通过证书配置集群间节点通信认证:

bin/elasticsearch -E node.name=node1 -E cluster.name=geektime -E path.data=node1_data -E http.port=9200 -E xpack.security.enabled=true -E xpack.security.transport.ssl.enabled=true -E xpack.security.transport.ssl.verification_mode=certificate -E xpack.security.transport.ssl.keystore.path=certs/elastic-certificates.p12 -E xpack.security.transport.ssl.truststore.path=/user/share/elasticsearch/certs/elastic-certificates.p12

报错信息:

java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/elasticsearch/certs" "read")
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
	at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:747)
	at java.base/sun.nio.fs.UnixPath.checkRead(UnixPath.java:810)
	at java.base/sun.nio.fs.UnixFileSystemProvider.exists(UnixFileSystemProvider.java:532)
	at java.base/java.nio.file.Files.exists(Files.java:2514)
	at org.elasticsearch.watcher.FileWatcher$FileObserver.init(FileWatcher.java:147)
	at org.elasticsearch.watcher.FileWatcher$FileObserver.access$000(FileWatcher.java:65)
	at org.elasticsearch.watcher.FileWatcher.doInit(FileWatcher.java:55)
	at org.elasticsearch.watcher.AbstractResourceWatcher.init(AbstractResourceWatcher.java:25)
	at org.elasticsearch.watcher.ResourceWatcherService.add(ResourceWatcherService.java:118)
	at org.elasticsearch.xpack.core.ssl.SSLConfigurationReloader.startWatching(SSLConfigurationReloader.java:103)
	at org.elasticsearch.xpack.core.ssl.SSLConfigurationReloader.<init>(SSLConfigurationReloader.java:47)
	at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:453)
	at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:298)
	at org.elasticsearch.node.Node.lambda$new$18(Node.java:605)
	at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273)
	at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
	at org.elasticsearch.node.Node.<init>(Node.java:609)
	at org.elasticsearch.node.Node.<init>(Node.java:278)
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:217)
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:217)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:397)
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159)

各种尝试:授权文件777、把文件放在config/certs下、放在/opt/elaticsearch/certs下,都想不通,然后猜测可能是路径问题,于是不写绝对路径,指定相对路径,看看es从那个目录下获取,改了之后包如下错误,发现是从/etc/elasticsearch/certs下读取:

Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager - truststore file [/etc/elasticsearch/certs/elastic-certificates.p12] does not exist
	at org.elasticsearch.xpack.core.ssl.TrustConfig.missingTrustConfigFile(TrustConfig.java:114) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:69) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:439) ~[?:?]
	at java.util.HashMap.computeIfAbsent(HashMap.java:1224) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:528) ~[?:?]
	at java.util.HashMap.forEach(HashMap.java:1425) ~[?:?]
	at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1521) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:526) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:144) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:454) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:298) ~[?:?]
	at org.elasticsearch.node.Node.lambda$new$18(Node.java:605) ~[elasticsearch-7.13.0.jar:7.13.0]
	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[?:?]
	at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625) ~[?:?]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682) ~[?:?]
	at org.elasticsearch.node.Node.<init>(Node.java:609) ~[elasticsearch-7.13.0.jar:7.13.0]
	at org.elasticsearch.node.Node.<init>(Node.java:278) ~[elasticsearch-7.13.0.jar:7.13.0]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:217) ~[elasticsearch-7.13.0.jar:7.13.0]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:217) ~[elasticsearch-7.13.0.jar:7.13.0]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:397) ~[elasticsearch-7.13.0.jar:7.13.0]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.13.0.jar:7.13.0]
	... 6 more
Caused by: java.nio.file.NoSuchFileException: /etc/elasticsearch/certs/elastic-certificates.p12
	at sun.nio.fs.UnixException.translateToIOException(UnixException.java:92) ~[?:?]
	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) ~[?:?]
	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
	at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219) ~[?:?]
	at java.nio.file.Files.newByteChannel(Files.java:375) ~[?:?]
	at java.nio.file.Files.newByteChannel(Files.java:426) ~[?:?]
	at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420) ~[?:?]
	at java.nio.file.Files.newInputStream(Files.java:160) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.TrustConfig.getStore(TrustConfig.java:96) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:66) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:439) ~[?:?]
	at java.util.HashMap.computeIfAbsent(HashMap.java:1224) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:528) ~[?:?]
	at java.util.HashMap.forEach(HashMap.java:1425) ~[?:?]
	at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1521) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:526) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:144) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:454) ~[?:?]
	at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:298) ~[?:?]
	at org.elasticsearch.node.Node.lambda$new$18(Node.java:605) ~[elasticsearch-7.13.0.jar:7.13.0]
	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[?:?]
	at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625) ~[?:?]
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682) ~[?:?]
	at org.elasticsearch.node.Node.<init>(Node.java:609) ~[elasticsearch-7.13.0.jar:7.13.0]
	at org.elasticsearch.node.Node.<init>(Node.java:278) ~[elasticsearch-7.13.0.jar:7.13.0]
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:217) ~[elasticsearch-7.13.0.jar:7.13.0]
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:217) ~[elasticsearch-7.13.0.jar:7.13.0]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:397) ~[elasticsearch-7.13.0.jar:7.13.0]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.13.0.jar:7.13.0]
	... 6 more
uncaught exception in thread [main]
ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager - truststore file [/etc/elasticsearch/certs/elastic-certificates.p12] does not exist]; nested: NoSuchFileException[/etc/elasticsearch/certs/elastic-certificates.p12];
Likely root cause: java.nio.file.NoSuchFileException: /etc/elasticsearch/certs/elastic-certificates.p12
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219)
	at java.base/java.nio.file.Files.newByteChannel(Files.java:375)
	at java.base/java.nio.file.Files.newByteChannel(Files.java:426)
	at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420)
	at java.base/java.nio.file.Files.newInputStream(Files.java:160)
	at org.elasticsearch.xpack.core.ssl.TrustConfig.getStore(TrustConfig.java:96)
	at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:66)
	at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:439)
	at java.base/java.util.HashMap.computeIfAbsent(HashMap.java:1224)
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:528)
	at java.base/java.util.HashMap.forEach(HashMap.java:1425)
	at java.base/java.util.Collections$UnmodifiableMap.forEach(Collections.java:1521)
	at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:526)
	at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:144)
	at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:454)
	at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:298)
	at org.elasticsearch.node.Node.lambda$new$18(Node.java:605)
	at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273)
	at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
	at org.elasticsearch.node.Node.<init>(Node.java:609)
	at org.elasticsearch.node.Node.<init>(Node.java:278)
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:217)
	<<<truncated>>>

把证书复制到/etc/elasticsearch/certs下,重新启动,成功。

Logo

华为开发者空间,是为全球开发者打造的专属开发空间,汇聚了华为优质开发资源及工具,致力于让每一位开发者拥有一台云主机,基于华为根生态开发、创新。

更多推荐