elasticsearch/data
      - ./certs:/usr/share/elasticsearch/config/certs
    environment:
      - node.name=es03
      - cluster.name=${CLUSTER_NAME}
      - cluster.initial_master_nodes=es01,es02,es03
      - discovery.seed_hosts=es01,es02
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem
      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem
      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem
      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem
      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
    mem_limit: ${MEM_LIMIT}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s --cacert /usr/share/elasticsearch/config/certs/chain.pem https://dev.mysite.com:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120
  kibana:
    depends_on:
      es01:
        condition: service_healthy
      es02:
        condition: service_healthy
      es03:
        condition: service_healthy
    image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
    volumes:
      - kibanadata:/usr/share/kibana/data
      - ./certs:/usr/share/kibana/config/certs
    ports:
      - ${KIBANA_PORT}:5601
    environment:
      - SERVER_HOST=0.0.0.0
      - SERVERNAME=dev.mysite.com
      - ELASTICSEARCH_HOSTS=https://dev.mysite.com:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/certs/chain.pem
    mem_limit: ${MEM_LIMIT}
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s -I http://dev.mysite.com:5601 | grep -q 'HTTP/1.1 302 Found'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120
volumes:
  esdata01:
    driver: local
  esdata02:
    driver: local
  esdata03:
    driver: local
  kibanadata:
    driver: local
```
.env

```sh
# Password for the 'elastic' user (at least 6 characters)
ELASTIC_PASSWORD=asdf1234
# Password for the 'kibana_system' user (at least 6 characters)
KIBANA_PASSWORD=asdf1234
# Version of Elastic products
STACK_VERSION=8.4.1
# Set the cluster name
CLUSTER_NAME=docker-cluster
# Set to 'basic' or 'trial' to automatically start the 30-day trial
LICENSE=basic
#LICENSE=trial
# Port to expose Elasticsearch HTTP API to the host
ES_PORT=9200
#ES_PORT=127.0.0.1:9200
# Port to expose Kibana to the host
KIBANA_PORT=5601
#KIBANA_PORT=80
# Increase or decrease based on the available host memory (in bytes)
MEM_LIMIT=1073741824
# Project namespace (defaults to the current folder name if not set)
#COMPOSE_PROJECT_NAME=myproject
```
I have confirmed that Elasticsearch is working, both by the absence of errors in the container output and by running

```sh
curl -u elastic:asdf1234 https://dev.mysite.com:9200/_cluster/health
```

which gives me the output

```json
{"cluster_name":"docker-cluster","status":"green","timed_out":false,"number_of_nodes":3,"number_of_data_nodes":3,"active_primary_shards":11,"active_shards":22,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":100.0}
```
Posted on 2022-09-13 15:33:52
Unlike Elasticsearch, in Kibana, for some reason, you cannot use any of the certificates Let's Encrypt gives you as the CA. You have to find the public root CA certificate of Let's Encrypt itself, which is isrgrootx1.pem and can be downloaded from letsencrypt.org/certs/isrgrootx1.pem. Unfortunately none of this is clear in the documentation anywhere, and after several days of fruitless searching I stumbled on this in another question like this one!

Once you have that certificate, mount it into the container and update the configuration as follows
```yaml
version: "2.2"
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - esdata01:/usr/share/elasticsearch/data
      - ./certs:/usr/share/elasticsearch/config/certs
    ports:
      - ${ES_PORT}:9200
    environment:
      - node.name=es01
      - cluster.name=${CLUSTER_NAME}
      - cluster.initial_master_nodes=es01,es02,es03
      - discovery.seed_hosts=es02,es03
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem
      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem
      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem
      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem
      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
    mem_limit: ${MEM_LIMIT}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s --cacert /usr/share/elasticsearch/config/certs/chain.pem https://dev.mysite.com:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120
  es02:
    depends_on:
      - es01
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - esdata02:/usr/share/elasticsearch/data
      - ./certs:/usr/share/elasticsearch/config/certs
    environment:
      - node.name=es02
      - cluster.name=${CLUSTER_NAME}
      - cluster.initial_master_nodes=es01,es02,es03
      - discovery.seed_hosts=es01,es03
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem
      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem
      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem
      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem
      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
    mem_limit: ${MEM_LIMIT}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s --cacert /usr/share/elasticsearch/config/certs/chain.pem https://dev.mysite.com:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120
  es03:
    depends_on:
      - es02
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - esdata03:/usr/share/elasticsearch/data
      - ./certs:/usr/share/elasticsearch/config/certs
    environment:
      - node.name=es03
      - cluster.name=${CLUSTER_NAME}
      - cluster.initial_master_nodes=es01,es02,es03
      - discovery.seed_hosts=es01,es02
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem
      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem
      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/privkey.pem
      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/fullchain.pem
      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/chain.pem
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
    mem_limit: ${MEM_LIMIT}
    ulimits:
      memlock:
        soft: -1
        hard: -1
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s --cacert /usr/share/elasticsearch/config/certs/chain.pem https://dev.mysite.com:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120
  kibana:
    depends_on:
      es01:
        condition: service_healthy
      es02:
        condition: service_healthy
      es03:
        condition: service_healthy
    image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
    volumes:
      - kibanadata:/usr/share/kibana/data
      - ./certs:/usr/share/kibana/config/certs
    ports:
      - ${KIBANA_PORT}:5601
    environment:
      - SERVER_HOST=0.0.0.0
      - SERVERNAME=dev.mysite.com
      - ELASTICSEARCH_HOSTS=https://dev.mysite.com:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/certs/isrgrootx1.pem
      - SERVER_SSL_ENABLED="true"
      - SERVER_SSL_KEY=/usr/share/kibana/config/certs/privkey.pem
      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/certs/fullchain.pem
      - SERVER_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/certs/chain.pem
    mem_limit: ${MEM_LIMIT}
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s -I http://dev.mysite.com:5601 | grep -q 'HTTP/1.1 302 Found'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120
volumes:
  esdata01:
    driver: local
  esdata02:
    driver: local
  esdata03:
    driver: local
  kibanadata:
    driver: local
```
Now everything should work fine!
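The following script is an added example and is not code from the question or the answer. It builds a constructed root / intermediate / leaf certificate hierarchy with openssl and shows why a CA file holding only the issuing intermediate (which is what certbot's chain.pem contains, never a self-signed root) fails OpenSSL's default chain verification with the same "unable to get issuer certificate" text that appears in the Kibana log, while a self-signed root as the trust anchor succeeds. All names, including the dev.example.test hostname, are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the question or answer): reproduce the
# "unable to get issuer certificate" failure with a constructed CA
# hierarchy, then show the same leaf verifying against a self-signed root.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension file so the intermediate is itself marked as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# Constructed self-signed root (plays the role of ISRG Root X1).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test Root" \
  -keyout root.key -out root.pem >/dev/null 2>&1
# Constructed intermediate (plays the role of the Let's Encrypt R3 issuer).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
  -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out int.pem >/dev/null 2>&1
# Constructed leaf certificate for the server, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dev.example.test" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 90 -out leaf.pem >/dev/null 2>&1
cat leaf.pem int.pem > fullchain.pem   # what certbot calls fullchain.pem
cp int.pem chain.pem                   # what certbot calls chain.pem (no root)

# verify_leaf CAFILE [UNTRUSTED]: exit 0 only if CAFILE contains a self-signed
# root that anchors the leaf's chain (OpenSSL's default verification policy).
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
  fi
}

# issuer_error CAFILE: exit 0 if verification fails with the Kibana error text.
issuer_error() {
  openssl verify -CAfile "$1" leaf.pem 2>&1 | grep -q 'unable to get issuer certificate'
}

verify_leaf chain.pem && echo "chain.pem as CA: ok" || echo "chain.pem as CA: FAIL"
verify_leaf root.pem fullchain.pem && echo "root.pem as CA: ok" || echo "root.pem as CA: FAIL"
```

The same distinction applies to the compose file above: the trust anchor handed to Kibana (ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES) must contain a self-signed root, whereas fullchain.pem is what the server presents so that clients receive the intermediate.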
https://stackoverflow.com/questions/73694227