con*_*ery 41 ubuntu ssl ssl-certificate tls logstash
我正在尝试设置 logstash 转发器,但是我在创建适当的安全通道时遇到了问题。尝试使用在 virtualbox 中运行的两台 ubuntu(服务器 14.04)机器进行配置。它们是 100% 干净的(未触及主机文件或安装除所需的 java、ngix、elasticsearch 等以外的任何其他软件包,用于 Logstash)
我不相信这是一个 logstash 问题,而是证书处理不当或在 logstash ubuntu 或转发器机器上设置不正确的东西。
我生成了密钥:
sudo openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
我在logstash服务器上的输入conf:
input {
lumberjack {
port => 5000
type => "logs"
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
密钥被复制到转发器主机,它具有以下配置。
{
"network": {
"servers": [ "192.168.2.107:5000" ],
"timeout": 15,
"ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt"
"ssl key": "/etc/pki/tls/certs/logstash-forwarder.key"
},
"files": [
{
"paths": [
"/var/log/syslog",
"/var/log/auth.log"
],
"fields": { "type": "syslog" }
}
]
}
在运行 logstash 服务器时,我在转发器机器上“sudo service logstash-forwarder start”,给我以下重复错误:
Jul 9 05:06:21 ubuntu logstash-forwarder[1374]: 2014/07/09 05:06:21.589762 Connecting to [192.168.2.107]:5000 (192.168.2.107)
Jul 9 05:06:21 ubuntu logstash-forwarder[1374]: 2014/07/09 05:06:21.595105 Failed to tls handshake with 192.168.2.107 x509: cannot validate certificate for 192.168.2.107 because it doesn't contain any IP SANs
Jul 9 05:06:22 ubuntu logstash-forwarder[1374]: 2014/07/09 05:06:22.595971 Connecting to [192.168.2.107]:5000 (192.168.2.107)
Jul 9 05:06:22 ubuntu logstash-forwarder[1374]: 2014/07/09 05:06:22.602024 Failed to tls handshake with 192.168.2.107 x509: cannot validate certificate for 192.168.2.107 because it doesn't contain any IP SANs
正如我之前提到的,我不认为这是日志存储问题,而是证书/机器配置问题。问题是,我似乎无法解决它。希望这里的一些聪明人可以帮助我?
谢谢
Ste*_*ich 46
... 无法与 192.168.2.107 x509 tls 握手:无法验证 192.168.2.107 的证书,因为它不包含任何 IP SAN
SSL 需要对等方的标识,否则您的连接可能会针对解密+ 嗅探/修改数据的中间人,然后将它们再次加密转发到真正的目标。识别是使用 x509 证书完成的,这些证书需要针对受信任的 CA 进行验证,并且需要识别您想要连接的目标。
通常,目标以主机名的形式给出,并根据证书的主题和主题备用名称进行检查。在这种情况下,您的目标是一个 IP。成功验证证书后,IP 必须在主题备用名称部分内的证书中给出,但不是作为 DNS 条目(例如主机名)而是作为 IP。
所以你需要的是:
编辑您/etc/ssl/openssl.cnf 的logstash主机上-添加subjectAltName = IP:192.168.2.107的[v3_ca] 部分。
重新创建证书
将证书和密钥复制到两个主机
PS 考虑-days 365在证书创建命令行中添加或更多,因为默认证书有效期仅为 30 天,您可能不想每个月都重新创建它。
mic*_*lbn 12
在logstash github票证中提到了为伐木工人创建适当证书的脚本:SSL握手失败,因为IP SAN丢失
下载文件:
curl -O https://raw.githubusercontent.com/driskell/log-courier/1.x/src/lc-tlscert/lc-tlscert.go
...构建它:
go build lc-tlscert.go
..并运行:
./lc-tlscert
Specify the Common Name for the certificate. The common name
can be anything, but is usually set to the server's primary
DNS name. Even if you plan to connect via IP address you
should specify the DNS name here.
Common name: you_domain_or_whatever
The next step is to add any additional DNS names and IP
addresses that clients may use to connect to the server. If
you plan to connect to the server via IP address and not DNS
then you must specify those IP addresses here.
When you are finished, just press enter.
DNS or IP address 1: 172.17.42.1 (th ip address to trust)
DNS or IP address 2:
How long should the certificate be valid for? A year (365
days) is usual but requires the certificate to be regenerated
within a year or the certificate will cease working.
Number of days: 3650
Common name: what_ever
DNS SANs:
None
IP SANs:
172.17.42.1
The certificate can now be generated
Press any key to begin generating the self-signed certificate.
Successfully generated certificate
Certificate: selfsigned.crt
Private Key: selfsigned.key
Copy and paste the following into your Log Courier
configuration, adjusting paths as necessary:
"transport": "tls",
"ssl ca": "path/to/selfsigned.crt",
Copy and paste the following into your LogStash configuration,
adjusting paths as necessary:
ssl_certificate => "path/to/selfsigned.crt",
ssl_key => "path/to/selfsigned.key",
小智 8
我有一个真正的问题。我没有使用logstash,我只是想让IP SAN 与docker tls 一起使用。我将按照 https ( https://docs.docker.com/articles/https/ )上的 docker 文章中所述创建证书,然后当我从 docker 客户端连接时:
docker --tlsverify -H tcp://127.0.0.1:2376 version
我会得到这个错误:
...
FATA[0000] An error occurred trying to connect: Get https://127.0.0.1:2376/v1.16/version: \
x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
这让我发疯。我承认,我在 openssl 的所有事情上都磕磕绊绊,所以,每个人都可能已经知道我发现了什么。此处(以及其他所有地方)的 subjectAltName 示例显示更新 openssl.cnf 文件。我无法让它发挥作用。我在 openssl.cnf 上做了一个定位,将其复制到本地目录,然后对其进行更改。当我检查证书时,它不包含扩展名:
openssl x509 -noout -text -in server-cert.pem
用于创建该证书的命令在这里(来自 docker 文章):
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem
您不能在此命令中添加 -config openssl.cnf 行,它无效。你也不能将 openssl.cnf 文件复制到当前目录,修改它,并希望让它以这种方式工作。几行之后,我注意到“客户端”证书使用 -extfile extfile.cnf。所以,我试过这个:
echo subjectAltName = IP:127.0.0.1 > extfile.cnf
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
-out server-cert.pem -extfile extfile.cnf
并修复了它。因此,无论出于何种原因,我的 openssl 版本不允许我修改 openssl.cnf 文件,但是,我可以像这样指定 subjectAltName。效果很好!
您可以指定任意数量的 IP 地址,例如 IP:127.0.0.1,IP:127.0.1.1(也非本地主机)。
| 归档时间: |
|
| 查看次数: |
120880 次 |
| 最近记录: |