我安裝了 ElasticSearch v6.2.4。它工作得很好,但最近由於安全原因我安裝了搜查衛士為 ElasticSearch 叢集提供 TLS 和身份驗證功能的插件。
目前我只有 1 個節點安裝了 SearchGuard 演示證書。
搜尋衛士現在工作得非常好,除了當我必須使用上傳資料時卓越的它顯示一些證書不存在錯誤。
為了在 ES 中上傳數據,excelastic 有一個配置文件,它在執行之前讀取該文件。它包含有關身份驗證的使用者名稱和密碼的資訊。
這個:-
{
"web_port": 7777,
"elastic_port": 9200,
"elastic_host": "localhost",
"elastic_tls": true,
"authentication": true,
"basic": "admin:admin"
}
以下是 ElasticSearch 日誌詳細資訊:-
[2019-04-04T10:14:30,602][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [OCMpWyk] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_74]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
at java.lang.Thread.run(Unknown Source) [?:1.8.0_74]
Excelastic 日誌詳細資訊是:-
Apr 04, 2019 10:14:30 AM io.vertx.core.http.impl.HttpClientRequestImpl
> SEVERE: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
> Apr 04, 2019 10:14:30 AM io.netty.channel.DefaultChannelPipeline onUnhandledInbo
> undException
> WARNING: An exceptionCaught() event was fired, and it reached at the tail of the
> pipeline. It usually means the last handler in the pipeline did not handle the
> exception.
> io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Ge
> neral SSLEngine problem
> at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageD
> ecoder.java:459)
> at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessage
> Decoder.java:265)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
> ractChannelHandlerContext.java:362)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
> ractChannelHandlerContext.java:348)
> at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(Abstra
> ctChannelHandlerContext.java:340)
> at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(Defau
> ltChannelPipeline.java:1359)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
> ractChannelHandlerContext.java:362)
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
> ractChannelHandlerContext.java:348)
> at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChanne
> lPipeline.java:935)
> at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(Abstra
> ctNioByteChannel.java:141)
> at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.jav
> a:645)
> at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEve
> ntLoop.java:580)
> at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.ja
> va:497)
> at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
> at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThread
> EventExecutor.java:886)
> at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalR
> unnable.java:30)
> at java.lang.Thread.run(Unknown Source)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
> at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
> at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.jav
> a:292)
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1248)
> at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1
> 159)
> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1194)
> at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProte
> ction(ByteToMessageDecoder.java:489)
> at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageD
> ecoder.java:428)
> ... 16 more
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Alerts.getSSLException(Unknown Source)
> at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
> at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
> at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
> at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> at sun.security.ssl.Handshaker$1.run(Unknown Source)
> at sun.security.ssl.Handshaker$1.run(Unknown Source)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
> at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:140
> 8)
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1316)
> ... 20 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
> d certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
> at sun.security.validator.Validator.validate(Unknown Source)
> at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Sour
> ce)
> ... 29 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Sourc
> e)
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
> Source)
> at java.security.cert.CertPathBuilder.build(Unknown Source)
> ... 35 more
任何人都可以建議任何選擇嗎?
答案1
因此,我發現我在使用 Search Guard 外掛程式的 ElasticSearch 中用於 TLS 的憑證並不存在於我的 JVM 信任庫中。因此,當我執行 excelastic jar 檔案時,它會顯示此錯誤。
Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
d certification path to requested target
為了解決這個問題:
首先,我使用 Windows 中的 keytool 命令列工具建立了一個信任庫。
$keytool -importcert -keystore mytruststore.jks -alias excelastictry -file servercert.pem
然後我在運行時提供了 trustStore 路徑,同時執行 excelastic.jar 文件,如下所示
$java -Djavax.net.ssl.trustStore="path/to/mytruststore.jks" -jar excelastic-1.2.7.jar
最終 excelastic 入口網站能夠識別 ES 版本並上傳資料。