Enabling TLS on the HTTP layer and using the PKI realm to verify client certificates
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca.crt
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.client_authentication: optional
xpack.security.authc.realms.pki.realm1.order: 1
But an error kept appearing: the CA certificate is trusted, yet the connection still failed to establish?
Very strange!
[2022-01-21T16:51:33,810][WARN ][o.e.c.s.DiagnosticTrustManager] [ES01] failed to establish trust with client at [<unknown host>]; the client provided a certificate with subject name [CN=ES01,DC=TW] and fingerprint [d33df0ef4c412115585e3f90dfdbccc696044232]; the certificate is issued by [CN=ROOT CA,DC=TW]; the certificate is signed by (subject [CN=ROOT CA,DC=TW] fingerprint [2b2f8bc39a8a84d640b3cf6cdbe659316ffe1e97] {trusted issuer}) which is self-issued; the [CN=ROOT CA,DC=TW] certificate is trusted in this ssl context ([xpack.security.http.ssl])
Reading further down the error message:
Extended key usage does not permit use for TLS client authentication
It turns out that certificates generated with the tool always carry both clientAuth and serverAuth in extKeyUsage,
whereas the one I used happened to be issued by the company CA and lacks clientAuth, so no wonder it failed verification!!
Reference: the extensions of the certificate issued by the company CA (note that extKeyUsage lists only serverAuth; the 1.3.6.1.4.1.311.21.7 and 1.3.6.1.4.1.311.21.10 entries are Microsoft AD CS extensions, certificate template information and application policies, whose values are not shown here):
keyUsage : digitalSignature, keyEncipherment
1.3.6.1.4.1.311.21.7 :
extKeyUsage : serverAuth
1.3.6.1.4.1.311.21.10 :
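The following script is an added example and is not code from the original post or from Elasticsearch. It reproduces the failure with throwaway certificates: a lab root CA (a constructed stand-in for the company CA) issues one leaf certificate with extKeyUsage=serverAuth only and one with serverAuth,clientAuth, and then runs a pre-flight check that answers the question the log above raises, namely whether a certificate may be presented for TLS client authentication at all. The chain check uses OpenSSL's own "sslclient" purpose test, which rejects a certificate for the same reason Elasticsearch logged. It assumes the openssl CLI (1.1.1 or later) is on PATH; all names (LAB ROOT CA, es-node, the file names) are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a lab CA, issues two
# leaf certificates that differ only in extKeyUsage, and checks which one a
# server may accept as a client certificate. Assumes openssl is on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the example does not depend on the system openssl.cnf.
# The [dn] section is only required for "req" to accept the config; -subj
# overrides it below.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Create the self-signed lab root CA (constructed stand-in for the company CA).
make_lab_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/DC=LAB/CN=LAB ROOT CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a leaf certificate: $1 = basename, $2 = extendedKeyUsage value.
# keyUsage mirrors what the post's certificate carried; the EKU list is the
# part that decides whether the PKI realm will accept the certificate.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -subj "/DC=LAB/CN=es-node" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    printf 'keyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = %s\n' "$2" \
        > "$WORK/$1.ext"
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Pre-flight check for a certificate you intend to present to a PKI realm.
# Succeeds when the EKU extension is absent (no restriction) or lists
# TLS Web Client Authentication; fails when an EKU is present without it,
# or when the file is not a readable certificate.
eku_allows_client_auth() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    eku="$(openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Extended Key Usage/ { getline; print; exit }')"
    if [ -z "$eku" ]; then
        return 0
    fi
    printf '%s\n' "$eku" | grep -q 'TLS Web Client Authentication'
}

# The same question asked of the full chain validator: a trusted issuer is
# not enough, the leaf must also be valid for the "sslclient" purpose.
chain_ok_for_client_auth() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

make_lab_ca
issue_leaf server_only "serverAuth"                    # what the company CA issued
issue_leaf server_and_client "serverAuth,clientAuth"   # what the PKI realm needs

for leaf in server_only server_and_client; do
    if eku_allows_client_auth "$WORK/$leaf.crt" && chain_ok_for_client_auth "$WORK/$leaf.crt"; then
        echo "$leaf: usable for TLS client authentication"
    else
        echo "$leaf: rejected for TLS client authentication"
    fi
done
```

Running it prints one line per leaf: server_only is rejected and server_and_client is accepted, even though both chain to the same trusted CA. Point eku_allows_client_auth at a certificate from your own CA before wiring it into the PKI realm, and ask the CA for a template or profile that includes clientAuth when the check fails.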