Enable TLS on the HTTP layer and use PKI to verify client certificates:

    xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt
    xpack.security.http.ssl.verification_mode: certificate
    xpack.security.http.ssl.client_authentication: optional
    xpack.security.authc.realms.pki.realm1.order: 1

An error message kept appearing: the CA certificate is trusted, yet the connection still fails to be established? Very strange!

    [2022-01-21T16:51:33,810][WARN ][o.e.c.s.DiagnosticTrustManager] [ES01] failed to establish trust with client at [<unknown host>]; the client provided a certificate with subject name [CN=ES01,DC=TW] and fingerprint [d33df0ef4c412115585e3f90dfdbccc696044232]; the certificate is issued by [CN=ROOT CA,DC=TW]; the certificate is signed by (subject [CN=ROOT CA,DC=TW] fingerprint [2b2f8bc39a8a84d640b3cf6cdbe659316ffe1e97] {trusted issuer}) which is self-issued; the [CN=ROOT CA,DC=TW] certificate is trusted in this ssl context ([xpack.security.http.ssl])

Reading further down the error message:

    Extended key usage does not permit use for TLS client authentication

It turns out that for certificates generated with the tool, extKeyUsage always includes clientAu...
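The extended key usage rule behind that error can be checked directly on a certificate's DER bytes. The following is an added example, not code from the original post or from Elasticsearch: it applies the RFC 5280 rule (an EKU extension, when present, must list clientAuth or anyExtendedKeyUsage). The function names are hypothetical, and the two sample inputs are hand-constructed EKU extension encodings rather than full certificates.

```python
EKU_EXT = "2.5.29.37"              # id-ce-extKeyUsage (the extension itself)
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[start:end]."""
    pos = start
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, pos, pos + length
        pos += length

def decode_oid(body):
    # Base-128 arcs; the first encoded arc packs the first two OID components.
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_purposes(der, start=0, end=None):
    """Return the KeyPurposeId OIDs, or None when there is no EKU extension."""
    found = False
    for tag, vs, ve in children(der, start, len(der) if end is None else end):
        if tag == 0x06 and decode_oid(der[vs:ve]) == EKU_EXT:
            found = True  # extnID matched; the extnValue OCTET STRING follows
        elif found and tag == 0x04:
            _, s, e = next(children(der, vs, ve))  # SEQUENCE OF KeyPurposeId
            return [decode_oid(der[a:b]) for _, a, b in children(der, s, e)]
        elif tag & 0x20:  # constructed element: descend into it
            inner = eku_purposes(der, vs, ve)
            if inner is not None:
                return inner
    return None

def permits_tls_client_auth(der):
    # RFC 5280: an absent EKU extension places no restriction on purpose.
    purposes = eku_purposes(der)
    return purposes is None or CLIENT_AUTH in purposes or ANY_EKU in purposes

# Constructed samples: EKU extension with serverAuth only, then serverAuth + clientAuth.
SERVER_ONLY = bytes.fromhex("30130603551d25040c300a06082b06010505070301")
SERVER_AND_CLIENT = bytes.fromhex("301d0603551d250416301406082b0601050507030106082b06010505070302")
```

Because the walker descends through every constructed element, the same functions accept the DER bytes of a whole certificate (PEM must be base64-decoded first).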