Cannot validate certificate - doesn't contain any IP SANs

I am currently setting up an ELK (Elasticsearch, Logstash and Kibana) stack.

My ELK server's IP address is 172.29.225.32

The Elasticsearch configuration is:

```
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 172.29.225.32
#
# Set a custom port for HTTP:
#
http.port: 9200
```

Then I generated my SSL configuration. I am using IP-based connections:

vim /etc/pki/tls/openssl.cnf
```
[ v3_ca ]
subjectAltName = IP:172.29.225.32
```

Then I generated my certificate:

```
openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout /etc/pki/tls/private/logstash-forwarder.key -out /etc/pki/tls/certs/logstash-forwarder.crt
```

I am using Beats. So my Beats configuration is:

```
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
```

Then I installed Beats and configured it:

vim  /etc/filebeat/filebeat.yml
```
output:

  ### Elasticsearch as output
  elasticsearch:
    hosts: ["172.29.225.32:9200"]
  tls:
    certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
  logstash:
    hosts: ["172.29.225.32:5044"]
```

When I start filebeat, I get an error:

```
# systemctl status filebeat
● filebeat.service - filebeat
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-06-09 13:45:35 GMT; 5s ago
     Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
 Main PID: 27273 (filebeat)
   CGroup: /system.slice/filebeat.service
           └─27273 /usr/bin/filebeat -c /etc/filebeat/filebeat.yml

Jun 09 13:45:35 supportserver /usr/bin/filebeat[27273]: transport.go:125: SSL client failed to connect with: x509: cannot validate certificate for 172.29.225.32 because it doesn't contain any IP SANs
Jun 09 13:45:35 supportserver /usr/bin/filebeat[27273]: transport.go:125: SSL client failed to connect with: x509: cannot validate certificate for 172.29.225.32 because it doesn't contain any IP SANs
Jun 09 13:45:36 supportserver /usr/bin/filebeat[27273]: transport.go:125: SSL client failed to connect with: x509: cannot validate certificate for 172.29.225.32 because it doesn't contain any IP SANs
Jun 09 13:45:38 supportserver /usr/bin/filebeat[27273]: transport.go:125: SSL client failed to connect with: x509: cannot validate certificate for 172.29.225.32 because it doesn't contain any IP SANs
```

I searched the vast expanse of the internet for alternative ways of generating the certificate. What I ended up doing was:

```
curl -O https://raw.githubusercontent.com/driskell/log-courier/1.x/src/lc-tlscert/lc-tlscert.go
go build lc-tlscert.go

./lc-tlscert 
Specify the Common Name for the certificate. The common name
can be anything, but is usually set to the server's primary
DNS name. Even if you plan to connect via IP address you
should specify the DNS name here.

Common name: 

The next step is to add any additional DNS names and IP
addresses that clients may use to connect to the server. If
you plan to connect to the server via IP address and not DNS
then you must specify those IP addresses here.
When you are finished, just press enter.

DNS or IP address 1: 172.29.225.32
DNS or IP address 2: 

How long should the certificate be valid for? A year (365
days) is usual but requires the certificate to be regenerated
within a year or the certificate will cease working.

Number of days: 365
Common name: 
DNS SANs:
    None
IP SANs:
    172.29.225.32

The certificate can now be generated
Press any key to begin generating the self-signed certificate.

Successfully generated certificate
    Certificate: selfsigned.crt
    Private Key: selfsigned.key

Copy and paste the following into your Log Courier
configuration, adjusting paths as necessary:
    "transport": "tls",
    "ssl ca":    "path/to/selfsigned.crt",

Copy and paste the following into your LogStash configuration, 
adjusting paths as necessary:
    ssl_certificate => "path/to/selfsigned.crt",
    ssl_key         => "path/to/selfsigned.key",
```

I copied these certificates to the correct paths, but I still get the same error. Am I missing something?

When I try to connect using openssl, I get:

```
# openssl s_client -showcerts -connect 172.29.225.32:9200
CONNECTED(00000003)
139677497968544:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
```

Any ideas?

Answer 1

If I'm reading your configuration correctly, the path your events follow is roughly this:

```
beats
    |-> elasticsearch 172.29.225.32:9200
    |-> logstash 172.29.225.32:5044
           |-> Points unknown.
```

Your openssl test was run against Elasticsearch, which as far as I can tell was never configured for TLS. Unfortunately, the error message filebeat produces isn't detailed enough to distinguish a problem talking to Logstash from a problem talking to Elasticsearch (port 9200). For testing, I would remove one of them from your filebeat configuration and see what that does to the error; the point is to isolate which component is producing the TLS error.

I believe filebeat defaults to non-TLS for Elasticsearch unless you explicitly tell it to use TLS.

filebeat's logstash output also seems to default to non-TLS, but something in your configuration is either negotiating it and failing, or oddly expecting it when it shouldn't.

Having recently finished a round of SAN debugging, here is a useful trick for getting the SANs out of a certificate:

```
openssl s_client -connect 172.29.225.32:5044 | openssl x509 -text -noout
```

This will give you the SANs on the certificate, which s_client normally doesn't show.
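The error in the question is produced by Go's crypto/x509 package, which filebeat uses for its TLS client: when the dialed host is an IP address, Go only matches it against IP SANs, never against the CN or a DNS SAN. The following added example (not code from the question, the answer, or the Beats/Logstash projects) reproduces that check offline. It mints two self-signed certificates, one with an IP SAN for 172.29.225.32 and one with only a DNS SAN (the hostname elk.example.internal is an assumption made up for the example), and verifies each the way a Go TLS client would for a given dialed host:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a self-signed certificate with the given CN and SANs.
// Either SAN list may be nil, which mirrors an openssl.cnf whose
// subjectAltName line was never applied.
func selfSigned(cn string, dnsSANs []string, ipSANs []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              dnsSANs,
		IPAddresses:           ipSANs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyFor does what a Go TLS client (filebeat included) does with a
// certificate_authorities entry: trust cert as a root and check it against
// the host that was dialed. An IP host is matched only against IP SANs.
func verifyFor(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// ipSANs lists the IP SANs on a certificate, the same information the
// "openssl x509 -text -noout" trick prints under Subject Alternative Name.
func ipSANs(cert *x509.Certificate) []string {
	var out []string
	for _, ip := range cert.IPAddresses {
		out = append(out, ip.String())
	}
	return out
}

func main() {
	elk := net.ParseIP("172.29.225.32")

	good, err := selfSigned("elk", nil, []net.IP{elk})
	if err != nil {
		panic(err)
	}
	fmt.Println("IP SANs on good cert:", ipSANs(good))
	fmt.Println("good cert, dial 172.29.225.32:", verifyFor(good, "172.29.225.32"))
	fmt.Println("good cert, dial 10.0.0.1:", verifyFor(good, "10.0.0.1"))

	// A DNS SAN alone is not enough when clients dial by IP address.
	bad, err := selfSigned("elk", []string{"elk.example.internal"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("IP SANs on bad cert:", ipSANs(bad))
	fmt.Println("bad cert, dial 172.29.225.32:", verifyFor(bad, "172.29.225.32"))
	fmt.Println("bad cert, dial elk.example.internal:", verifyFor(bad, "elk.example.internal"))
}
```

The DNS-SAN-only certificate fails against the IP with the same "doesn't contain any IP SANs" text the filebeat log shows, while the IP-SAN certificate passes for 172.29.225.32 and fails for any other IP. Whatever tool mints the certificate, the check that matters is that `ipSANs` (or the openssl command above) lists the address the Beats hosts entry actually dials.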
