I am trying to set up HTTPS for clients on an Elasticsearch cluster. When I generate the SSL certificate from the cluster with certbot using the following command, it works fine:

certbot certonly --standalone

My Elasticsearch cluster is configured as follows:

# elasticsearch.yml

cluster.initial_master_nodes: 10.132.0.3
cluster.name: elasticsearch
discovery.seed_hosts: 10.132.0.3:9200
network.host: 10.132.0.3
node.name: node-1
xpack.security.http.ssl.certificate: /etc/elasticsearch/ssl/my-subdomain.XXXX.com/fullchain.pem
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/ssl/my-subdomain.XXXX.com/privkey.pem
xpack.security.http.ssl.verification_mode: certificate
xpack.security.transport.ssl.enabled: true

So I managed to authenticate over HTTPS on my Elasticsearch with my login and password using the following command:

curl https://my-subdomain.XXXX.com:9200 -u username:password

My problem is that I now want to do the same thing, but generate the SSL certificate through Terraform with the ACME provider, more precisely with the "acme_certificate" resource. Here is my Terraform code:

resource "acme_certificate" "elastic" {
  account_key_pem = acme_registration.account_registration.account_key_pem
  common_name = "${local.subdomain}.${var.domain_name}"

  dns_challenge {
    provider = "ovh"

    config = {
      OVH_ENDPOINT = var.ovh_endpoint
      OVH_APPLICATION_KEY = var.ovh_application_key
      OVH_APPLICATION_SECRET = var.ovh_application_secret
      OVH_CONSUMER_KEY = var.ovh_consumer_key
    }
  }
}

From the Terraform resource "acme_certificate" I get the following outputs:

  • "certificate_pem", which becomes my "cert.pem" file (but I don't use it in my Elasticsearch setup)
  • "issuer_pem"
  • "private_key_pem", which becomes my "privkey.pem" file

So I am missing the "fullchain.pem" file, which I build by concatenating "certificate_pem" and "issuer_pem" as follows (my mistake is probably there):

resource "local_file" "fullchain" {
  content = "${acme_certificate.elastic.certificate_pem}${acme_certificate.elastic.issuer_pem}"
  filename = "/my/local/path/fullchain.pem"
}

My "fullchain.pem" file looks like this:


In the same way as with certbot, I use Terraform to inject my certificates into Elasticsearch and check that the elastic user has the correct permissions (with the chmod and chown commands). The elasticsearch service restarts fine, but when I try to connect it gives me the following error:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

I don't understand what the problem is; my impression is that the certificates returned by Terraform are incorrect. But when I test their validity the way I did with certbot, everything seems fine:

openssl x509 -enddate -noout -in cert.pem       # notAfter=Nov 16 13:55:54 2021 GMT
openssl x509 -enddate -noout -in fullchain.pem  # notAfter=Nov 16 13:55:54 2021 GMT

Thanks for your help!
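As an added offline check (not part of the question, the Terraform ACME provider or Elasticsearch): a bundle built by plain string concatenation is only usable if every PEM marker still sits on its own line, so the helper below joins fragments with a guaranteed newline and validates the resulting bundle's framing and base64 bodies. The two "certificates" are constructed placeholders (a five-byte DER SEQUENCE each), not real X.509 data.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# A block only counts if both markers occupy a whole line of their own.
_BLOCK = re.compile(rf"^{re.escape(BEGIN)}$\n(.*?)\n^{re.escape(END)}$", re.S | re.M)


def join_pem(*parts):
    """Concatenate PEM fragments, guaranteeing a newline between them.

    A bare "${a}${b}" interpolation fuses the END marker of one block
    with the BEGIN marker of the next whenever the first fragment has no
    trailing newline; a PEM parser then stops after the first certificate.
    """
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)


def check_bundle(text):
    """Return (certificate_count, issues) for a PEM bundle.

    Checks that every marker sits alone on its own line, that BEGIN/END
    markers pair up into blocks, and that each body is valid base64 whose
    DER opens with a SEQUENCE tag (0x30), as every X.509 certificate does.
    """
    issues = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if ("-----BEGIN" in s or "-----END" in s) and s not in (BEGIN, END):
            issues.append(f"line {lineno}: fused or malformed PEM marker")
    blocks = _BLOCK.findall(text)
    if text.count(BEGIN) != len(blocks) or text.count(END) != len(blocks):
        issues.append("BEGIN/END markers do not form well-delimited blocks")
    for index, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            issues.append(f"block {index}: body is not valid base64")
            continue
        if der[:1] != b"\x30":
            issues.append(f"block {index}: decoded body is not DER")
    return len(blocks), issues


# Constructed placeholders: base64 of a 5-byte DER SEQUENCE, not real certs.
FAKE_LEAF = f"{BEGIN}\nMAMCAQE=\n{END}"
FAKE_INTERMEDIATE = f"{BEGIN}\nMAMCAQI=\n{END}"
```

Run check_bundle over the file Terraform wrote; a count lower than the number of certificates you expected, or any "fused" issue, means the bundle will not be read as a full chain.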
