我有以下 ElasticSearch 配置,其中 ES 配置为信任根 CA 和颁发 CA。(LDAP1 领域包含相关信息。)
xpack:
security:
enabled: true
transport:
ssl:
enabled: true
verification_mode: certificate
keystore:
path: /etc/elasticsearch/security/elastic-certificates.p12
truststore:
path: /etc/elasticsearch/security/elastic-certificates.p12
http:
ssl:
enabled: true
verification_mode: certificate
certificate_authorities: ["/etc/elasticsearch/security/rootCA.pem", "/etc/elasticsearch/security/issuingCA.pem"]
certificate: "/etc/elasticsearch/security/elstcweb1.company.com.cer"
key: "/etc/elasticsearch/security/elstcweb1.company.com.key"
authc:
realms:
native:
type: native
order: 0
ldap1:
type: ldap
order: 1
url: "ldaps://ldapserver.company.com:636"
bind_dn: "user"
user_search:
base_dn: "redacted"
group_search:
base_dn: "redacted"
ssl:
certificate_authorities: ["/etc/elasticsearch/security/rootCA.cer", "/etc/elasticsearch/security/issuingCA.cer"]
但是,当我尝试登录服务时,我收到以下 LDAP 异常。
[es-prod-1] Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ldapserver.company.com:636: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ldapserver.company.com:636' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(message='peer not authenticated', trace='getPeerCertificates(SSLSessionImpl.java:440)
我最初被告知,根证书和颁发 CA 证书是用于签署 LDAP 服务器证书的证书。然而,在使用进行故障排除时openssl verify,我收到了以下异常,这让我相信情况可能并非如此:
openssl verify -verbose -CAfile /etc/elasticsearch/security/[rootCA.cer,issuingCA.cer,combinedRootIssuingCA.cer] ldap.pem
ldap.pem: C = US, L = REDACTED, O = REDACTED, OU = DSS, CN = ldapserver.company.com, emailAddress = REDACTED
error 20 at 0 depth lookup:unable to get local issuer certificate
我通过以下方式获取了 LDAP 服务器的证书(ldap.pem在上面的例子中)openssl s_client:
openssl s_client -connect ldapserver.company.com:636 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldap.pem
鉴于上述情况,我认为 LDAP 服务器的证书未由根/颁发 CA 签名,这种评估是否正确?或者该s_client方法不是获取 LDAP 服务器 CA 的适当方法?
编辑:带有手动插入换行符的完整错误消息:
[2019-01-21T15:03:22,268][WARN ][o.e.x.s.a.AuthenticationService] [es-prod-1] Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ldapserver.company.com:636: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ldapserver.company.com:636' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(message='peer not authenticated', trace='getPeerCertificates(SSLSessionImpl.java:440)
verifySSLSocket(HostNameSSLSocketVerifier.java:113)
<init>(LDAPConnectionInternals.java:166) connect(LDAPConnection.java:860)
connect(LDAPConnection.java:760)
connect(LDAPConnection.java:710)
<init>(LDAPConnection.java:534)
getConnection(SingleServerSet.java:229)
getConnection(ServerSet.java:98)
getConnection(FailoverServerSet.java:545)
createConnection(LDAPConnectionPool.java:1205)
createConnection(LDAPConnectionPool.java:1178)
getConnection(LDAPConnectionPool.java:1706)
doPrivileged(AccessController.java:native)
privilegedConnect(LdapUtils.java:75)
searchForEntry(LdapUtils.java:258)
searchForEntry(LdapUtils.java:210)
findUser(LdapUserSearchSessionFactory.java:225)
getSessionWithPool(LdapUserSearchSessionFactory.java:78)
session(PoolingSessionFactory.java:101)
lambda$doAuthenticate$1(LdapRealm.java:125)
doRun(LdapRealm.java:283)
doRun(ThreadContext.java:723)
run(AbstractRunnable.java:37)
runWorker(ThreadPoolExecutor.java:1149)
run(ThreadPoolExecutor.java:624)
run(Thread.java:748)', revision=24201)')'))
答案1
最终需要信任第三个 CA。该 CA 签署了其 LDAP 服务器的 VIP 证书。