I am running opendistro for elasticsearch (v1.0.2) in kubernetes. I have initialized elasticsearch with my own self-signed certificates.

elasticsearch.yml:

opendistro_security.ssl.transport.pemcert_filepath: certs/node.pem
opendistro_security.ssl.transport.pemkey_filepath: certs/node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false

opendistro_security.ssl.http.enabled: ${SSL_ENABLE} ## <--- true
opendistro_security.ssl.http.pemcert_filepath: certs/client.pem
opendistro_security.ssl.http.pemkey_filepath: certs/client-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
opendistro_security.allow_default_init_securityindex: true

I have generated those certificates using the go packages "crypto/<>" in pkcs8 format.

client-key.pem:

-----BEGIN PRIVATE KEY-----
.....5UTLoSD7oYA8gOMBf2qkySSL.....
-----END PRIVATE KEY-----

client.pem:

-----BEGIN CERTIFICATE-----
.....lXt7yTNrpY0WfGJmGxzy...
-----END CERTIFICATE-----

So elasticsearch initialized successfully:

[2020-07-25T06:55:01,565][INFO ][c.a.o.s.c.ConfigurationRepository] [elasticsearch-datgp5-0] Node 'elasticsearch-datgp5-0' initialized

$ curl -XGET "https://localhost:9200/_cluster/health?pretty" -u "admin:XXXX" --insecure
{
  "cluster_name" : "topology-es",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 1,
  "active_shards" : 1,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

But when I try the same thing from the go-client in --insecure mode, I get the following error:

[2020-07-25T06:55:28,653][ERROR][c.a.o.s.s.h.n.OpenDistroSecuritySSLNettyHttpServerTransport] [elasticsearch-datgp5-0] SSL Problem pre_shared_key key extension offered without a psk_key_exchange_modes extension
javax.net.ssl.SSLHandshakeException: pre_shared_key key extension offered without a psk_key_exchange_modes extension

How I am creating the go-client:

// esv7 "github.com/olivere/elastic/v7"

client, err := esv7.NewClient(
    esv7.SetHttpClient(&http.Client{
        Timeout: 0,
        Transport: &http.Transport{
            TLSClientConfig: &tls.Config{
                // Skips server certificate verification, like curl --insecure.
                InsecureSkipVerify: true,
            },
        },
    }),
    esv7.SetBasicAuth(string(secret.Data[KeyAdminUserName]), string(secret.Data[KeyAdminPassword])),
    esv7.SetURL(url),
    esv7.SetHealthcheck(false),
    esv7.SetSniff(false),
)
if err != nil {
    return nil, err
}

  • What does this error mean? How do I solve it?
  • Any idea what I am doing wrong? How do I debug it?
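
One way to approach the "how do I debug it" question, as an added example that is not part of the original post: `pre_shared_key` and `psk_key_exchange_modes` are TLS 1.3 extensions (RFC 8446), so handshaking once pinned to TLS 1.2 and once pinned to TLS 1.3 shows whether the failure is specific to TLS 1.3. `probeTLS` is a hypothetical helper, the `httptest` server is a constructed stand-in for the Elasticsearch node, and verification uses a CA pool instead of `InsecureSkipVerify`.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

var versionNames = map[uint16]string{tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}

// probeTLS (hypothetical helper) does one handshake with addr pinned to a
// single TLS version and returns the negotiated version or the handshake error.
// roots replaces InsecureSkipVerify: for the cluster above it would hold
// certs/root-ca.pem, loaded with (*x509.CertPool).AppendCertsFromPEM.
func probeTLS(addr, serverName string, roots *x509.CertPool, version uint16) (uint16, error) {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, &tls.Config{
		RootCAs:    roots,
		ServerName: serverName, // must match a SAN in the server certificate
		MinVersion: version,
		MaxVersion: version,
	})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	// Constructed stand-in for the Elasticsearch HTTP endpoint so the example
	// runs offline; against a real node pass "host:9200" and the real CA pool.
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())

	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		got, err := probeTLS(srv.Listener.Addr().String(), "example.com", roots, v)
		if err != nil {
			fmt.Printf("%s: handshake failed: %v\n", versionNames[v], err)
			continue
		}
		fmt.Printf("%s: ok, negotiated %s\n", versionNames[v], versionNames[got])
	}
}
```

If only the TLS 1.3 probe fails against the real node, the problem lies in TLS 1.3 negotiation between the Go client and the server's JVM rather than in the certificates.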