Deploying the Elasticsearch cluster monitoring service cerebro: the certificate problem when accessing over HTTPS

The upstream project has a simpler method: https://github.com/lmenezes/cerebro/issues/456

What follows is the approach I worked out myself. For the cerebro case alone it is not very convenient, but it is a general solution for getting any Java/JVM-stack service to trust a self-signed SSL certificate for HTTPS access.

cerebro itself can talk to HTTPS endpoints, but the Elasticsearch bundled by default with Open Distro serves HTTPS with a self-signed certificate. This raises an HTTPS certificate validation problem: a self-signed certificate not issued by a trusted CA is flagged as a risk. The browser warning should be familiar; it has to be overridden manually, and some Chrome versions require typing thisisunsafe on the keyboard. If cerebro does not trust the certificate, it reports an error:

[info] p.c.s.AkkaHttpServer - Listening for HTTP on /0.0.0.0:9000
[error] p.a.h.DefaultHttpErrorHandler -
! @7ipkmli1l - Internal server error, for (POST) [/connect] ->
play.api.UnexpectedException: Unexpected exception[ConnectException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
	at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:331)
	at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:253)
	at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:424)
	at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:420)
	at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:417)
Caused by: java.net.ConnectException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener.onFailure(NettyConnectListener.java:179)
	at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener$1.onFailure(NettyConnectListener.java:151)
	at play.shaded.ahc.org.asynchttpclient.netty.SimpleFutureListener.operationComplete(SimpleFutureListener.java:26)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:577)
	at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:570)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)

Switching to a properly issued certificate and accessing the cluster by domain name avoids the problem. Without a proper certificate, trust has to be configured manually. cerebro is a Java-stack service, which is essentially a JVM process.

Because cerebro is a JVM-stack service, the standard JVM way of adding a trusted certificate applies, namely the JDK truststore:

/usr/local/openjdk-11/lib/security/cacerts

cerebro has to trust the certificate before the connection succeeds.

keytool -list -keystore $JAVA_HOME/lib/security/cacerts

The default password of $JAVA_HOME/lib/security/cacerts is changeit.

Reference for how to add the certificate (below). Once the certificate is trusted, cerebro no longer reports SSL-related errors; the same applies to other Java services. If the JVM service is deployed with Docker, the certificate can be baked directly into the Docker image.

ws-xmlrpc - Using SSL (apache.org)

default password: changeit

keytool -export -alias tomcat -rfc -file tomcat.crt

keytool -import -alias servercert -file tomcat.crt -keystore truststore

Concrete steps

  • Trust the certificate
    keytool -importcert -trustcacerts -alias esnode.pem -file /root/esnode.pem -keystore $JAVA_HOME/lib/security/cacerts

esnode.pem is taken from the Elasticsearch config directory:
ls /usr/share/elasticsearch/config/
elasticsearch.keystore elasticsearch.yml esnode-key.pem esnode.pem jvm.options jvm.options.d kirk-key.pem kirk.pem log4j2.properties opendistro-reports-scheduler root-ca.pem

  • Add a hosts entry for the node's domain name

echo '172.17.0.4 node-0.example.com' >> /etc/hosts


  • Restart cerebro
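
The trust step above in scripted, re-runnable form, added here as an example (not cerebro's or Open Distro's own tooling). It imports the cluster's root-ca.pem into the JDK cacerts (or into any truststore passed as an argument, so the same script can be RUN in a Dockerfile), replaces a stale entry under the same alias, and verifies the import with keytool -list; importing the CA rather than the node leaf esnode.pem means every node certificate issued by that CA validates. Assumed: keytool on PATH, the default changeit password unless TRUSTSTORE_PASS is set, GNU readlink, and the alias name opendistro-root-ca.

```shell
#!/bin/sh
# Added example: import a self-signed CA certificate into a JVM truststore so
# that cerebro (or any JVM service) trusts the Open Distro Elasticsearch HTTPS endpoint.
# Assumptions (not from the post): keytool is on PATH and the truststore
# password is the JDK default "changeit" unless TRUSTSTORE_PASS is set.
set -eu

# Resolve the JDK cacerts file: prefer $JAVA_HOME, otherwise locate it
# relative to the java binary on PATH (matches the openjdk-11 layout above).
jvm_cacerts() {
    if [ -n "${JAVA_HOME:-}" ] && [ -f "$JAVA_HOME/lib/security/cacerts" ]; then
        printf '%s\n' "$JAVA_HOME/lib/security/cacerts"
    else
        java_bin=$(readlink -f "$(command -v java)")
        printf '%s\n' "$(dirname "$java_bin")/../lib/security/cacerts"
    fi
}

# trust_cert <pem file> <alias> [truststore]
# Imports the PEM certificate under <alias>, first removing an existing entry
# of that name so the script can be re-run after a certificate rotation.
trust_cert() {
    pem=$1; alias=$2; store=${3:-$(jvm_cacerts)}
    pass=${TRUSTSTORE_PASS:-changeit}
    [ -r "$pem" ] || { echo "certificate not readable: $pem" >&2; return 1; }
    if keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
        keytool -delete -keystore "$store" -storepass "$pass" -alias "$alias"
    fi
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$store" -storepass "$pass" \
        -alias "$alias" -file "$pem"
}

# cert_trusted <alias> [truststore]: exit 0 when the alias is present in the store
cert_trusted() {
    store=${2:-$(jvm_cacerts)}
    keytool -list -keystore "$store" -storepass "${TRUSTSTORE_PASS:-changeit}" \
        -alias "$1" >/dev/null 2>&1
}

# Usage for the setup in this post (then restart cerebro):
# trust_cert /usr/share/elasticsearch/config/root-ca.pem opendistro-root-ca
# cert_trusted opendistro-root-ca && echo "CA trusted by the JVM"
```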


End

posted @ 2021-03-21 11:38  cclient