
ELK troubleshooting - cannot connect to ES

After setting up TLS, Elasticsearch could only be reached locally via its IP address; connecting to 127.0.0.1 or localhost failed, and no other host could connect either.

```
curl https://localhost:9200
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:9200
```

Found this in the elasticsearch_audit log:

```json
{"type":"audit", "timestamp":"2022-01-20T12:57:57,621+0800", "node.id":"tUCQb6ADSLaZHr4VU8w7WA", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"127.0.0.1", "transport.profile":".http", "rule":"deny _all"}
```

It turned out an IP filter had been configured earlier, but because security was not enabled at the time it never took effect.

```
curl "https://IP:9200/_cluster/settings?pretty"
```

```json
{
  "persistent" : {
    "cluster" : {
      "max_shards_per_node" : "2000"
    },
    "xpack" : {
      "monitoring" : {
        "collection" : {
          "enabled" : "true"
        }
      },
      "security" : {
        "http" : {
          "filter" : {
            "allow" : "IP",
            "deny" : "_all",
            "enabled" : "true"
          }
        },
        "transport" : {
          "filter" : {
            "allow" : "IP",
            "deny" : "_all",
            "enabled" : "false"
          }
        }
      }
    }
  },
  "transient" : { }
}
```

Disabling it fixed the problem!!

```
curl -X PUT "https://IP:9200/_cluster/settings" -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "xpack.security.http.filter.enabled": false
  }
}
'
```
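The lockout above is easy to triage offline once you have the audit log and a saved settings response. The following is an added example (not part of the note) that counts ip_filter denials per origin and rule, and reads the http/transport filter settings from a `GET /_cluster/settings?flat_settings=true` response. The audit lines and settings file are constructed to match the shapes shown above, with 192.0.2.10 as a placeholder for the single allowed host IP.

```shell
#!/bin/sh
# Added example, not from the note: triage an Elasticsearch IP-filter lockout offline.
# Works on saved files, so it can be run from any host. The sample contents below are
# constructed to match the audit event and settings shown in the note; 192.0.2.10 is a
# placeholder for the one allowed host IP.
set -e
WORK=$(mktemp -d)

# Constructed audit events in the same shape as the connection_denied event above.
cat > "$WORK/audit.json" <<'EOF'
{"type":"audit", "timestamp":"2022-01-20T12:57:57,621+0800", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"127.0.0.1", "transport.profile":".http", "rule":"deny _all"}
{"type":"audit", "timestamp":"2022-01-20T12:58:02,118+0800", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.0.0.7", "transport.profile":".http", "rule":"deny _all"}
{"type":"audit", "timestamp":"2022-01-20T12:58:02,118+0800", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"127.0.0.1", "transport.profile":".http", "rule":"deny _all"}
{"type":"audit", "timestamp":"2022-01-20T12:58:09,552+0800", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"192.0.2.10", "transport.profile":".http", "rule":"allow 192.0.2.10"}
EOF

# Constructed output of GET /_cluster/settings?flat_settings=true (flat keys are grep-friendly).
cat > "$WORK/settings.json" <<'EOF'
{
  "persistent" : {
    "xpack.security.http.filter.allow" : "192.0.2.10",
    "xpack.security.http.filter.deny" : "_all",
    "xpack.security.http.filter.enabled" : "true",
    "xpack.security.transport.filter.allow" : "192.0.2.10",
    "xpack.security.transport.filter.deny" : "_all",
    "xpack.security.transport.filter.enabled" : "false"
  },
  "transient" : { }
}
EOF

# Count ip_filter denials per origin address and matched rule: "<count> <address> <rule>".
denied_origins() {  # $1 = audit log path
  grep -F '"event.action":"connection_denied"' "$1" \
    | sed -n 's/.*"origin.address":"\([^"]*\)".*"rule":"\([^"]*\)".*/\1 \2/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Print the filter settings of one profile (http or transport) on a single line.
filter_state() {  # $1 = flat settings path, $2 = http|transport
  out=""
  for k in enabled allow deny; do
    v=$(sed -n "s/.*\"xpack\.security\.$2\.filter\.$k\" *: *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1)
    out="$out$k=${v:-<unset>} "
  done
  printf '%s\n' "${out% }"
}

# Exit 0 when the profile's filter is enabled and denies everything not on the allow list,
# which is the combination that locked out localhost in the note.
filter_locks_out_everyone_else() {  # $1 = flat settings path, $2 = http|transport
  filter_state "$1" "$2" | grep -q 'enabled=true .*deny=_all'
}

denied_origins "$WORK/audit.json"
filter_state "$WORK/settings.json" http
filter_state "$WORK/settings.json" transport
```

The transport profile in the sample shows the same allow/deny pair with `enabled=false`, which is exactly the state the note describes: rules that are present but dormant until the filter (and security) is switched on, so they are worth listing even when nothing is being denied yet.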

ELK troubleshooting - client certificate cannot establish a connection

TLS is enabled on HTTP, with a PKI realm authenticating client certificates:

```yaml
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.client_authentication: optional
xpack.security.authc.realms.pki.realm1.order: 1
```

An error message kept appearing: the CA certificate is trusted, yet the connection still fails?
Very strange!

```
[2022-01-21T16:51:33,810][WARN ][o.e.c.s.DiagnosticTrustManager] [ES01] failed to establish trust with client at [<unknown host>]; the client provided a certificate with subject name [CN=ES01,DC=TW] and fingerprint [d33df0ef4c412115585e3f90dfdbccc696044232]; the certificate is issued by [CN=ROOT CA,DC=TW]; the certificate is signed by (subject [CN=ROOT CA,DC=TW] fingerprint [2b2f8bc39a8a84d640b3cf6cdbe659316ffe1e97] {trusted issuer}) which is self-issued; the [CN=ROOT CA,DC=TW] certificate is trusted in this ssl context ([xpack.security.http.ssl])
```

Reading further down the error message:

```
Extended key usage does not permit use for TLS client authentication
```

It turns out that certificates generated by certgen include both clientAuth and serverAuth in extKeyUsage, whereas mine happened to be issued by the company CA and was missing clientAuth, so no wonder verification failed!!
For reference:

```
  keyUsage :
    digitalSignature,keyEncipherment
  1.3.6.1.4.1.311.21.7 :
  extKeyUsage :
    serverAuth
  1.3.6.1.4.1.311.21.10 :
```
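The same mismatch can be caught before a certificate is handed to Elasticsearch. The following is an added example (not from the note and not Elastic's code) that reproduces the failure with openssl: a throwaway root CA issues one leaf with only serverAuth (what the company CA produced) and one with serverAuth,clientAuth (what certgen produces), and `openssl verify -purpose sslclient` shows which one is acceptable as a TLS client. It assumes openssl is on PATH; the CA name, leaf names, keys and certificates are all generated in a temporary directory and are not the note's real ones.

```shell
#!/bin/sh
# Added example, not from the note: reproduce the extKeyUsage failure with openssl.
# Assumes openssl is on PATH. Every key and cert here is throwaway and generated locally.
set -e
WORK=$(mktemp -d)

# Build a throwaway root CA (stands in for the company CA, CN=ROOT CA in the note).
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = TEST ROOT CA
[ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a leaf certificate signed by the root. $1 = name, $2 = extendedKeyUsage value.
issue_leaf() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $1
EOF
  cat > "$WORK/$1.ext" <<EOF
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = $2
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Print the extKeyUsage line of a cert, to see what the CA actually put in it.
eku_of() {  # $1 = cert path
  openssl x509 -in "$1" -noout -text | awk '/X509v3 Extended Key Usage/{getline; sub(/^ +/, ""); print}'
}

# Exit 0 only if the cert lists clientAuth in its extKeyUsage.
has_client_auth() {  # $1 = cert path
  eku_of "$1" | grep -q 'TLS Web Client Authentication'
}

# The purpose check a TLS server applies to a client cert: valid for the sslclient
# purpose when chained to the CA? $1 = leaf cert path, $2 = CA bundle path.
verify_as_client() {
  openssl verify -purpose sslclient -CAfile "$2" "$1" >/dev/null 2>&1
}

make_ca
issue_leaf server-only serverAuth            # what the company CA produced
issue_leaf both serverAuth,clientAuth        # what certgen would produce

for name in server-only both; do
  if verify_as_client "$WORK/$name.crt" "$WORK/ca.crt"; then r=OK; else r=REJECTED; fi
  printf '%-12s EKU=[%s] sslclient=%s\n' "$name" "$(eku_of "$WORK/$name.crt")" "$r"
done
```

The sslclient purpose applies the rule the DiagnosticTrustManager message describes: an extKeyUsage extension that is present but does not include clientAuth disqualifies the certificate as a TLS client, no matter how trusted its issuer is. Running `has_client_auth` on a cert before installing it for the PKI realm avoids discovering this from the server log.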