
I am trying to get a CSR file signed, obtain a signed certificate from letsencrypt, and use it with Elasticsearch Shield.

Creating the CSR file:

    cd CONFIG_DIR/shield
    keytool -importcert -keystore node01.jks -file letsencrypt_public.pem -alias letsencrypt
    keytool -genkey -alias node01 -keystore node01.jks -keyalg RSA -keysize 2048 -validity 712 -ext san=dns:domain.com,ip:11.11.11.11
    keytool -certreq -alias node01 -keystore node01.jks -file node01.csr -keyalg rsa -ext san=dns:domain.com,ip:11.11.11.11

Using the official letsencrypt client:

    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    ./letsencrypt-auto --help
    sudo ./letsencrypt-auto auth --csr /etc/elasticsearch/shield/node01.csr

Output:

    etc/elasticsearch/shield/node01.csr
    Checking for new version...
    Requesting root privileges to run letsencrypt...
    /home/usera/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade auth --csr /etc/elasticsearch/shield/node01.csr
    No handlers could be found for logger "letsencrypt.crypto_util"
    An unexpected error occurred:
    The server experienced an internal error :: Error creating new cert
    Please see the logfiles in /var/log/letsencrypt for more details.

Error log:

    raise errors.NoInstallationError
    2016-02-21 12:24:30,042:DEBUG:letsencrypt.plugins.disco:Other error:   (PluginEntryPoint#webroot): Missing parts of webroot configuration; please   set either --webroot-path and --domains, or --webroot-map. Run with  -- help webroot for examples.
    2016-02-21 12:24:34,354:DEBUG:root:Received <Response [500]>. Headers: {'Content-Length': '88', 'Expires': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 21 Feb 2016       12:24:33 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ldZn123451Bb5D1234godjteu1VLjZ5o7eolv'}. Content: '{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}'
    2016-02-21 12:24:34,354:DEBUG:acme.client:Received response <Response [500]> (headers: {'Content-Length': '88', 'Expires': 'Sun, 21 Feb 2016   12:24:33 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 21   Feb 2016 12:24:33 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ldZn123451Bb5D1234godjteu1VLjZ5ov'}):  '{"type":"urn:acme:error:serverInternal","detail":"Error creating new  cert","status":500}'
    Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Error creating new cert

I think I will shut down nginx once Shield is working, but what is the problem here? Why can't the CSR file be signed?


1 Answer


The problem was that the CSR was being generated in the wrong format.

Here is the complete solution for setting up SSL on Shield:

a. Install letsencrypt and obtain the public cacert.pem from letsencrypt

    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    ./letsencrypt-auto --help
    mkdir letsencrypt/public_pem
    mv /home/ubuntu/cacert.pem letsencrypt/public_pem

b. Create the node keystore and import the CA's certificate using Java Keytool.

    cd CONFIG_DIR/shield
    sudo keytool -importcert -keystore node01.jks -file /home/ubuntu/letsencrypt/public_pem/cacert.pem -alias letsencrypt

c. Generate the node's private key and certificate using Java Keytool.

    sudo keytool -genkey -alias node01 -keystore node01.jks -keyalg RSA -keysize 2048 -validity 712 -ext san=dns:domain.com

    Enter keystore password:
    What is your first and last name?
      [Unknown]:  domain.com
    What is the name of your organizational unit?
      [Unknown]:  domain.com
    What is the name of your organizational?
      [Unknown]:  domain
    What is the name of your City or Locality?
      [Unknown]:  Tel Aviv
    What is the name of your State or Province?
      [Unknown]:
    What is the two-letter country code for this unit?
      [Unknown]:  IL
    Is CN=domain.com, OU=domain.com, O=domain, L=Tel Aviv, ST=Unknown,
     C=IL correct?
      [no]:  yes

d. Create the certificate signing request (CSR).

    sudo keytool -certreq -alias node01 -keystore node01.jks -file node01.csr -keyalg rsa -ext san=dns:domain.com
    sudo openssl req -outform der -in node01.csr -out node01.der
    sudo openssl req -inform der -in node01.der -text -noout

e. Send the certificate to the CA for signing.

    cd letsencrypt
    ./letsencrypt-auto auth --csr /etc/elasticsearch/shield/node01.der

    Checking for new version...
    Requesting root privileges to run letsencrypt...
    sudo /home/ubuntu/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade auth --csr /etc/elasticsearch/shield/node01.der

    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
    /home/ubuntu/letsencrypt/0001_chain.pem. Your cert will expire on
    2016-05-22. To obtain a new version of the certificate in the
    future, simply run Let's Encrypt again.

f. Add it to the jks and edit the yml.

    cd CONFIG_DIR/shield
    sudo keytool -importcert -keystore node01.jks -file /home/ubuntu/letsencrypt/0001_chain.pem -alias node01
    cd ..
    sudo nano elasticsearch.yml

    shield.ssl.keystore.path:          /etc/elasticsearch/shield/node01.jks
    shield.ssl.keystore.password:      pass
    shield.transport.ssl: true
    shield.http.ssl: true
    discovery.zen.ping_timeout: 30s

g. Restart Elasticsearch (nginx is not needed).

Answered 2016-02-22T14:08:28.697
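The failure above came down to feeding the client a PEM request (keytool writes one with the legacy `NEW CERTIFICATE REQUEST` label) where it expected DER; step d fixes that with `openssl req -outform der`. The following is an added example, not code from the question or answer, that checks which encoding a CSR file actually has before handing it to the client and converts PEM to DER without external tools. The sample request bytes are a constructed minimal ASN.1 SEQUENCE used only to exercise the checks, not a real CSR.

```python
import base64
import re

# keytool -certreq emits "-----BEGIN NEW CERTIFICATE REQUEST-----";
# openssl req emits "-----BEGIN CERTIFICATE REQUEST-----". Accept both.
PEM_RE = re.compile(
    rb"-----BEGIN (NEW )?CERTIFICATE REQUEST-----\s*(.*?)\s*"
    rb"-----END (NEW )?CERTIFICATE REQUEST-----",
    re.S,
)


def der_length(buf):
    """Total encoded length of the outer DER SEQUENCE in buf, or None if
    the bytes do not start with a well-formed SEQUENCE header."""
    if len(buf) < 2 or buf[0] != 0x30:          # 0x30 = ASN.1 SEQUENCE tag
        return None
    first = buf[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def detect_csr_format(data):
    """Return 'PEM', 'DER' or 'unknown' for the raw bytes of a CSR file."""
    if PEM_RE.search(data):
        return "PEM"
    # A DER file is exactly one SEQUENCE: header length must equal file size.
    if der_length(data) == len(data):
        return "DER"
    return "unknown"


def pem_to_der(data):
    """Decode a PEM certificate request to DER, checking the result parses."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("not a PEM certificate request")
    der = base64.b64decode(b"".join(m.group(2).split()))
    if der_length(der) != len(der):
        raise ValueError("PEM body does not decode to a single ASN.1 SEQUENCE")
    return der


# Constructed test input: SEQUENCE { INTEGER 0 }, not a real CSR.
SAMPLE_DER = b"\x30\x03\x02\x01\x00"
SAMPLE_PEM = (b"-----BEGIN NEW CERTIFICATE REQUEST-----\n"
              + base64.b64encode(SAMPLE_DER) + b"\n"
              + b"-----END NEW CERTIFICATE REQUEST-----\n")
```

Run `detect_csr_format(open("node01.csr", "rb").read())` on the file you are about to pass to `--csr`; if it reports `PEM`, write `pem_to_der(...)` out as `node01.der` instead.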