Opensearch Error pinging Elastic server: x509 certificate signed by unknown authority

Question

I am trying to build an Opensearch client using Go language. However, I am facing an error while pinging the Opensearch server. The error message is as follows:

{"level":"error","time":"2023-04-28T02:29:00+03:00","message":"Failed to build ES client: error pinging elastic server: Get \"https://192.168.8.136:9200/\": x509: certificate signed by unknown authority"}
{"level":"error","time":"2023-04-28T02:29:00+03:00","message":"Failed to initialize service ===>: error possible due to certificate issue"}

I understand that this error is related to the SSL/TLS certificate, which is not trusted by the client. Can anyone suggest a possible solution to resolve this issue? I have already tried disabling certificate validation, but it did not help. Thank you in advance for your help.

Kudos to chatgpt for writing the question for me.

Answer 1

Score: 2

> I expected this configuration to allow me with untrusted certs
>
>
> plugins.securtiy.allow_unsafe_democertificates=true
>

This configuration means that you allow the server to use the demo certificate. It does not change the fact that the demo certificate is untrusted by the client. If you want to make it work, you can configure the client to ignore certificate errors:

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httputil"
)

func main() {
	req, err := http.NewRequest("GET", "https://localhost:9200", nil)
	if err != nil {
		panic(err)
	}
	// Default credentials of the OpenSearch demo configuration.
	req.SetBasicAuth("admin", "admin")

	client := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				// Skips verification of the server certificate chain and host name.
				InsecureSkipVerify: true,
			},
		},
	}
	res, err := client.Do(req)
	if err != nil {
		panic(err)
	}

	defer res.Body.Close()

	// Dump status line, headers and body of the response.
	buf, err := httputil.DumpResponse(res, true)
	if err != nil {
		panic(err)
	}

	fmt.Printf("%s\n", buf)
}
```

InsecureSkipVerify: true makes the client ignore the certificate errors. The opensearch-go package accepts the same configuration like this:

```go
cfg := opensearch.Config{
	// ...
	Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: true,
		},
	},
}
```

Another option is to modify opensearch.yml to disable HTTPS on the server:

plugins.security.ssl.http.enabled: false

Note: Do not ignore server certificate errors or disable HTTPS when you go into production.

huangapple
  • Published on April 28, 2023, 07:50:03
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76125365.html