sg_config.yml (11.2 KB) elasticsearch.yml (4.7 KB)
Hello.
implementation 'com.floragunn:search-guard-ssl:6.5.3-25.6'
Elasticsearch version 6.5.3
Search Guard version 6
I created certificates following this manual: Offline TLS Tool | Security for Elasticsearch | Search Guard
After that I have these keys:
kirk.key
kirk.pem
node1.key
node1.pem
root-ca.key
root-ca.pem
Access to Elasticsearch works fine: https://localhost:9200/_searchguard/authinfo
With curl I can get access only with these parameters:
curl --cacert root-ca.pem -u admin:admin -XGET "https://localhost:9200/_mapping"
With the certificate node1.pem I get an error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
- why?
Then I looked at this manual: Security for Elasticsearch | Using Transport Clients | Search Guard
With keystore and truststore I get the error: "ElasticsearchSecurityException No certificates found in keystore with alias server-crt"
Then I set the parameters without a keystore, like this:
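import java.net.InetAddress;
import java.net.UnknownHostException;
import org.elasticsearch.client.Client;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.transport.client.PreBuiltTransportClient;
import org.springframework.context.annotation.Bean;
import com.floragunn.searchguard.ssl.SearchGuardSSLPlugin;
import com.floragunn.searchguard.ssl.util.SSLConfigConstants;

@Bean
public Client client() throws UnknownHostException {
    Settings settings = Settings.builder()
            .put("cluster.name", clusterName)
            // Transport layer (port 9300): PEM key, certificate and trusted CA
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, CONST + "node1.key")
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH, CONST + "node1.pem")
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, CONST + "root-ca.pem")
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, false)
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
            // HTTP layer (port 9200): same key material
            .put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED, true)
            .put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMCERT_FILEPATH, CONST + "node1.pem")
            .put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMKEY_FILEPATH, CONST + "node1.key")
            .put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, CONST + "root-ca.pem")
            .build();
    // Register the Search Guard SSL plugin with the transport client
    TransportClient client = new PreBuiltTransportClient(settings, SearchGuardSSLPlugin.class);
    client.addTransportAddress(new TransportAddress(InetAddress.getByName(esHost), esPort));
    return client;
}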
elasticsearch.log
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 455300000027000000000000000d08004d3603000016696e7465726e616c3a7463702f68616e647368616b6500
application.log
2019-10-23 12:14:14.244 ERROR 10877 --- [ main] .d.e.r.s.AbstractElasticsearchRepository : failed to load elasticsearch nodes : org.elasticsearch.client.transport.NoNodeAvailableException: None of the configured nodes are available: [{#transport#-1}{8T3BU7CHQKyWYuwR98fJfA}{127.0.0.1}{127.0.0.1:9300}]
Now I do not know what to do.
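Added example, not part of the original post: the hex payload in the elasticsearch.log line above can be decoded to see what the node received on its TLS transport port. This Python sketch assumes an Elasticsearch transport frame starts with the marker bytes `ES` followed by a 4-byte big-endian length; the function names are hypothetical.

```python
import re
import struct

# Log line copied from the elasticsearch.log excerpt in the post.
LOG_LINE = (
    "Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: "
    "455300000027000000000000000d08004d3603000016"
    "696e7465726e616c3a7463702f68616e647368616b6500"
)

# First four bytes of common cleartext HTTP requests.
HTTP_PREFIXES = (b"GET ", b"POST", b"PUT ", b"HEAD", b"DELE", b"OPTI")


def rejected_bytes(log_line):
    """Return the raw bytes Netty printed after 'not an SSL/TLS record:'."""
    m = re.search(r"not an SSL/TLS record:\s*([0-9a-fA-F]+)", log_line)
    if not m:
        raise ValueError("no NotSslRecordException payload in line")
    hexstr = m.group(1)
    # Netty may cut the dump short; drop a dangling half-byte if present.
    return bytes.fromhex(hexstr[: len(hexstr) // 2 * 2])


def classify(payload):
    """Describe the cleartext that a peer sent to a TLS-only port."""
    info = {
        "kind": "unknown",
        # Printable ASCII runs (4+ chars) usually name the protocol or action.
        "strings": [s.decode() for s in re.findall(rb"[\x20-\x7e]{4,}", payload)],
    }
    if payload[:2] == b"ES" and len(payload) >= 6:
        # Assumed layout: 'E','S' marker, then 4-byte big-endian frame length.
        declared = struct.unpack(">I", payload[2:6])[0]
        info["kind"] = "plaintext-es-transport"
        info["declared_length"] = declared
        info["length_matches"] = declared == len(payload) - 6
    elif payload[:4] in HTTP_PREFIXES:
        info["kind"] = "plaintext-http"
    return info


if __name__ == "__main__":
    print(classify(rejected_bytes(LOG_LINE)))
```

For the line from the post it reports a cleartext Elasticsearch transport frame carrying the action `internal:tcp/handshake`, meaning the connection reached the node's transport port without TLS.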