I have a 3-node ELK stack (Elasticsearch v7.17). After a restart, the Kibana web interface reports the error "Kibana server is not ready yet".
The SSL certificates had expired, so I recreated them (for the ELK CA, all 3 nodes, Kibana and Logstash). But the error persists, and /var/log/kibana/kibana.log reports:
{"type":"log","@timestamp":"2023-03-29T17:19:39+02:00","tags":["error","elasticsearch-service"],"pid":8271,"message":"Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: unable to authenticate user [kibana] for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip]"}
The command /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive -v produces the following output:
Running with configuration path: /etc/elasticsearch
Testing if bootstrap password is valid for http://10.0.0.1:9200/_security/_authenticate?pretty
{
  "username" : "elastic",
  "roles" : [
    "superuser"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "_reserved" : true
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  },
  "lookup_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  },
  "authentication_type" : "realm"
}
Checking cluster health: http://10.0.0.1:9200/_cluster/health?pretty
{
  "error" : {
    "root_cause" : [
      {
        "type" : "master_not_discovered_exception",
        "reason" : null
      }
    ],
    "type" : "master_not_discovered_exception",
    "reason" : null
  },
  "status" : 503
}
Failed to determine the health of the cluster running at http://10.0.0.1:9200
Unexpected response code [503] from calling GET http://10.0.0.1:9200/_cluster/health?pretty
Cause: master_not_discovered_exception
The Elasticsearch log says:
[2023-03-30T13:50:58,432][WARN ][o.e.d.PeerFinder ] [node1] address [10.0.0.2:9300], node [null], requesting [false] connection failed: [][10.0.0.2:9300] general node connection failure: handshake failed because connection reset
[2023-03-30T13:50:58,432][WARN ][o.e.t.TcpTransport ] [node1] exception caught on transport layer [Netty4TcpChannel{localAddress=/10.0.0.1:60126, remoteAddress=node2.example.org/10.0.0.2:9300, profile=default}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
No passwords were changed. The problem seems to be the new SSL certificates. So I created a new keystore with the command
/usr/share/elasticsearch/bin/elasticsearch-keystore create
and I am trying to add the CA certificate to it (and then the other certificates):
keytool -importcert -trustcacerts -noprompt -keystore /etc/elasticsearch/elasticsearch.keystore -file /etc/elasticsearch/certs/ca.crt
However, I get the following error:
keytool error: java.io.IOException: Invalid keystore format
I converted the CA certificate to PKCS12 and tried importing it in that format (ca.p12), because the keystore is defined as type PKCS12 in my configuration, but I get the same error.
What is wrong?
Excerpt from the file /etc/elasticsearch/elasticsearch.yml:
xpack.security.transport.ssl.keystore.path: elasticsearch.keystore
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.path: elasticsearch.keystore
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
Answer 1
Your Elasticsearch cluster is not set up correctly (master_not_discovered_exception), so Kibana cannot use it. As a result, Kibana cannot finish starting up.
The Elasticsearch log snippet shows (split across several lines for clarity):
io.netty.handler.codec.DecoderException: \
javax.net.ssl.SSLHandshakeException: \
PKIX path validation failed: \
java.security.cert.CertPathValidatorException: \
Path does not chain with any of the trust anchors
So the software apparently cannot find a certificate path between the currently trusted root CA certificate and the server certificate it is supposed to use. Did you miss an intermediate CA certificate between the root CA and the server certificate?
keytool error: java.io.IOException: Invalid keystore format
The keytool command is used to manipulate Java's generic keystore files (PKCS12 and JKS formats), but Elasticsearch seems to use its own keystore format, which can also contain arbitrary Elasticsearch settings and authentication key files in JSON format. There should be a dedicated elasticsearch-keystore tool:
https://www.elastic.co/guide/en/elasticsearch/reference/current/elasticsearch-keystore.html
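As an added example (not from the question, the answer or the Elastic project), a small Python check that tells from a file's first bytes whether it is an Elasticsearch secure-settings keystore (written with a Lucene codec header), a JKS or PKCS#12 store, or a PEM certificate, and which tool applies to it; this is the distinction behind keytool's "Invalid keystore format" in the question. The sample headers are constructed for the demo, not taken from any host.

```python
"""Classify a "keystore" file by its leading bytes before handing it to keytool."""
import struct

LUCENE_CODEC_MAGIC = struct.pack(">I", 0x3FD76C17)  # Lucene CodecUtil.CODEC_MAGIC, big-endian
ES_KEYSTORE_CODEC = b"elasticsearch.keystore"       # codec name the ES keystore writes after the magic
JKS_MAGIC = struct.pack(">I", 0xFEEDFEED)           # Java JKS keystore magic

TOOL_FOR = {
    "elasticsearch-keystore": "elasticsearch-keystore (secure settings only; not a TLS truststore)",
    "pkcs12": "keytool or openssl pkcs12",
    "jks": "keytool",
    "pem": "a PEM certificate: pass it as -file to keytool -importcert, not as -keystore",
}


def _der_length(data: bytes, off: int):
    """Parse the DER length at data[off]; return (length, offset of the content)."""
    first = data[off]
    if first < 0x80:                      # short form
        return first, off + 1
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(data[off + 1:off + 1 + n], "big"), off + 1 + n


def identify_keystore(data: bytes) -> str:
    if data.startswith(LUCENE_CODEC_MAGIC):
        # Lucene header: magic, vint-length-prefixed codec name, int format version
        name_len = data[4] if len(data) > 4 else 0
        return "elasticsearch-keystore" if data[5:5 + name_len] == ES_KEYSTORE_CODEC else "lucene-codec-file"
    if data.startswith(JKS_MAGIC):
        return "jks"
    if data.startswith(b"-----BEGIN "):
        return "pem"
    if data[:1] == b"\x30":
        # PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, macData OPTIONAL }
        try:
            _, off = _der_length(data, 1)
        except IndexError:                # header cut off before the length was complete
            return "unknown"
        return "pkcs12" if data[off:off + 3] == b"\x02\x01\x03" else "der-sequence"
    return "unknown"


def which_tool(data: bytes) -> str:
    return TOOL_FOR.get(identify_keystore(data), "unknown format; inspect with xxd before importing")


# Constructed headers standing in for real files (not read from a host).
SAMPLE_ES_KEYSTORE = LUCENE_CODEC_MAGIC + bytes([len(ES_KEYSTORE_CODEC)]) + ES_KEYSTORE_CODEC + struct.pack(">I", 4)
SAMPLE_PKCS12 = b"\x30\x82\x0b\x2f\x02\x01\x03\x30\x82\x0a\xf5"   # truncated start of a PFX
SAMPLE_JKS = JKS_MAGIC + struct.pack(">I", 2)
```

Run against /etc/elasticsearch/elasticsearch.keystore this reports the Elasticsearch format, which is why keytool refuses it; the TLS truststore must be a separate PKCS12 or JKS file.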