Showing posts from January 2022

ELK - client certificate cannot establish a connection

TLS is enabled on the HTTP layer, and PKI is used to authenticate client certificates:

    xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt
    xpack.security.http.ssl.verification_mode: certificate
    xpack.security.http.ssl.client_authentication: optional
    xpack.security.authc.realms.pki.realm1.order: 1

An error message kept appearing: the CA certificate is trusted, yet the connection still fails to establish? Very strange!

    [2022-01-21T16:51:33,810][WARN ][o.e.c.s.DiagnosticTrustManager] [ES01] failed to establish trust with client at [<unknown host>]; the client provided a certificate with subject name [CN=ES01,DC=TW] and fingerprint [d33df0ef4c412115585e3f90dfdbccc696044232]; the certificate is issued by [CN=ROOT CA,DC=TW]; the certificate is signed by (subject [CN=ROOT CA,DC=TW] fingerprint [2b2f8bc39a8a84d640b3cf6cdbe659316ffe1e97] {trusted issuer}) which is self-issued; the [CN=ROOT CA,DC=TW] certificate is trusted in this ssl context ([xpack.security.http.ssl])

Reading further down the error message:

    Extended key usage does not permit use for TLS client authentication

It turns out that certificates generated with the tool all have an extKeyUsage that includes clientAuth and

ELK - cannot connect to ES

After configuring TLS, I found that I could only connect from the local machine using its IP address. Connections via 127.0.0.1 and localhost failed, and no other host could connect either.

    curl https://localhost:9200
    curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:9200

In elasticsearch_audit I found:

    { "type" : "audit", "timestamp" : "2022-01-20T12:57:57,621+0800", "node.id" : "tUCQb6ADSLaZHr4VU8w7WA", "event.type" : "ip_filter", "event.action" : "connection_denied", "origin.type" : "rest", "origin.address" : "127.0.0.1", "transport.profile" : ".http", "rule" : "deny _all" }

It turned out this had been configured earlier, but security was not enabled at the time, so it had not taken effect.

    curl "https://IP:9200/_cluster/settings?pretty"
    {
      "persistent" : {
        "cluster" : {
          "max_shards_per_node" : "2000"
        },
        "xpack" : {
          "monitoring" : {
            "
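An added example, not part of the original post: a small Python script that scans Elasticsearch audit log lines for the `ip_filter` / `connection_denied` event quoted above and groups the denials by transport profile, rule and origin address. The function names are hypothetical, and every sample line except the first is constructed for illustration.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample audit log (one JSON object per line). The first line mirrors
# the event quoted in the post; the rest are made up. The last is cut off on purpose.
SAMPLE_AUDIT_LOG = """\
{"type":"audit", "timestamp":"2022-01-20T12:57:57,621+0800", "node.id":"tUCQb6ADSLaZHr4VU8w7WA", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"127.0.0.1", "transport.profile":".http", "rule":"deny _all"}
{"type":"audit", "timestamp":"2022-01-20T12:58:02,104+0800", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"192.0.2.15", "transport.profile":".http", "rule":"deny _all"}
{"type":"audit", "timestamp":"2022-01-20T12:58:05,330+0800", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"192.0.2.10", "transport.profile":".http", "rule":"allow 192.0.2.10"}
{"type":"audit", "timestamp":"2022-01-20T12:58:09,001+0800", "event.type":"rest", "event.action":"authentication_failed", "origin.address":"192.0.2.15"}
{"type":"audit", "timestamp":"2022-01-20T12:5
"""

def summarize_ip_filter_denials(lines):
    """Count ip_filter denials per (transport profile, rule, origin address)."""
    denials, skipped = Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated or partially written line
            continue
        # Audit field names contain dots but are flat keys, not nested objects.
        if not isinstance(event, dict) or event.get("event.type") != "ip_filter":
            continue
        if event.get("event.action") == "connection_denied":
            key = (event.get("transport.profile"), event.get("rule"), event.get("origin.address"))
            denials[key] += 1
    return denials, skipped

def loopback_locked_out(denials):
    """True when a loopback client was denied, i.e. even a local curl is filtered."""
    for _profile, _rule, address in denials:
        try:
            if ipaddress.ip_address(str(address)).is_loopback:
                return True
        except ValueError:
            continue  # missing or non-IP origin.address
    return False

if __name__ == "__main__":
    denials, skipped = summarize_ip_filter_denials(SAMPLE_AUDIT_LOG.splitlines())
    for (profile, rule, address), count in denials.most_common():
        print(f"{count:3d}  profile={profile}  rule={rule!r}  from={address}")
    print(f"unparseable lines: {skipped}, loopback denied: {loopback_locked_out(denials)}")
```

A loopback denial on the `.http` profile with rule `deny _all` points at an IP filter rule rather than at the TLS configuration, which is why the curl error alone is misleading.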