• Deploying the Elasticsearch cluster monitoring service cerebro: the certificate problem when connecting over HTTPS


    The project itself documents a simpler method: https://github.com/lmenezes/cerebro/issues/456

    What follows is my own approach. It is not the most convenient for the cerebro case alone, but it is a general recipe for getting any Java/JVM-stack service to trust a self-signed SSL certificate over HTTPS.

    cerebro can talk HTTPS, but the Elasticsearch bundled with Open Distro serves HTTPS by default with a self-signed certificate, which raises a certificate validation problem: a certificate not issued by a trusted CA is flagged as a risk. The browser warning should be familiar (you click through manually, and some Chrome versions require typing thisisunsafe on the keyboard). cerebro has no such click-through; if it does not trust the certificate, it errors out:

    [info] p.c.s.AkkaHttpServer - Listening for HTTP on /0.0.0.0:9000
    [error] p.a.h.DefaultHttpErrorHandler -
    ! @7ipkmli1l - Internal server error, for (POST) [/connect] ->
    play.api.UnexpectedException: Unexpected exception[ConnectException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
    unable to find valid certification path to requested target]
    	at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:331)
    	at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:253)
    	at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:424)
    	at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:420)
    	at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:417)
    Caused by: java.net.ConnectException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    	at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener.onFailure(NettyConnectListener.java:179)
    	at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener$1.onFailure(NettyConnectListener.java:151)
    	at play.shaded.ahc.org.asynchttpclient.netty.SimpleFutureListener.operationComplete(SimpleFutureListener.java:26)
    	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:577)
    	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:570)
    Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    	at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
    	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
    

    Switching to a certificate from a public CA and connecting by domain name avoids this. Without such a certificate you have to establish trust by hand. cerebro is a Java-stack service, i.e. a JVM process,

    so the generic JVM way of adding a trusted certificate applies: import it into the JVM's default truststore, which here is

    /usr/local/openjdk-11/lib/security/cacerts

    cerebro can only connect once the certificate is trusted there.

    keytool -list -keystore $JAVA_HOME/lib/security/cacerts

    (On JDK 9 and later, keytool -list -cacerts is shorthand for the same file; -cacerts and -keystore cannot be combined in one command.) The default password of $JAVA_HOME/lib/security/cacerts is changeit.

    The reference below shows how a certificate is added. Once it is trusted, cerebro stops reporting SSL errors, and the same applies to any other Java service. If the JVM service runs in Docker, bake the certificate into the image (import it into the image's cacerts at build time) rather than patching a running container, since that change is lost when the container is recreated.

    ws-xmlrpc - Using SSL (apache.org)

    default password: changeit
    
    keytool -export -alias tomcat -rfc -file tomcat.crt
    
    keytool -import -alias servercert -file tomcat.crt -keystore truststore
    

    Steps

    • Trust the certificate
      keytool -importcert -trustcacerts -alias esnode.pem -file /root/esnode.pem -keystore $JAVA_HOME/lib/security/cacerts

      keytool prompts for the keystore password (changeit) and then asks whether to trust the certificate; answer yes. This imports the node's own certificate; importing root-ca.pem from the same directory instead (with a matching alias) trusts every node certificate issued by that CA, so a node certificate rotation does not break cerebro.

    esnode.pem is taken from the Elasticsearch config directory:
    ls /usr/share/elasticsearch/config/
    elasticsearch.keystore elasticsearch.yml esnode-key.pem esnode.pem jvm.options jvm.options.d kirk-key.pem kirk.pem log4j2.properties opendistro-reports-scheduler root-ca.pem

    • Add a hosts entry for the domain name

    echo '172.17.0.4 node-0.example.com' >> /etc/hosts

    Point cerebro at this hostname rather than at the IP: besides checking the certificate chain, the TLS client verifies that the name it connected to matches the certificate's subject alternative names, and the hosts entry lets cerebro reach the container by the name the certificate was issued for.


    • restart cerebro

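    The three steps above (trust the certificate, add the hosts entry, restart cerebro) as one shell script. This is an added example, not code from the original post or from cerebro/Open Distro, and it deliberately differs from the post in two places: it imports root-ca.pem rather than the node certificate esnode.pem, so every node certificate issued by that CA is trusted, and both the truststore import and the /etc/hosts edit are idempotent (the post's >> redirection appends a duplicate line each time it runs). It also runs an openssl s_client check against the live endpoint so a wrong CA file or hostname mismatch is caught before the JVM truststore is touched. The alias opendistro-root-ca is an assumption; the host node-0.example.com and IP 172.17.0.4 are the values from the post and should be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the original post or from cerebro/Open Distro):
# make a JVM truststore trust the Open Distro self-signed CA idempotently,
# add the /etc/hosts entry only once, and check the TLS setup first.
# Assumptions: alias "opendistro-root-ca" is illustrative; node-0.example.com
# and 172.17.0.4 are the post's values. Adjust for your cluster.
set -eu

STOREPASS=${STOREPASS:-changeit}   # JDK default password for cacerts

# 0 if the alias already exists in the truststore, 1 otherwise.
truststore_has_alias() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# Import a PEM certificate as a trust anchor; safe to re-run.
import_trusted_cert() {
    ts=$1 alias_name=$2 pem=$3
    if truststore_has_alias "$ts" "$alias_name"; then
        echo "alias '$alias_name' already present in $ts"
        return 0
    fi
    keytool -importcert -trustcacerts -noprompt \
        -keystore "$ts" -storepass "$STOREPASS" -alias "$alias_name" -file "$pem"
}

# SHA-256 fingerprint of a PEM cert in the colon-separated form keytool prints,
# so it can be compared with `keytool -list -v -keystore ...` output.
pem_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Independent of the JVM: does this CA validate the live server certificate,
# and does that certificate match the hostname we are about to map in /etc/hosts?
verify_es_tls() {
    ca=$1 host=$2 port=${3:-9200}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$ca" -verify_return_error -verify_hostname "$host" \
        </dev/null >/dev/null 2>&1
}

# Append "ip hostname" only if the hostname is not mapped yet (commented lines
# are ignored). Returns 0 if a line was added, 1 if the host was already present.
ensure_hosts_entry() {
    file=$1 ip=$2 host=$3
    pat=$(printf '%s' "$host" | sed 's/[.]/\\./g')   # literal dots in the name
    if grep -Eq "^[^#]*[[:space:]]$pat([[:space:]]|\$)" "$file"; then
        return 1
    fi
    printf '%s %s\n' "$ip" "$host" >> "$file"
}

main() {
    ca_pem=${1:-/usr/share/elasticsearch/config/root-ca.pem}
    ts=${2:-${JAVA_HOME:?set JAVA_HOME}/lib/security/cacerts}
    es_ip=172.17.0.4 es_host=node-0.example.com   # values from the post

    ensure_hosts_entry /etc/hosts "$es_ip" "$es_host" \
        || echo "$es_host already in /etc/hosts"
    verify_es_tls "$ca_pem" "$es_host" \
        || { echo "CA or hostname does not match $es_host:9200" >&2; exit 1; }
    import_trusted_cert "$ts" opendistro-root-ca "$ca_pem"
    echo "trusted $(pem_sha256 "$ca_pem") in $ts; now restart cerebro"
}

# Run only when given arguments, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

    Run it as sh trust-es-ca.sh /usr/share/elasticsearch/config/root-ca.pem $JAVA_HOME/lib/security/cacerts on the host running cerebro. For a Docker deployment, the same import_trusted_cert call belongs in a RUN step of the cerebro image's Dockerfile against that image's cacerts, which is what "baking the certificate into the image" amounts to; the hosts entry and the openssl check still happen where the container runs.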

    End

  • Source: https://www.cnblogs.com/zihunqingxin/p/14575112.html
Copyright © 2020-2023  润新知