Cannot validate certificate – doesn't contain any IP SANs

I am currently setting up an ELK (Elasticsearch, Logstash & Kibana) stack.

My ELK server's IP address is 172.29.225.32.

The Elasticsearch configuration is:

```
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 172.29.225.32
#
# Set a custom port for HTTP:
#
http.port: 9200
```

Then I generated my SSL configuration. I am using an IP-based connection:

```
vim /etc/pki/tls/openssl.cnf
```

```
[ v3_ca ]
subjectAltName = IP:172.29.225.32
```

Then I generated my certificate:

```
openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout /etc/pki/tls/private/logstash-forwarder.key -out /etc/pki/tls/certs/logstash-forwarder.crt
```

I am using Beats, so my Beats input configuration in Logstash is:

```
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
```

Then I installed Filebeat and configured it:

```
vim /etc/filebeat/filebeat.yml
```

```yaml
output:
  ### Elasticsearch as output
  elasticsearch:
    hosts: ["172.29.225.32:9200"]
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
  logstash:
    hosts: ["172.29.225.32:5044"]
```

When I start Filebeat, I get this error:

```
# systemctl status filebeat
● filebeat.service - filebeat
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-06-09 13:45:35 GMT; 5s ago
     Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
 Main PID: 27273 (filebeat)
   CGroup: /system.slice/filebeat.service
           └─27273 /usr/bin/filebeat -c /etc/filebeat/filebeat.yml

Jun 09 13:45:35 supportserver /usr/bin/filebeat[27273]: transport.go:125: SSL client failed to connect with: x509: cannot validate certificate for 172.29.225.32 because it doesn't contain any IP SANs
Jun 09 13:45:35 supportserver /usr/bin/filebeat[27273]: transport.go:125: SSL client failed to connect with: x509: cannot validate certificate for 172.29.225.32 because it doesn't contain any IP SANs
Jun 09 13:45:36 supportserver /usr/bin/filebeat[27273]: transport.go:125: SSL client failed to connect with: x509: cannot validate certificate for 172.29.225.32 because it doesn't contain any IP SANs
Jun 09 13:45:38 supportserver /usr/bin/filebeat[27273]: transport.go:125: SSL client failed to connect with: x509: cannot validate certificate for 172.29.225.32 because it doesn't contain any IP SANs
```

I searched the wide expanses of the Internet for alternative ways to generate the certificate. What I ended up doing was:

```
curl -O https://raw.githubusercontent.com/driskell/log-courier/1.x/src/lc-tlscert/lc-tlscert.go
go build lc-tlscert.go
./lc-tlscert
Specify the Common Name for the certificate. The common name
can be anything, but is usually set to the server's primary
DNS name. Even if you plan to connect via IP address you
should specify the DNS name here.

Common name:

The next step is to add any additional DNS names and IP
addresses that clients may use to connect to the server. If
you plan to connect to the server via IP address and not DNS
then you must specify those IP addresses here.
When you are finished, just press enter.

DNS or IP address 1: 172.29.225.32
DNS or IP address 2:

How long should the certificate be valid for? A year (365
days) is usual but requires the certificate to be regenerated
within a year or the certificate will cease working.

Number of days: 365

Common name:
DNS SANs:
    None
IP SANs:
    172.29.225.32

The certificate can now be generated
Press any key to begin generating the self-signed certificate.

Successfully generated certificate
    Certificate:   selfsigned.crt
    Private Key:   selfsigned.key

Copy and paste the following into your Log Courier
configuration, adjusting paths as necessary:
    "transport": "tls",
    "ssl ca":    "path/to/selfsigned.crt",

Copy and paste the following into your LogStash configuration,
adjusting paths as necessary:
    ssl_certificate => "path/to/selfsigned.crt",
    ssl_key         => "path/to/selfsigned.key",
```

I copied these certificates to the correct paths and still get the same error. Is there something I've missed?

When I try to connect using openssl, I get:

```
# openssl s_client -showcerts -connect 172.29.225.32:9200
CONNECTED(00000003)
139677497968544:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
```

Any ideas?

If I'm reading your configuration right, the path your events follow is roughly:

```
beats
  |-> elasticsearch 172.29.225.32:9200
  |-> logstash 172.29.225.32:5044
        |-> Points unknown.
```

Your openssl test was done against Elasticsearch, which as far as I can tell has not been configured for TLS. Unfortunately, the error message filebeat produces isn't detailed enough to tell a problem talking to Logstash from a problem talking to Elasticsearch (port 9200). For testing, I would remove one or the other from your filebeat configuration and see how that affects the error; this is to isolate which component is generating the TLS error.

I believe filebeat defaults to non-TLS for Elasticsearch unless you explicitly tell it to use TLS.

The logstash output also seems to default to non-TLS, but something in your configuration is either negotiating it and failing, or oddly expecting it when it shouldn't.

Having recently finished a round of SAN debugging, here is a useful tip:

```
openssl s_client -connect 172.29.225.32:5044 | openssl x509 -text -noout
```

This will give you the SANs on the certificate, which s_client normally doesn't.
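As an added illustration that is not part of the question or the answer: a small Python model of the hostname check behind the `doesn't contain any IP SANs` message, using the `subjectAltName` layout that `ssl.SSLSocket.getpeercert()` returns. It also covers the DNS and wildcard cases, so you can see why a certificate with only a commonName fails for an IP connection; the three sample certificates are constructed, not taken from the thread.

```python
import ipaddress
from typing import List, Optional

# Constructed sample certificates, in the dict shape ssl.SSLSocket.getpeercert() returns.
# CN_ONLY models a certificate whose subjectAltName never made it in: only a commonName.
CN_ONLY = {"subject": ((("commonName", "elk.example.test"),),)}
# WITH_IP_SAN models what lc-tlscert produced above: no DNS SANs, one IP SAN.
WITH_IP_SAN = {
    "subject": ((("commonName", "elk.example.test"),),),
    "subjectAltName": (("IP Address", "172.29.225.32"),),
}
WITH_DNS_SAN = {
    "subject": ((("commonName", "elk.example.test"),),),
    "subjectAltName": (("DNS", "elk.example.test"), ("DNS", "*.logs.example.test")),
}


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive exact match, or '*' as the whole left-most label matching one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h


def check_host(cert: dict, host: str) -> Optional[str]:
    """Return None if `host` is covered by the certificate's SANs, else why it is not.

    The commonName is deliberately never consulted: when a client connects by IP
    address, only IP SANs count, which is exactly why a CN-only certificate fails
    with the message shown in the filebeat log above.
    """
    sans = cert.get("subjectAltName", ())
    ip_sans: List[str] = [v for k, v in sans if k == "IP Address"]
    dns_sans: List[str] = [v for k, v in sans if k == "DNS"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip_sans:
            return f"cannot validate certificate for {host} because it doesn't contain any IP SANs"
        # Compare as addresses, so '::1' and '0:0:0:0:0:0:0:1' are the same SAN.
        if ip not in [ipaddress.ip_address(s) for s in ip_sans]:
            return f"certificate is valid for {', '.join(ip_sans)}, not {host}"
        return None
    if not any(_dns_match(p, host) for p in dns_sans):
        return f"certificate is valid for {', '.join(dns_sans) or 'no DNS names'}, not {host}"
    return None
```

A real client gets the same verdict from `openssl x509 -text -noout`: if the `X509v3 Subject Alternative Name` line has no `IP Address:` entry, connecting by IP will fail regardless of what the CN says.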