
I bought a certificate from DigiCert, so I got these files: DigiCertCA.crt, mydomain_com.crt, mydomain_com.key

I changed my logstash config to this:

tcp {
    type => "AppLog"
    port => 5656
    host => "mydomain.com"
    ssl_cacert => "C:/Certificates/DigiCertCA.crt"
    ssl_cert => "C:/Certificates/mydomain_com.crt"
    ssl_key => "C:/Certificates/mydomain_com.key"
    ssl_enable => true
    ssl_verify => true
}

Then I changed my nxlog config (running on a different machine) to this:

<Output App_Out>
    Module      om_ssl
    Host        mydomain.com
    Port        5656
    CAFile      C:\NxLogCerts\DigiCertCA.crt
    CertFile    C:\NxLogCerts\mydomain_com.crt
    OutputType  LineBased
</Output>

And I have tried many different parameters, removed some, added some like AllowUntrusted on both sides, etc. No luck.

Testing with openssl:

$ openssl s_client -CAfile DigiCertCA.pem -connect mydomain.com:5960
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = CountryCode, ST = State, L = City, O = CompanyName AS, CN = mydomain.com
verify return:1
---
Certificate chain
 0 s:/C=CountryCode/ST=State/L=City/O=CompanyName/CN=mydomain.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
CERTIFICATE
-----END CERTIFICATE-----
subject=/C=CountryCode/ST=State/L=City/O=XompanyName/CN=mydomain.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1801 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: -----------Removed
    Session-ID-ctx:
    Master-Key: -----------Removed
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1441375513
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Which looks fine..?

Any pointers for finding out what the actual problem is? Am I doing something wrong?

Edit: of course I forgot the error messages; on the nxlog client sending to logstash:

2015-09-04 16:17:21 INFO nxlog-ce-2.9.1347 started
2015-09-04 16:17:21 INFO connecting to mydomain.com:5960
2015-09-04 16:17:21 INFO successfully connected to mydomain.com:5960
2015-09-04 16:17:21 INFO reconnecting in 1 seconds
2015-09-04 16:17:21 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)
2015-09-04 16:17:22 INFO connecting to mydomain.com:5960
2015-09-04 16:17:22 INFO successfully connected to mydomain.com:5960
2015-09-04 16:17:22 INFO reconnecting in 1 seconds
2015-09-04 16:17:22 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)

On the logstash server:

{:timestamp=>"2015-09-04T16:25:52.976000+0200", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: Unrecognized SSL message, plaintext connection?>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:238:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/jruby/lib/ruby/shared/jopenssl19/openssl/ssl-internal.rb:142:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:182:in `run_server'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:170:in `run'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:177:in `inputworker'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:171:in `start_input'"], :level=>:error}
{:timestamp=>"2015-09-04T16:25:53.992000+0200", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: Unrecognized SSL message, plaintext connection?>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:238:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/jruby/lib/ruby/shared/jopenssl19/openssl/ssl-internal.rb:142:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:182:in `run_server'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:170:in `run'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:177:in `inputworker'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:171:in `start_input'"], :level=>:error}

2 Answers

  • Since you haven't posted any error messages, I can't really tell what the problem is.
  • Buying a certificate for this is a waste of money. You should create your own CA certificate (e.g. with openssl) and then generate a certificate + key pair for each entity. There are plenty of howtos online.
  • om_ssl usually requires CertKeyFile along with CertFile.
  • The openssl s_client test you ran does not verify (there is a -verify switch), whereas certificate verification is turned on at both ends.
  • Try AllowUntrusted TRUE and see whether that helps.
answered 2015-09-05T08:39:12.450

I had a similar problem with awesant and logstash, and I was also using DigiCert certificates. In my case the problem was that one of the endpoints did not have the full certificate chain.

I created a file "x", put the contents of DigiCertCA.crt and TrustedRoot.crt into it, and used that file as the CA certificate; everything seems fine now.

answered 2015-09-08T15:37:57.803
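The nxlog error in the question ("SSL certificate verification failed: unable to get issuer certificate (err: 2)") and the fix in the answer above (a CA file holding the intermediate and the root together) can be reproduced offline. The Ruby script below is an added example, not code from either answer or from the nxlog or logstash projects. It generates a throwaway root/intermediate/leaf hierarchy that stands in for the DigiCert chain (the CA names "Example Root CA" and "Example Issuing CA", the keys and the serials are all constructed here), then verifies the leaf against a CA file that contains only the intermediate, and against one that contains intermediate plus root. Ruby's OpenSSL binding surfaces the same OpenSSL X.509 verify codes that nxlog's om_ssl prints, so the first case reports code 2 with the very message from the log.

```ruby
require 'openssl'

# Build one X.509v3 certificate. With no issuer it is self-signed (a root).
# The whole PKI below is constructed for this example only.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Stand-ins for TrustedRoot.crt, DigiCertCA.crt and mydomain_com.crt.
ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
INT_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)

ROOT = make_cert('/C=XX/O=Example Trust/CN=Example Root CA', ROOT_KEY, ca: true, serial: 1)
INTERMEDIATE = make_cert('/C=XX/O=Example Trust/CN=Example Issuing CA', INT_KEY,
                         issuer_cert: ROOT, issuer_key: ROOT_KEY, ca: true, serial: 2)
LEAF = make_cert('/C=XX/O=CompanyName/CN=mydomain.com', LEAF_KEY,
                 issuer_cert: INTERMEDIATE, issuer_key: INT_KEY, serial: 3)

# Split a concatenated PEM file (the answer's file "x") into its certificates.
def parse_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
          .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Verify `leaf` the way a client configured with CAFile=<bundle> does when the
# server sends only its own certificate. The store is deliberately NOT given
# the system trust store, so only the bundle can complete the chain.
# Returns [verified?, OpenSSL verify code, OpenSSL verify message].
def verify_with_bundle(leaf, bundle_pem)
  store = OpenSSL::X509::Store.new
  parse_bundle(bundle_pem).each { |c| store.add_cert(c) }
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

# CAFile with only the intermediate (the question's setup) vs. the fix.
INTERMEDIATE_ONLY = INTERMEDIATE.to_pem
FULL_CHAIN = INTERMEDIATE.to_pem + ROOT.to_pem

if __FILE__ == $PROGRAM_NAME
  p verify_with_bundle(LEAF, INTERMEDIATE_ONLY) # [false, 2, "unable to get issuer certificate"]
  p verify_with_bundle(LEAF, FULL_CHAIN)        # [true, 0, "ok"]
end
```

With only the intermediate in the store, OpenSSL finds the leaf's issuer but cannot walk the chain up to a self-signed root, which is exactly X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT (code 2); appending the root makes the same leaf verify. Against real files the equivalent check is `openssl verify -CAfile x mydomain_com.crt`. Note that `openssl s_client` also loads the default system trust store alongside `-CAfile`, so the DigiCert root at depth=2 in the question's output may have come from there rather than from DigiCertCA.pem, and s_client keeps the connection open after a verify failure unless `-verify_return_error` is given.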