Ubuntu

Why doesn't SSL work between my 2 servers?

  • May 22, 2019

I have 2 servers running Ubuntu 18.04:

  • monitoring.example.com (ELK on a single server)
  • www.example.com (with Filebeat)

On the ELK server

Create a directory to store the SSL certificate

$ sudo mkdir -p /etc/elk-certs

Generate the SSL certificate

$ sudo openssl req -subj '/CN=monitoring.example.com/' -x509 -days 3650 -batch -nodes -newkey rsa:4096 -keyout /etc/elk-certs/monitoring-example-com.key -out /etc/elk-certs/monitoring-example-com.crt

Change the owner

$ sudo chown logstash /etc/elk-certs/monitoring-example-com.crt
$ sudo chown logstash /etc/elk-certs/monitoring-example-com.key

Send the SSL certificate to the client server

$ sudo scp /etc/elk-certs/monitoring-example-com.crt root@22.22.22.222:/tmp

On the client server

Create a directory to store the SSL certificate

$ sudo mkdir -p /etc/elk-certs

Move the certificate into the directory

$ sudo mv /tmp/monitoring-example-com.crt /etc/elk-certs/

On the ELK server

This is the configuration file /etc/logstash/conf.d/logstash.conf on server monitoring.example.com:

input {
 beats {
   port => 5044
   ssl => true
   ssl_certificate => "/etc/elk-certs/monitoring-example-com.crt"
   ssl_key => "/etc/elk-certs/monitoring-example-com.key"
 }
}
output {
 elasticsearch {
   hosts => ["localhost:9200"]
   manage_template => false
   index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
 }
}

Restart Logstash

$ sudo systemctl restart logstash

On the client server

This is the configuration file /etc/filebeat/filebeat.yml on server www.example.com:

#----------------------------- Logstash output --------------------------------
output.logstash:
 # The Logstash hosts
 hosts: ["monitoring.example.com:5044"]

 # Optional SSL. By default is off.
 # List of root certificates for HTTPS server verifications
 ssl.certificate_authorities: ["/etc/elk-certs/monitoring-example-com.crt"]

 # Certificate for SSL client authentication
 #ssl.certificate: "/etc/elk-certs/monitoring-example-com.crt"

 # Client Certificate Key
 #ssl.key: "/etc/elk-certs/monitoring-example-com.key"

Restart Filebeat

$ sudo systemctl restart filebeat

Problem

$ curl -v --cacert /etc/elk-certs/monitoring-example-com.crt https://monitoring.example.com:5044

* Rebuilt URL to: https://monitoring.example.com:5044/
*   Trying 2001:43d9:363:1000::2b16...
* TCP_NODELAY set
*   Trying 51.95.207.228...
* TCP_NODELAY set
* Connected to monitoring.example.com (51.95.207.228) port 5044 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/elk-certs/monitoring-example-com.crt
 CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=monitoring.example.com
*  start date: May 11 22:26:42 2019 GMT
*  expire date: May  8 22:26:42 2029 GMT
*  subjectAltName does not match monitoring.example.com
* SSL: no alternative certificate subject name matches target host name 'monitoring.example.com'
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'monitoring.example.com'

Currently Logstash is not receiving any data from Filebeat.

You are missing the SAN record in the certificate.

Generate the certificate again with the following commands:

basename=/etc/elk-certs/monitoring-example-com

openssl req -newkey rsa:4096 -nodes -keyout $basename.key -subj "/CN=monitoring.example.com" -out $basename.csr

openssl x509 -req -extfile <(printf "subjectAltName=DNS:monitoring.example.com") -sha256 -days 3650 -in $basename.csr -signkey $basename.key -out $basename.crt

I added -sha256 above, but you can remove it if you wish.

Test the generated certificate:

openssl x509 -in $basename.crt -text -noout

It should contain the following data:

Subject: CN=monitoring.example.com

X509v3 extensions:
   X509v3 Subject Alternative Name:
       DNS:monitoring.example.com

Also make sure you remove the comment marks there:

# Certificate for SSL client authentication
ssl.certificate: "/etc/elk-certs/monitoring-example-com.crt"

# Client Certificate Key
ssl.key: "/etc/elk-certs/monitoring-example-com.key"
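The regeneration and check described in the answer above, as an added example that is not part of the original question or answer: a POSIX sh script that issues a self-signed certificate carrying a subjectAltName and then validates it by host name, which is the check curl performed and the one Filebeat's ssl.certificate_authorities setting relies on. The function names and the /tmp/elk-certs-demo output directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): issue a self-signed certificate
# that carries a subjectAltName and verify it by host name, the way curl and
# Filebeat's ssl.certificate_authorities do. Paths are assumptions.

# gen_san_cert HOST DIR: writes HOST's key/CSR/cert under DIR, prints cert path.
gen_san_cert() {
  host="$1"; dir="$2"
  mkdir -p "$dir" || return 1
  # monitoring.example.com -> monitoring-example-com, matching the post's naming
  base="$dir/$(printf '%s' "$host" | tr . -)"
  openssl req -newkey rsa:2048 -nodes -keyout "$base.key" \
    -subj "/CN=$host" -out "$base.csr" 2>/dev/null || return 1
  # Extension file on disk instead of <( ) so this runs under plain sh.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$base.ext"
  openssl x509 -req -extfile "$base.ext" -sha256 -days 3650 \
    -in "$base.csr" -signkey "$base.key" -out "$base.crt" 2>/dev/null || return 1
  printf '%s\n' "$base.crt"
}

# has_san CERT HOST: succeeds when HOST is listed in the SAN extension.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# verifies_hostname CERT HOST: succeeds when CERT, used as the trust anchor,
# validates for HOST. This is the check that failed in the question's curl run.
verifies_hostname() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Demo run: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  crt=$(gen_san_cert monitoring.example.com /tmp/elk-certs-demo) || exit 1
  has_san "$crt" monitoring.example.com && echo "SAN present"
  verifies_hostname "$crt" monitoring.example.com && echo "hostname OK"
  verifies_hostname "$crt" www.example.com || echo "www.example.com rejected"
fi
```

A certificate with only CN and no SAN fails verifies_hostname, which is exactly the "no alternative certificate subject name matches target host name" error shown in the question.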

Quoted from: https://serverfault.com/questions/967106