Why doesn't SSL work between my 2 servers?
I have 2 servers running Ubuntu 18.04:
- monitoring.example.com (ELK on a single server)
- www.example.com (running Filebeat)
On the ELK server
Create the directory to store the SSL certificate
$ sudo mkdir -p /etc/elk-certs
Generate the SSL certificate
$ sudo openssl req -subj '/CN=monitoring.example.com/' -x509 -days 3650 -batch -nodes -newkey rsa:4096 -keyout /etc/elk-certs/monitoring-example-com.key -out /etc/elk-certs/monitoring-example-com.crt
Change the owner
$ sudo chown logstash /etc/elk-certs/monitoring-example-com.crt
$ sudo chown logstash /etc/elk-certs/monitoring-example-com.key
Send the SSL certificate to the client server
$ sudo scp /etc/elk-certs/monitoring-example-com.crt root@22.22.22.222:/tmp
On the client server
Create the directory to store the SSL certificate
$ sudo mkdir -p /etc/elk-certs
Move the certificate into the directory
$ sudo mv /tmp/monitoring-example-com.crt /etc/elk-certs/
On the ELK server
/etc/logstash/conf.d/logstash.conf
This is the configuration file on the server monitoring.example.com:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/elk-certs/monitoring-example-com.crt"
    ssl_key => "/etc/elk-certs/monitoring-example-com.key"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
Restart Logstash
$ sudo systemctl restart logstash
On the client server
/etc/filebeat/filebeat.yml
This is the configuration file on the server www.example.com:

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["monitoring.example.com:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/elk-certs/monitoring-example-com.crt"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/elk-certs/monitoring-example-com.crt"

  # Client Certificate Key
  #ssl.key: "/etc/elk-certs/monitoring-example-com.key"
Restart Filebeat
$ sudo systemctl restart filebeat
Problem
$ curl -v --cacert /etc/elk-certs/monitoring-example-com.crt https://monitoring.example.com:5044

* Rebuilt URL to: https://monitoring.example.com:5044/
*   Trying 2001:43d9:363:1000::2b16...
* TCP_NODELAY set
*   Trying 51.95.207.228...
* TCP_NODELAY set
* Connected to monitoring.example.com (51.95.207.228) port 5044 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/elk-certs/monitoring-example-com.crt
  CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=monitoring.example.com
*  start date: May 11 22:26:42 2019 GMT
*  expire date: May  8 22:26:42 2029 GMT
*  subjectAltName does not match monitoring.example.com
* SSL: no alternative certificate subject name matches target host name 'monitoring.example.com'
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'monitoring.example.com'
Right now Logstash is not receiving any data from Filebeat.
You are missing the SAN record in the certificate.
Generate the certificate again with the following commands:
basename=/etc/elk-certs/monitoring-example-com
openssl req -newkey rsa:4096 -nodes -keyout $basename.key -subj "/CN=monitoring.example.com" -out $basename.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:monitoring.example.com") -sha256 -days 3650 -in $basename.csr -signkey $basename.key -out $basename.crt
I added -sha256 above, but you can remove it if you want.
Test the generated certificate:
openssl x509 -in $basename.crt -text -noout
It should contain the following data:

        Subject: CN=monitoring.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:monitoring.example.com
Also make sure to remove the comments there:

  # Certificate for SSL client authentication
  ssl.certificate: "/etc/elk-certs/monitoring-example-com.crt"

  # Client Certificate Key
  ssl.key: "/etc/elk-certs/monitoring-example-com.key"
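The following script is an added example, not code from the question or the answer above. It wraps the answer's two-step procedure (CSR, then self-sign with a subjectAltName extension) in a function and then checks the result against a hostname the way curl --cacert and Filebeat's ssl.certificate_authorities do, so a SAN mismatch like the curl error 51 in the question is caught before anything is restarted. It assumes only the openssl CLI (1.0.2 or newer, for -checkhost and -verify_hostname); directory, basename and hostname are parameters, and the temporary extension file replaces the bash-only <(printf ...) process substitution so the script also runs under plain sh.

```shell
#!/bin/sh
# Added example (not from the original post): build a self-signed server
# certificate that carries a subjectAltName, then verify it for a hostname
# the same way a TLS client would. Assumes the openssl CLI is installed.
set -eu

# make_san_cert DIR BASENAME HOSTNAME
# Writes DIR/BASENAME.key, .csr and .crt; the certificate has CN=HOSTNAME and
# a DNS SAN of HOSTNAME. Same CSR + self-sign steps as the answer, with a
# temporary ext file instead of <(printf ...) so it works without bash.
make_san_cert() {
  dir=$1; base=$2; host=$3
  mkdir -p "$dir"
  # A 2048-bit key keeps the example fast; the question used rsa:4096.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/$base.key" -subj "/CN=$host" \
    -out "$dir/$base.csr" 2>/dev/null
  ext="$dir/$base.ext"
  printf 'subjectAltName=DNS:%s\n' "$host" > "$ext"
  openssl x509 -req -extfile "$ext" -sha256 -days 3650 \
    -in "$dir/$base.csr" -signkey "$dir/$base.key" \
    -out "$dir/$base.crt" 2>/dev/null
  rm -f "$ext"
  chmod 600 "$dir/$base.key"   # the private key must not be world-readable
}

# cert_matches_host CERT HOSTNAME
# Exit 0 when HOSTNAME is covered by the certificate's names (SAN first, CN
# only as a legacy fallback), as decided by openssl's own X509_check_host.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# verify_as_client CACERT HOSTNAME
# What curl --cacert does: chain verification against the given trust anchor
# plus hostname verification. A self-signed certificate verifies against
# itself, which is exactly the setup in the question.
verify_as_client() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demo:  sh san-cert.sh --demo
if [ "${1-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_san_cert "$tmp" monitoring-example-com monitoring.example.com
  openssl x509 -in "$tmp/monitoring-example-com.crt" -noout -text \
    | grep -A1 'Subject Alternative Name'
  for h in monitoring.example.com www.example.com; do
    if verify_as_client "$tmp/monitoring-example-com.crt" "$h"; then
      echo "$h: OK"
    else
      echo "$h: hostname mismatch (curl would report error 51)"
    fi
  done
  rm -rf "$tmp"
fi
```

Run it with --demo to see the SAN line and an OK for monitoring.example.com next to a mismatch for www.example.com; the hostname check is the one that fails when the certificate only has a CN, which is why the original curl test was rejected even though the TLS handshake itself completed.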