ELK troubleshooting: unable to connect to ES
===
After enabling TLS I found that only the local machine could connect, and only via its IP address; connecting to 127.0.0.1 or localhost failed.
No other host could connect either.
```bash=
curl https://localhost:9200
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:9200
```
In the elasticsearch_audit log I found:
```json=
{"type":"audit", "timestamp":"2022-01-20T12:57:57,621+0800", "node.id":"tUCQb6ADSLaZHr4VU8w7WA", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"127.0.0.1", "transport.profile":".http", "rule":"deny _all"}
```
It turned out the IP filter had been configured earlier, but security was not enabled at the time, so it never took effect until now.
```bash=
curl "https://IP:9200/_cluster/settings?pretty"
{
  "persistent" : {
    "cluster" : {
      "max_shards_per_node" : "2000"
    },
    "xpack" : {
      "monitoring" : {
        "collection" : {
          "enabled" : "true"
        }
      },
      "security" : {
        "http" : {
          "filter" : {
            "allow" : "IP",
            "deny" : "_all",
            "enabled" : "true"
          }
        },
        "transport" : {
          "filter" : {
            "allow" : "IP",
            "deny" : "_all",
            "enabled" : "false"
          }
        }
      }
    }
  },
  "transient" : { }
}
```
Disabling the HTTP filter fixed it!!
```bash=
curl -X PUT "https://IP:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
"persistent": {
"xpack.security.http.filter.enabled": false
}
}
'
```
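As an added example (not part of the original note), a small Python triage script for this situation: it counts `ip_filter` / `connection_denied` events in audit lines shaped like the one above, and evaluates the HTTP filter from the cluster settings against a given origin address using an approximation of the filter rules (allow rules take precedence, `_all` matches everything, no match means allowed; exact addresses only, no CIDR or wildcards). The audit lines and settings below are constructed, with 192.0.2.10 standing in for the note's redacted IP.

```python
import json

# Constructed sample audit lines in the same shape as the one quoted in the note;
# the node.id is the note's, the non-loopback addresses are made up (192.0.2.0/24).
SAMPLE_AUDIT = """\
{"type":"audit","timestamp":"2022-01-20T12:57:57,621+0800","node.id":"tUCQb6ADSLaZHr4VU8w7WA","event.type":"ip_filter","event.action":"connection_denied","origin.type":"rest","origin.address":"127.0.0.1","transport.profile":".http","rule":"deny _all"}
{"type":"audit","timestamp":"2022-01-20T12:58:01,002+0800","node.id":"tUCQb6ADSLaZHr4VU8w7WA","event.type":"ip_filter","event.action":"connection_denied","origin.type":"rest","origin.address":"192.0.2.25","transport.profile":".http","rule":"deny _all"}
{"type":"audit","timestamp":"2022-01-20T12:58:03,410+0800","node.id":"tUCQb6ADSLaZHr4VU8w7WA","event.type":"ip_filter","event.action":"connection_granted","origin.type":"rest","origin.address":"192.0.2.10","transport.profile":".http","rule":"allow 192.0.2.10"}
"""

# Constructed copy of the persistent security settings shown above, with the
# placeholder "IP" replaced by 192.0.2.10 (a documentation address).
SAMPLE_SETTINGS = {"persistent": {"xpack": {"security": {"http": {
    "filter": {"allow": "192.0.2.10", "deny": "_all", "enabled": "true"}}}}}, "transient": {}}


def denied_by_ip_filter(audit_lines: str) -> dict:
    """Count ip_filter connection_denied events per (transport.profile, origin.address)."""
    counts = {}
    for line in audit_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event.type") != "ip_filter" or ev.get("event.action") != "connection_denied":
            continue
        key = (ev.get("transport.profile", "?"), ev.get("origin.address", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts


def _rules(value) -> list:
    """Filter rules may come back as a comma-separated string or as a JSON array."""
    if isinstance(value, list):
        return [str(v).strip() for v in value]
    return [v.strip() for v in str(value).split(",") if v.strip()]


def http_filter_blocks(settings: dict, address: str) -> bool:
    """Approximate the HTTP IP filter: a disabled filter blocks nothing, allow rules win
    over deny rules, "_all" matches everything, and an address matching no rule is allowed."""
    f = settings.get("persistent", {}).get("xpack", {}).get("security", {}).get("http", {}).get("filter", {})
    if str(f.get("enabled", "false")).lower() != "true":
        return False
    allow = _rules(f.get("allow", ""))
    if address in allow or "_all" in allow:
        return False
    deny = _rules(f.get("deny", ""))
    return address in deny or "_all" in deny
```

Running `denied_by_ip_filter` over the real audit log points straight at the loopback and remote origins that were being refused, and `http_filter_blocks` shows why: with `deny: _all` enabled, anything other than the single allowed IP is rejected.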
ELK troubleshooting: client certificate cannot establish a connection
===
HTTP with TLS enabled, using a PKI realm to authenticate client certificates:
```yaml=
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.client_authentication: optional
xpack.security.authc.realms.pki.realm1.order: 1
```
The same error kept appearing: the CA certificate is trusted, yet the connection still fails to establish?
Very strange!
```
[2022-01-21T16:51:33,810][WARN ][o.e.c.s.DiagnosticTrustManager] [ES01] failed to establish trust with client at [<unknown host>]; the client provided a certificate with subject name [CN=ES01,DC=TW] and fingerprint [d33df0ef4c412115585e3f90dfdbccc696044232]; the certificate is issued by [CN=ROOT CA,DC=TW]; the certificate is signed by (subject [CN=ROOT CA,DC=TW] fingerprint [2b2f8bc39a8a84d640b3cf6cdbe659316ffe1e97] {trusted issuer}) which is self-issued; the [CN=ROOT CA,DC=TW] certificate is trusted in this ssl context ([xpack.security.http.ssl])
```
Reading further down the error message:
```
Extended key usage does not permit use for TLS client authentication
```
It turns out that certificates generated with certgen always include both clientAuth and serverAuth in extKeyUsage,
whereas mine happened to be issued by the company CA and lacked clientAuth, so no wonder verification failed!!
[Reference](https://www.elastic.co/guide/en/x-pack/5.4/ssl-tls.html#installing-node-certificates)
```
keyUsage :
digitalSignature,keyEncipherment
1.3.6.1.4.1.311.21.7 :
extKeyUsage :
serverAuth
1.3.6.1.4.1.311.21.10 :
```