我一直在使用Elasticsearch Python API在集群上做一些基本操作(比如创建索引或列出它们(。一切正常,但我决定在集群上激活 SSL 身份验证,我的脚本不再工作。
我有以下错误:
Certificate did not match expected hostname: X.X.X.X. Certificate: {'subject': ((('commonName', 'X.X.X.X'),),), 'subjectAltName': [('DNS', 'X.X.X.X')]} GET https://X.X.X.X:9201/ [status:N/A request:0.009s] Traceback (most recent call last): File "/home/esadm/env/lib/python3.7/site-packages/urllib3/connectionpool.py", line 672, in urlopen
chunked=chunked, File "/home/esadm/env/lib/python3.7/site-packages/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn) File "/home/esadm/env/lib/python3.7/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
conn.connect() File "/home/esadm/env/lib/python3.7/site-packages/urllib3/connection.py", line 386, in connect
_match_hostname(cert, self.assert_hostname or server_hostname) File "/home/esadm/env/lib/python3.7/site-packages/urllib3/connection.py", line 396, in _match_hostname
match_hostname(cert, asserted_hostname) File "/home/esadm/env/lib/python3.7/ssl.py", line 338, in match_hostname
% (hostname, dnsnames[0])) ssl.SSLCertVerificationError: ("hostname 'X.X.X.X' doesn't match 'X.X.X.X'",)
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "/home/esadm/env/lib/python3.7/site-packages/elasticsearch/connection/http_urllib3.py", line 233, in perform_request
method, url, body, retries=Retry(False), headers=request_headers, **kw File "/home/esadm/env/lib/python3.7/site-packages/urllib3/connectionpool.py", line 720, in urlopen
method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2] File "/home/esadm/env/lib/python3.7/site-packages/urllib3/util/retry.py", line 376, in increment
raise six.reraise(type(error), error, _stacktrace) File "/home/esadm/env/lib/python3.7/site-packages/urllib3/packages/six.py", line 734, in reraise
raise value.with_traceback(tb) File "/home/esadm/env/lib/python3.7/site-packages/urllib3/connectionpool.py", line 672, in urlopen
chunked=chunked, File "/home/esadm/env/lib/python3.7/site-packages/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn) File "/home/esadm/env/lib/python3.7/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
conn.connect() File "/home/esadm/env/lib/python3.7/site-packages/urllib3/connection.py", line 386, in connect
_match_hostname(cert, self.assert_hostname or server_hostname) File "/home/esadm/env/lib/python3.7/site-packages/urllib3/connection.py", line 396, in _match_hostname
match_hostname(cert, asserted_hostname) File "/home/esadm/env/lib/python3.7/ssl.py", line 338, in match_hostname
% (hostname, dnsnames[0])) urllib3.exceptions.SSLError: ("hostname 'X.X.X.X' doesn't match 'X.X.X.X'",)
我不明白的是这条消息没有任何意义:
"hostname 'X.X.X.X' doesn't match 'X.X.X.X'"
因为两个地址匹配,所以它们完全相同!
我已经遵循了文档,我对实例 Elasticsearch 的配置如下所示:
Elasticsearch([get_ip_address()],
http_auth=('elastic', 'pass'),
use_ssl=True,
verify_certs=True,
port=get_instance_port(),
ca_certs='ca.crt',
client_cert='pvln0047.crt',
client_key='pvln0047.key'
)
感谢您的帮助
问题解决了,问题出在构造函数中:
Elasticsearch([get_ip_address()],
http_auth=('elastic', 'pass'),
use_ssl=True,
verify_certs=True,
port=get_instance_port(),
ca_certs='ca.crt',
client_cert='pvln0047.crt',
client_key='pvln0047.key'
)
我没有提到我需要提及DNS 名称的 IP 地址,我还通过使用上下文对象更改了参数,只是为了遵循原始文档。
context = create_default_context(cafile="ca.crt")
context.load_cert_chain(certfile="pvln0047.crt", keyfile="pvln0047.key")
context.verify_mode = CERT_REQUIRED
Elasticsearch(['dns_name'],
http_auth=('elastic', 'pass'),
scheme="https",
port=get_instance_port(),
ssl_context=context
)
这就是我生成证书的方式:
bin/elasticsearch-certutil cert ca --pem --in /tmp/instance.yml --out /home/user/certs.zip
这是我的实例.yml文件:
instances:
- name: 'dns_name'
dns: [ 'dns_name' ]
希望,它会帮助某人!