使用 letsencrypt 的 Elasticsearch Shield SSL 无法签署 csr 错误
Elasticsearch Shield SSL with letsencrypt failed to sign csr ERROR
我正在尝试签署 csr 文件以通过 letsencrypt 获得签名证书并将其与 Elasticsearch Shield 一起使用。
正在创建 csr 文件:
cd CONFIG_DIR/shield
keytool -importcert -keystore node01.jks -file letsencrypt_public.pem -alias letsencrypt
keytool -genkey -alias node01 -keystore node01.jks -keyalg RSA -keysize 2048 -validity 712 -ext san=dns:domain.com,ip:11.11.11.11
keytool -certreq -alias node01 -keystore node01.jks -file node01.csr -keyalg rsa -ext san=dns:domain.com,ip:11.11.11.11
使用letsencrypt官方客户端:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
sudo ./letsencrypt-auto auth --csr /etc/elasticsearch/shield/node01.csr
输出:
etc/elasticsearch/shield/node01.csr
Checking for new version...
Requesting root privileges to run letsencrypt...
/home/usera/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade auth --csr /etc/elasticsearch/shield/node01.csr
No handlers could be found for logger "letsencrypt.crypto_util"
An unexpected error occurred:
The server experienced an internal error :: Error creating new cert
Please see the logfiles in /var/log/letsencrypt for more details.
错误日志:
raise errors.NoInstallationError
2016-02-21 12:24:30,042:DEBUG:letsencrypt.plugins.disco:Other error: (PluginEntryPoint#webroot): Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with -- help webroot for examples.
2016-02-21 12:24:34,354:DEBUG:root:Received <Response [500]>. Headers: {'Content-Length': '88', 'Expires': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ldZn123451Bb5D1234godjteu1VLjZ5o7eolv'}. Content: '{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}'
2016-02-21 12:24:34,354:DEBUG:acme.client:Received response <Response [500]> (headers: {'Content-Length': '88', 'Expires': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ldZn123451Bb5D1234godjteu1VLjZ5ov'}): '{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}'
Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Error creating new cert
我想当我让 Shield 工作时我会关闭 nginx,所以这里有什么问题?为什么我不能签署 csr 文件?
问题是 csr generated in wrong format.
set ssl in shield的完整解法是:
一个。安装 letsencrypt 并从 letsencrypt:
获取 public cacert.pem
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
mkdir letsencrypt/public_pem
mv /home/ubuntu/cacert.pem letsencrypt/public_pem
b。创建节点密钥库并使用 Java Keytool:
导入您的 CA 证书
cd CONFIG_DIR/shield
sudo keytool -importcert -keystore node01.jks -file /home/ubuntu/letsencrypt/public_pem/cacert.pem -alias letsencrypt
c。使用 Java Keytool:
为节点生成私钥和证书
sudo keytool -genkey -alias node01 -keystore node01.jks -keyalg RSA -keysize 2048 -validity 712 -ext san=dns:domain.com
Enter keystore password:
What is your first and last name?
[Unknown]: domain.com
What is the name of your organizational unit?
[Unknown]: domain.com
What is the name of your organizational?
[Unknown]: domain
What is the name of your City or Locality?
[Unknown]: Tel Aviv
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: IL
Is CN=domain.com, OU=domain.com, O=domain, L=Tel Aviv, ST=Unknown,
C=IL correct?
[no]: yes
d。创建证书签名请求 (CSR):
sudo keytool -certreq -alias node01 -keystore node01.jks -file node01.csr -keyalg rsa -ext san=dns:domain.com
sudo openssl req -outform der -in node01.csr -out node01.der
sudo openssl req -inform der -in node01.der -text -noout
e。将证书发送给您的 CA 进行签名:
cd letsencrypt
./letsencrypt-auto auth --csr /etc/elasticsearch/shield/node01.der
Checking for new version...
Requesting root privileges to run letsencrypt...
sudo /home/ubuntu/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade auth --csr /etc/elasticsearch/shield/node01.der
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/home/ubuntu/letsencrypt/0001_chain.pem. Your cert will expire on
2016-05-22. To obtain a new version of the certificate in the
future, simply run Let's Encrypt again.
f。添加到 jks 并编辑 yml:
cd CONFIG_DIR/shield
sudo keytool -importcert -keystore node01.jks -file /home/ubuntu/letsencrypt/0001_chain.pem -alias node01
cd ..
