ping 期间发现的主节点不足 - Elasticsearch 集群自签名证书
not enough master nodes discovered during pinging - Elasticsearch cluster self signed certificate
我在 this guide
之后使用 SearchGuard 加密 ElasticSearch 集群中的节点
大师:
cluster.name: client1
searchguard.enterprise_modules_enabled: false
node.name: ekl.test.com
node.master: true
node.data: true
node.ingest: true
network.host: 0.0.0.0
#http.host: 0.0.0.0
network.publish_host: ["ekl1.test1.com","ekl.test.com"]
http.port: 9200
discovery.zen.ping.unicast.hosts: ["ekl.test.com", "ekl1.test1.com"]
discovery.zen.minimum_master_nodes: 1
xpack.security.enabled: false
searchguard.ssl.transport.pemcert_filepath: '/etc/elasticsearch/ssl/node1.pem'
searchguard.ssl.transport.pemkey_filepath: 'ssl/node1.key'
searchguard.ssl.transport.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: '/etc/elasticsearch/ssl/node1_http.pem'
searchguard.ssl.http.pemkey_filepath: '/etc/elasticsearch/ssl/node1_http.key'
searchguard.ssl.http.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.nodes_dn:
- CN=ekl.test.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
- CN=ekl1.test1.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
searchguard.authcz.admin_dn:
- CN=admin.test.com,OU=Ops,O=BugBear Com\, Inc.,DC=example,DC=com
节点:
cluster.name: client1
searchguard.enterprise_modules_enabled: false
node.name: ekl1.test.com
node.master: false
node.data: true
node.ingest: false
network.host: 0.0.0.0
#http.host: 0.0.0.0
network.publish_host: ["ekl1.test1.com","ekl.test.com"]
http.port: 9200
discovery.zen.ping.unicast.hosts: ["ekl.test.com", "ekl1.test1.com"]
discovery.zen.minimum_master_nodes: 1
xpack.security.enabled: false
searchguard.ssl.transport.pemcert_filepath: '/etc/elasticsearch/ssl/node2.pem'
searchguard.ssl.transport.pemkey_filepath: 'ssl/node2.key'
searchguard.ssl.transport.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: '/etc/elasticsearch/ssl/node2_http.pem'
searchguard.ssl.http.pemkey_filepath: '/etc/elasticsearch/ssl/node2_http.key'
searchguard.ssl.http.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.nodes_dn:
- CN=ekl.test.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
- CN=ekl1.test1.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
searchguard.authcz.admin_dn:
- CN=admin.test.com,OU=Ops,O=BugBear Com\, Inc.,DC=example,DC=com
Certificates are self-signed
从节点我可以通过主机名远程登录到端口 9200/9300 我可以 ping 和
curl -kvX GET "https://admin:pass@ekl.test.com:9200" 工作正常。
节点错误:
[ekl1.test1.com] ping 期间发现主节点不足(找到 [],但需要 1),再次 ping
两个服务器名称都正确
我怀疑问题出在我将其导入受信任的根 CA 锚中的自签名证书中,但错误仍然存在。
如果我指定 IP 而不是主机名,则得到:
在 http 或传输请求中发现非法参数。
这意味着一个节点正在尝试连接到另一个节点
非节点证书(没有 OID 或 searchguard.nodes_dn 配置不正确)或某人
是欺骗请求。
ES Config path is /etc/elasticsearch
[2019-03-28T21:25:56,450][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] >[ekl1.test1.com] OpenSSL not available (this is not an error, we simply >fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: >io.netty.internal.tcnative.SSL
找到了:不得不添加到非主:
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: ["ekl.test.com:9300"]
transport.host: ekl1.test1.com
我在 this guide
之后使用 SearchGuard 加密 ElasticSearch 集群中的节点大师:
cluster.name: client1
searchguard.enterprise_modules_enabled: false
node.name: ekl.test.com
node.master: true
node.data: true
node.ingest: true
network.host: 0.0.0.0
#http.host: 0.0.0.0
network.publish_host: ["ekl1.test1.com","ekl.test.com"]
http.port: 9200
discovery.zen.ping.unicast.hosts: ["ekl.test.com", "ekl1.test1.com"]
discovery.zen.minimum_master_nodes: 1
xpack.security.enabled: false
searchguard.ssl.transport.pemcert_filepath: '/etc/elasticsearch/ssl/node1.pem'
searchguard.ssl.transport.pemkey_filepath: 'ssl/node1.key'
searchguard.ssl.transport.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: '/etc/elasticsearch/ssl/node1_http.pem'
searchguard.ssl.http.pemkey_filepath: '/etc/elasticsearch/ssl/node1_http.key'
searchguard.ssl.http.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.nodes_dn:
- CN=ekl.test.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
- CN=ekl1.test1.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
searchguard.authcz.admin_dn:
- CN=admin.test.com,OU=Ops,O=BugBear Com\, Inc.,DC=example,DC=com
节点:
cluster.name: client1
searchguard.enterprise_modules_enabled: false
node.name: ekl1.test.com
node.master: false
node.data: true
node.ingest: false
network.host: 0.0.0.0
#http.host: 0.0.0.0
network.publish_host: ["ekl1.test1.com","ekl.test.com"]
http.port: 9200
discovery.zen.ping.unicast.hosts: ["ekl.test.com", "ekl1.test1.com"]
discovery.zen.minimum_master_nodes: 1
xpack.security.enabled: false
searchguard.ssl.transport.pemcert_filepath: '/etc/elasticsearch/ssl/node2.pem'
searchguard.ssl.transport.pemkey_filepath: 'ssl/node2.key'
searchguard.ssl.transport.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: '/etc/elasticsearch/ssl/node2_http.pem'
searchguard.ssl.http.pemkey_filepath: '/etc/elasticsearch/ssl/node2_http.key'
searchguard.ssl.http.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.nodes_dn:
- CN=ekl.test.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
- CN=ekl1.test1.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
searchguard.authcz.admin_dn:
- CN=admin.test.com,OU=Ops,O=BugBear Com\, Inc.,DC=example,DC=com
Certificates are self-signed
从节点我可以通过主机名远程登录到端口 9200/9300 我可以 ping 和
curl -kvX GET "https://admin:pass@ekl.test.com:9200" 工作正常。 节点错误:
[ekl1.test1.com] ping 期间发现主节点不足(找到 [],但需要 1),再次 ping
两个服务器名称都正确
我怀疑问题出在我将其导入受信任的根 CA 锚中的自签名证书中,但错误仍然存在。
如果我指定 IP 而不是主机名,则得到:
在 http 或传输请求中发现非法参数。 这意味着一个节点正在尝试连接到另一个节点 非节点证书(没有 OID 或 searchguard.nodes_dn 配置不正确)或某人 是欺骗请求。
ES Config path is /etc/elasticsearch [2019-03-28T21:25:56,450][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] >[ekl1.test1.com] OpenSSL not available (this is not an error, we simply >fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: >io.netty.internal.tcnative.SSL
找到了:不得不添加到非主:
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: ["ekl.test.com:9300"]
transport.host: ekl1.test1.com