为什么我的两台服务器之间 SSL 不起作用？

我有 2 台装有 Ubuntu 18.04 的服务器：

• surveillance.example.com (在单个服务器上使用 ELK)
• www.example.com（使用 Filebeat）

在服务器 ELK 上

创建用于存储 SSL 证书的目录

$ sudo mkdir -p /etc/elk-certs

生成 SSL 证书

$ sudo openssl req -subj '/CN=monitoring.example.com/' -x509 -days 3650 -batch -nodes -newkey rsa:4096 -keyout /etc/elk-certs/monitoring-example-com.key -out /etc/elk-certs/monitoring-example-com.crt

更改所有者

$ sudo chown logstash /etc/elk-certs/monitoring-example-com.crt
$ sudo chown logstash /etc/elk-certs/monitoring-example-com.key

将 SSL 证书发送到客户端服务器

$ sudo scp /etc/elk-certs/monitoring-example-com.crt [email protected]:/tmp

在服务器客户端上

创建用于存储 SSL 证书的目录

$ sudo mkdir -p /etc/elk-certs

将证书复制到目录中

$ sudo mv /tmp/monitoring-example-com.crt /etc/elk-certs/

在服务器 ELK 上

/etc/logstash/conf.d/logstash.conf这是服务器 surveillance.example.com 上的配置文件：

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/elk-certs/monitoring-example-com.crt"
    ssl_key => "/etc/elk-certs/monitoring-example-com.key"      
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

重启 Logstash

$ sudo systemctl restart logstash

在服务器客户端上

/etc/filebeat/filebeat.yml这是服务器 www.example.com 上的配置文件：

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["monitoring.example.com:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/elk-certs/monitoring-example-com.crt"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/elk-certs/monitoring-example-com.crt"

  # Client Certificate Key
  #ssl.key: "/etc/elk-certs/monitoring-example-com.key"

重启 Filebeat

$ sudo systemctl restart filebeat

问题

$ curl -v --cacert /etc/elk-certs/monitoring-example-com.crt https://monitoring.example.com:5044

* Rebuilt URL to: https://monitoring.example.com:5044/
*   Trying 2001:43d9:363:1000::2b16...
* TCP_NODELAY set
*   Trying 51.95.207.228...
* TCP_NODELAY set
* Connected to monitoring.example.com (51.95.207.228) port 5044 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/elk-certs/monitoring-example-com.crt
  CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=monitoring.example.com
*  start date: May 11 22:26:42 2019 GMT
*  expire date: May  8 22:26:42 2029 GMT
*  subjectAltName does not match monitoring.example.com
* SSL: no alternative certificate subject name matches target host name 'monitoring.example.com'
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'monitoring.example.com'

目前 Logstash 不会从 Filebeat 接收任何数据。