官网有更简单的办法 https://github.com/lmenezes/cerebro/issues/456
以下是我自已搞的办法,只对cerebro的场景而言不是很方便,但算是一个java/jvm栈通用的自签ssl证书https访问信任的解决办法
cerebro倒是可以访问https 但是opendistro es 默认集成的es 就是https服务,且是自签证书,这涉及到一个https证书认证的问题,未经机构认证的自签证书会报风险 浏览器的风险应该很熟悉了,手动操作,部分版本chrome浏览要求键盘输入thisisunsafe
cerebro未信任则报错
[info] p.c.s.AkkaHttpServer - Listening for HTTP on /0.0.0.0:9000
[error] p.a.h.DefaultHttpErrorHandler -
! @7ipkmli1l - Internal server error, for (POST) [/connect] ->
play.api.UnexpectedException: Unexpected exception[ConnectException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target]
at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:331)
at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:253)
at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:424)
at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:420)
at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:417)
Caused by: java.net.ConnectException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certificat
ion path to requested target
at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener.onFailure(NettyConnectListener.java:179)
at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener$1.onFailure(NettyConnectListener.java:151)
at play.shaded.ahc.org.asynchttpclient.netty.SimpleFutureListener.operationComplete(SimpleFutureListener.java:26)
at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:577)
at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:570)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
切换为正式证书通过域名访问可以避免,在没有正式证书的前提下,需要手动操作信任,cerebro是java技术栈的服务,本质是个jvm进程
因为cerebro是jvm栈的服务统一用jvm添加证书信任的方式
/usr/local/openjdk-11/lib/security/cacerts
需要在 cerebro 信任证书才可以访问成功
keytool -list -cacerts -keystore $JAVA_HOME/lib/security/cacerts
$JAVA_HOME/lib/security/cacerts 的默认密码为 changeit
证书添加方式参考,添加信任后,cerebro即不会再报ssl相关错误,其他java类服务也是同理,若jvm服务通过docker布署,可以直接把证书打包进docker image
ws-xmlrpc - Using SSL (apache.org)
default passwd changeit
keytool -export -alias tomcat -rfc -file tomcat.crt
keytool -import -alias servercert -file tomcat.crt -keystore truststore
具体操作
- 信任证书
keytool -importcert -trustcacerts -alias esnode.pem -file /root/esnode.pem -keystore $JAVA_HOME/lib/security/cacerts
esnode.pem
ls /usr/share/elasticsearch/config/
elasticsearch.keystore elasticsearch.yml esnode-key.pem esnode.pem jvm.options jvm.options.d kirk-key.pem kirk.pem log4j2.properties opendistro-reports-scheduler root-ca.pem
- 添加host域名解析
echo '172.17.0.4 node-0.example.com' >> /etc/hosts
- restart cerebro
End