sudo nano elasticsearch.yml
shield.ssl.keystore.path: /etc/elasticsearch/shield/node01.jks
shield.ssl.keystore.password: pass
shield.transport.ssl: true
shield.http.ssl: true
discovery.zen.ping_timeout: 30s
克。重启 Elasticsearch(不需要 nginx)。
我正在尝试签署 csr 文件以通过 letsencrypt 获得签名证书并将其与 Elasticsearch Shield 一起使用。
正在创建 csr 文件:
cd CONFIG_DIR/shield
keytool -importcert -keystore node01.jks -file letsencrypt_public.pem -alias letsencrypt
keytool -genkey -alias node01 -keystore node01.jks -keyalg RSA -keysize 2048 -validity 712 -ext san=dns:domain.com,ip:11.11.11.11
keytool -certreq -alias node01 -keystore node01.jks -file node01.csr -keyalg rsa -ext san=dns:domain.com,ip:11.11.11.11
使用letsencrypt官方客户端:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
sudo ./letsencrypt-auto auth --csr /etc/elasticsearch/shield/node01.csr
输出:
etc/elasticsearch/shield/node01.csr
Checking for new version...
Requesting root privileges to run letsencrypt...
/home/usera/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade auth --csr /etc/elasticsearch/shield/node01.csr
No handlers could be found for logger "letsencrypt.crypto_util"
An unexpected error occurred:
The server experienced an internal error :: Error creating new cert
Please see the logfiles in /var/log/letsencrypt for more details.
错误日志:
raise errors.NoInstallationError
2016-02-21 12:24:30,042:DEBUG:letsencrypt.plugins.disco:Other error: (PluginEntryPoint#webroot): Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with -- help webroot for examples.
2016-02-21 12:24:34,354:DEBUG:root:Received <Response [500]>. Headers: {'Content-Length': '88', 'Expires': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ldZn123451Bb5D1234godjteu1VLjZ5o7eolv'}. Content: '{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}'
2016-02-21 12:24:34,354:DEBUG:acme.client:Received response <Response [500]> (headers: {'Content-Length': '88', 'Expires': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ldZn123451Bb5D1234godjteu1VLjZ5ov'}): '{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}'
Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Error creating new cert
我想当我让 Shield 工作时我会关闭 nginx,所以这里有什么问题?为什么我不能签署 csr 文件?
问题是 csr generated in wrong format.
set ssl in shield的完整解法是:
一个。安装 letsencrypt 并从 letsencrypt:
获取 public cacert.pem git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
mkdir letsencrypt/public_pem
mv /home/ubuntu/cacert.pem letsencrypt/public_pem
b。创建节点密钥库并使用 Java Keytool:
导入您的 CA 证书 cd CONFIG_DIR/shield
sudo keytool -importcert -keystore node01.jks -file /home/ubuntu/letsencrypt/public_pem/cacert.pem -alias letsencrypt
c。使用 Java Keytool:
为节点生成私钥和证书 sudo keytool -genkey -alias node01 -keystore node01.jks -keyalg RSA -keysize 2048 -validity 712 -ext san=dns:domain.com
Enter keystore password:
What is your first and last name?
[Unknown]: domain.com
What is the name of your organizational unit?
[Unknown]: domain.com
What is the name of your organizational?
[Unknown]: domain
What is the name of your City or Locality?
[Unknown]: Tel Aviv
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: IL
Is CN=domain.com, OU=domain.com, O=domain, L=Tel Aviv, ST=Unknown,
C=IL correct?
[no]: yes
d。创建证书签名请求 (CSR):
sudo keytool -certreq -alias node01 -keystore node01.jks -file node01.csr -keyalg rsa -ext san=dns:domain.com
sudo openssl req -outform der -in node01.csr -out node01.der
sudo openssl req -inform der -in node01.der -text -noout
e。将证书发送给您的 CA 进行签名:
cd letsencrypt
./letsencrypt-auto auth --csr /etc/elasticsearch/shield/node01.der
Checking for new version...
Requesting root privileges to run letsencrypt...
sudo /home/ubuntu/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade auth --csr /etc/elasticsearch/shield/node01.der
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/home/ubuntu/letsencrypt/0001_chain.pem. Your cert will expire on
2016-05-22. To obtain a new version of the certificate in the
future, simply run Let's Encrypt again.
f。添加到 jks 并编辑 yml:
cd CONFIG_DIR/shield
sudo keytool -importcert -keystore node01.jks -file /home/ubuntu/letsencrypt/0001_chain.pem -alias node01
cd ..
sudo nano elasticsearch.yml
shield.ssl.keystore.path: /etc/elasticsearch/shield/node01.jks
shield.ssl.keystore.password: pass
shield.transport.ssl: true
shield.http.ssl: true
discovery.zen.ping_timeout: 30s
克。重启 Elasticsearch(不需要 nginx)。