In most of my earlier articles I configured clients with the CA certificate file itself. In many other situations we can instead connect using the fingerprint of that CA certificate. So how do we obtain this fingerprint, and how do we use it?

First install Elasticsearch by following the earlier tutorial "Elastic Stack 8.0 安装 - 保护你的 Elastic Stack 现在比以往任何时候都简单" (Installing Elastic Stack 8.0: securing your Elastic Stack is now easier than ever). All of the certificate material can be found under the installation directory. The password that keytool prompts for below is the value stored under xpack.security.http.ssl.keystore.secure_password, which `elasticsearch-keystore show` prints:
```shell
$ pwd
/Users/liuxg/test/elasticsearch-8.4.3
$ ./bin/elasticsearch-keystore list
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password
$ ./bin/elasticsearch-keystore show xpack.security.http.ssl.keystore.secure_password
6ngKg4CZTYW0k_qM1hmZvw
$ cd config/certs/
$ ls
http.p12	http_ca.crt	transport.p12
$ keytool -keystore http.p12 -list
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

http, Oct 9, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 27:FD:E0:B7:29:D3:74:73:D3:17:D4:90:EC:96:92:24:05:3E:88:71:CF:2B:1D:46:3D:D4:3F:3D:B1:A6:9A:08
http_ca, Oct 9, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): CC:F0:AA:AF:B9:45:4E:0A:6E:AC:8D:BA:4B:22:56:8B:B3:0C:C9:D2:C0:ED:4F:40:E2:74:8A:3E:C1:A7:AD:B2
```
As shown above, the http_ca entry gives us the fingerprint of the CA certificate. (Elasticsearch also prints the same value, labelled "HTTP CA certificate SHA-256 fingerprint", in its terminal output the first time it starts.) We can equally extract the fingerprint directly from the http_ca.crt file:
```shell
$ openssl x509 -fingerprint -sha256 -noout -in http_ca.crt
sha256 Fingerprint=CC:F0:AA:AF:B9:45:4E:0A:6E:AC:8D:BA:4B:22:56:8B:B3:0C:C9:D2:C0:ED:4F:40:E2:74:8A:3E:C1:A7:AD:B2
```
This prints the same fingerprint. In actual use, however, the colon-separated form is not what the Beats setting expects: `ssl.ca_trusted_fingerprint` takes the SHA-256 digest as plain hex with no separators. We can strip the colons with the following command:

macOS (LibreSSL prints the prefix in lowercase, `sha256 Fingerprint=`):

```shell
$ openssl x509 -in http_ca.crt -sha256 -fingerprint | grep sha256 | sed 's/://g'
sha256 Fingerprint=CCF0AAAFB9454E0A6EAC8DBA4B22568BB30CC9D2C0ED4F40E2748A3EC1A7ADB2
```

Linux (OpenSSL prints the prefix as `SHA256 Fingerprint=`, and grep is case-sensitive, hence the different pattern):

```shell
openssl x509 -in http_ca.crt -sha256 -fingerprint | grep SHA256 | sed 's/://g'
```

Two details are worth noting. Without `-noout`, openssl also prints the PEM body of the certificate, which is why the output is piped through grep at all. And `sed` only removes the colons; the `sha256 Fingerprint=` prefix stays in the output, so copy only the 64 hex characters after the `=` into the configuration. Using `grep -i sha256` makes a single command work on either platform.
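The following script is an added example, not code from the original article: it folds the macOS and Linux variants above into one portable pipeline that prints only the colon-free digest, and adds a format check so that a fingerprint that still carries colons or the `sha256 Fingerprint=` prefix is rejected before it lands in filebeat.yml. The function names are my own; `cert_fingerprint` assumes an `openssl` (or LibreSSL) binary on PATH, and the sample lines fed to the functions in testing are constructed to mirror the outputs shown above.

```bash
#!/bin/sh
# Added example (not from the original article): obtain the colon-free SHA-256
# fingerprint that Beats' ssl.ca_trusted_fingerprint expects, on macOS or Linux.

# strip_fingerprint: read the output of `openssl x509 -fingerprint -sha256` on
# stdin and print only the hex digest, colons removed and uppercased.
# `grep -i` matches both the lowercase "sha256 Fingerprint=" prefix (LibreSSL
# on macOS) and the uppercase "SHA256 Fingerprint=" prefix (OpenSSL on Linux),
# so the same pipeline works on either platform. Any PEM body lines that
# appear when -noout is omitted are dropped by the grep.
strip_fingerprint() {
    grep -i 'sha256 fingerprint=' | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# cert_fingerprint: fingerprint of a PEM certificate file such as
# config/certs/http_ca.crt. -noout keeps the PEM body out of the output.
# Assumes an openssl binary on PATH.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | strip_fingerprint
}

# is_valid_fingerprint: exit status 0 only for exactly 64 hex characters, the
# form that is safe to paste into filebeat.yml. Run it before committing a
# value to configuration so a copy of the colon form, or of the whole
# "sha256 Fingerprint=..." line, is caught early instead of at handshake time.
is_valid_fingerprint() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{64}$'
}

# Usage:  sh fingerprint.sh /path/to/http_ca.crt
# Prints a ready-to-paste filebeat.yml line. Runs only when a file is given.
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    fp=$(cert_fingerprint "$1")
    if is_valid_fingerprint "$fp"; then
        printf 'ssl.ca_trusted_fingerprint: "%s"\n' "$fp"
    else
        echo "could not extract a SHA-256 fingerprint from $1" >&2
        exit 1
    fi
fi
```

Because the digest is what the client will trust, copy it from the Elasticsearch host (over SSH, or from the first-start console output), never from a download over the very HTTPS connection the fingerprint is meant to authenticate.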
Once we have the fingerprint, we can configure Beats as follows. `ssl.ca_trusted_fingerprint` takes the hex-encoded SHA-256 of a CA certificate: if a certificate with that fingerprint is present in the chain the server presents during the TLS handshake, it is added to the trusted certificate authorities and verification continues normally. Trust is therefore pinned to that one CA, and only the fingerprint needs to be distributed to each Beats host rather than the http_ca.crt file itself. Obtain the fingerprint out of band, as above, not over the connection it is meant to protect.

filebeat.yml
```yaml
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "6bTlJp388KkgJKWi+hQr"
  ssl.ca_trusted_fingerprint: "CCF0AAAFB9454E0A6EAC8DBA4B22568BB30CC9D2C0ED4F40E2748A3EC1A7ADB2"
```
Above we configured the output.elasticsearch section; adjust the hosts, credentials and fingerprint to match your own deployment. For anything beyond a test setup, prefer an API key, or store the password in the Filebeat keystore (`filebeat keystore add`) and reference it as `${VARIABLE}`, rather than leaving a plaintext password in filebeat.yml. Save filebeat.yml and test the output:
```shell
$ pwd
/Users/liuxg/test/filebeat-8.4.3-darwin-aarch64
$ vi filebeat.yml
$ ./filebeat test output
elasticsearch: https://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: ::1, 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 8.4.3
```
The output shows that the configuration works. Note the line `security: server's certificate chain verification is enabled`: Filebeat is still validating the server's certificate, we did not have to disable verification, and the TLSv1.3 handshake succeeds with the CA trusted by its fingerprint alone. If the fingerprint does not match any certificate in the chain the server presents, and no other CA is configured, the `handshake...` step fails instead.