我安装了 ElasticSearch v6.2.4。它运行得很好,但最近出于安全原因,我安装了搜尋警勵插件为 ElasticSearch 集群提供 TLS 和身份验证功能。
目前我只有 1 个节点,其中安装了 SearchGuard 的演示证书。
Search Guard 到目前为止运行良好,除了当我必须使用弹性它显示一些证书不存在错误。
为了在 ES 中上传数据,excelastic 有一个配置文件,它会在执行前读取该文件。它包含有关身份验证的用户名和密码的信息。
这个:-
{
"web_port": 7777,
"elastic_port": 9200,
"elastic_host": "localhost",
"elastic_tls": true,
"authentication": true,
"basic": "admin:admin"
}
以下是 ElasticSearch 日志详细信息:-
[2019-04-04T10:14:30,602][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [OCMpWyk] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_74]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
at java.lang.Thread.run(Unknown Source) [?:1.8.0_74]
Excelastic 日志详细信息如下:-
Apr 04, 2019 10:14:30 AM io.vertx.core.http.impl.HttpClientRequestImpl
> SEVERE: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
> Apr 04, 2019 10:14:30 AM io.netty.channel.DefaultChannelPipeline onUnhandledInbo
> undException
> WARNING: An exceptionCaught() event was fired, and it reached at the tail of the
> pipeline. It usually means the last handler in the pipeline did not handle the
> exception.
> io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Ge
> neral SSLEngine problem
> at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageD
> ecoder.java:459)
> at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessage
> Decoder.java:265)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
> ractChannelHandlerContext.java:362)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
> ractChannelHandlerContext.java:348)
> at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(Abstra
> ctChannelHandlerContext.java:340)
> at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(Defau
> ltChannelPipeline.java:1359)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
> ractChannelHandlerContext.java:362)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
> ractChannelHandlerContext.java:348)
> at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChanne
> lPipeline.java:935)
> at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(Abstra
> ctNioByteChannel.java:141)
> at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.jav
> a:645)
> at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEve
> ntLoop.java:580)
> at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.ja
> va:497)
> at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
> at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThread
> EventExecutor.java:886)
> at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalR
> unnable.java:30)
> at java.lang.Thread.run(Unknown Source)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
> at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
> at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.jav
> a:292)
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1248)
> at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1
> 159)
> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1194)
> at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProte
> ction(ByteToMessageDecoder.java:489)
> at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageD
> ecoder.java:428)
> ... 16 more
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Alerts.getSSLException(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
> at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
> at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
> at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> at sun.security.ssl.Handshaker$1.run(Unknown Source)
> at sun.security.ssl.Handshaker$1.run(Unknown Source)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
> at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:140
> 8)
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1316)
> ... 20 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
> d certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
> at sun.security.validator.Validator.validate(Unknown Source)
> at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Sour
> ce)
> ... 29 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Sourc
> e)
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
> Source)
> at java.security.cert.CertPathBuilder.build(Unknown Source)
> ... 35 more
有人可以建议一些选择吗?
答案1
因此我发现,我使用 Search Guard 插件在 ElasticSearch 中用于 TLS 的证书不存在于我的 JVM 信任库中。因此,当我执行 excelastic jar 文件时,它会显示此错误。
Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
d certification path to requested target
解决此问题:
首先,我使用 Windows 中的 keytool 命令行工具创建了一个信任库。
$keytool -importcert -keystore mytruststore.jks -alias excelastictry -file servercert.pem
然后我在运行时执行 excelastic.jar 文件时提供了 trustStore 路径,如下所示
$java -Djavax.net.ssl.trustStore="path/to/mytruststore.jks" -jar excelastic-1.2.7.jar
最后,excelastic web 门户能够识别 ES 版本并上传数据。