[英]"unable to verify the first certificate" when connecting to elasticsearch from nodejs using self-generated certificates
How do I connect to my elasticsearch cluster (TLS secured) when there are certificates generated by myself with the elasticsearch-certutil
?当我自己使用 elasticsearch
elasticsearch-certutil
生成证书时,如何连接到我的 elasticsearch 集群(TLS 保护)?
According to the ES documentation this code snippet should do it: 根据 ES 文档,这个代码片段应该这样做:
const client = new Client({
node: config.elastic.node,
auth: {
username: "elastic",
password: config.elastic.password
},
tls: {
ca: fs.readFileSync( "./share/es/certs/ca.crt" ),
rejectUnauthorized: false
}
})
Unfortunately, this gives me this famous error:不幸的是,这给了我这个著名的错误:
ConnectionError: unable to verify the first certificate
I've setup ES via docker-compose.我已经通过 docker-compose 设置了 ES。 To wrap up, I did the following:
最后,我做了以下事情:
Generating the certs using the elasticsearch-certutil
using cert
command via: bin/elasticsearch-certutil cert --silent --pem --in config/instances.yml -out /certs/bundle.zip
.通过以下方式使用 elasticsearch
elasticsearch-certutil
使用cert
命令生成证书: bin/elasticsearch-certutil cert --silent --pem --in config/instances.yml -out /certs/bundle.zip
。 instances.yml
contains all of my nodes as well as kibana. instances.yml
包含我的所有节点以及 kibana。 bundle.zip
contains all certs and keys as well as the certificate for CA. bundle.zip
包含所有证书和密钥以及 CA 证书。
Configuring my nodes in docker-compose.yml
so that they can read the generated certificates.在
docker-compose.yml
中配置我的节点,以便它们可以读取生成的证书。 For instance,例如,
... - xpack.security.http.ssl.key=${ES_CERTS_DIR}/es01/es01.key - xpack.security.http.ssl.certificate_authorities=${ES_CERTS_DIR}/ca/ca.crt - xpack.security.http.ssl.certificate=${ES_CERTS_DIR}/es01/es01.crt - xpack.security.transport.ssl.certificate_authorities=${ES_CERTS_DIR}/ca/ca.crt - xpack.security.transport.ssl.certificate=${ES_CERTS_DIR}/es01/es01.crt - xpack.security.transport.ssl.key=${ES_CERTS_DIR}/es01/es01.key...
Validating the connection with curl with this command使用此命令验证与 curl 的连接
$ curl -X GET "https://elastic:$ES_PASSWORD@my-cluster-doomain.com:9201" -H "Content-type: application/json" --cacert $CACERT --key $KEY --cert $CERT
where $CACERT
, $KEY
, $CERT
are pointing to the CA cert, the key and certificate for the node that I am connecting to.其中
$CACERT
、 $KEY
、 $CERT
指向 CA 证书,即我要连接的节点的密钥和证书。 This results in:这导致:
{ "name": "es01", "cluster_name": "es-docker-cluster", ... "tagline": "You Know, for Search" }
which is fine I suppose.我想这很好。
But why can't I connect to my cluster from my expressjs application?但是为什么我不能从我的 expressjs 应用程序连接到我的集群? I read something about creating a the certificate chain and letting ES know that.
我读了一些关于创建证书链并让 ES 知道的内容。 But, I this necessary?
但是,我这有必要吗? I mean, I can connect via
curl
and also using elasticdump
.我的意思是,我可以通过
curl
和使用elasticdump
进行连接。 What gives my an error is when I access the cluster via browser https://my-cluster-domain.com:9201 .当我通过浏览器访问集群时出现错误https://my-cluster-domain.com:9201 。 The browser warns me that, although the certificate is valid, the connection is not secure.
浏览器警告我,虽然证书有效,但连接不安全。
Any ideas?有任何想法吗? Thank you.
谢谢你。
Well, after a lot of googling it turned out that adding the CA file to the ES client config is not enough, as indicated in my example configuration above.好吧,经过大量谷歌搜索,结果发现将 CA 文件添加到 ES 客户端配置是不够的,如我上面的示例配置所示。
...
tls: {
ca: fs.readFileSync( "./share/es/certs/ca.crt" ),
rejectUnauthorized: false # don't do this in production
}
Instead, one has to announce the CA certificate to the Node process itself, before configuring your connecting to ES.相反,在配置连接到 ES 之前,必须向 Node 进程本身宣布 CA 证书。 You can do this, as described in this and in this post (solution 2a , with the
NODE_EXTRA_CA_CERTS
environment variable . I now start my process like this and it worked out:您可以这样做,如本文和本文中所述(解决方案 2a ,使用
NODE_EXTRA_CA_CERTS
环境变量。我现在开始我的过程,结果如下:
$ NODE_EXTRA_CA_CERTS="./share/es/certs/ca.crt" NODE_ENV=prod ...
One last remark, you don't have to set rejectUnauthorized: false
, as some workarounds do , in case you have the current version of the elasticsearch client.最后一点,您不必像某些解决方法那样设置
rejectUnauthorized: false
,以防您拥有当前版本的 elasticsearch 客户端。
My final configuration looks like this:我的最终配置如下所示:
const client = new Client({
node: config.elastic.node,
auth: {
username: "elastic",
password: config.elastic.password
}
})
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.