ELK 茶包 - 無法連線至ES

設定完TLS 發現只能本機用IP連,使用127.0.0.1及localhost無法連線
其他主機也都無法連線



curl https://localhost:9200
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:9200

在 elasticsearch_audit 發現


{"type":"audit", "timestamp":"2022-01-20T12:57:57,621+0800", "node.id":"tUCQb6ADSLaZHr4VU8w7WA", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"127.0.0.1", "transport.profile":".http", "rule":"deny _all"}

原來是之前設定到，但沒啟用security所以沒生效

































curl "https://IP:9200/_cluster/settings?pretty"
{
  "persistent" : {
    "cluster" : {
      "max_shards_per_node" : "2000"
    },
    "xpack" : {
      "monitoring" : {
        "collection" : {
          "enabled" : "true"
        }
      },
      "security" : {
        "http" : {
          "filter" : {
            "allow" : "IP",
            "deny" : "_all",
            "enabled" : "true"
          }
        },
        "transport" : {
          "filter" : {
            "allow" : "IP",
            "deny" : "_all",
            "enabled" : "false"
          }
        }
      }
    }
  },
  "transient" : { }
}

把它disable就沒事了!!







curl -X PUT "https://IP:9200/_cluster/settings"  -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "xpack.security.http.filter.enabled": false
  }
}
'

ELK 茶包 - client 憑證無法建立連線

http 開啟TLS，使用 PKI 驗證 client 憑證




xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.client_authentication: optional
xpack.security.authc.realms.pki.realm1.order: 1

發現一直出現錯誤訊息，CA憑證是信任的但是還是建立連線失敗?
太詭異了!

[2022-01-21T16:51:33,810][WARN ][o.e.c.s.DiagnosticTrustManager] [ES01] failed to establish trust with client at [<unknown host>]; the client provided a certificate with subject name [CN=ES01,DC=TW] and fingerprint [d33df0ef4c412115585e3f90dfdbccc696044232]; the certificate is issued by [CN=ROOT CA,DC=TW]; the certificate is signed by (subject [CN=ROOT CA,DC=TW] fingerprint [2b2f8bc39a8a84d640b3cf6cdbe659316ffe1e97] {trusted issuer}) which is self-issued; the [CN=ROOT CA,DC=TW] certificate is trusted in this ssl context ([xpack.security.http.ssl])

錯誤訊息往下看

Extended key usage does not permit use for TLS client authentication

原來使用certgen產生的憑證，extKeyUsage 都會包含 clientAuth 與 serverAuth
而我剛剛好是用公司的CA產出，少了clientAuth，難怪驗不過去!!
參考

  keyUsage :
    digitalSignature,keyEncipherment
  1.3.6.1.4.1.311.21.7 :
  extKeyUsage :
    serverAuth
  1.3.6.1.4.1.311.21.10 :

Syntax	Example	Reference
# Header	Header	基本排版
- Unordered List	Unordered List
1. Ordered List	Ordered List
- [ ] Todo List	Todo List
> Blockquote	Blockquote
Bold font	Bold font
Italics font	Italics font
~~Strikethrough~~	~~Strikethrough~~
19^th^	19^th
H~2~O	H₂O
++Inserted text++	Inserted text
==Marked text==	Marked text
[link text](https:// "title")	Link
![image alt](https:// "title")	Image
`Code`	`Code`	在筆記中貼入程式碼
```javascript var i = 0; ```	`var i = 0;`	在筆記中貼入程式碼
:smile:		Emoji list
{%youtube youtube_id %}	Externals
$L^aT_eX$	L^aT_eX
:::info This is a alert area. :::	This is a alert area.