在 elastic 和 logstash 7.1.0 中启用 TLS/SSL

Question

我正在尝试将 logstash 连接到具有 TLS/SSL 的 elasticsearch-7.1.0 使用基本许可证启用。但是每次logstash绑定连接时 到弹性，“http客户端不信任此服务器的证书， 关闭连接Netty4HttpChannel”弹性抛出警告。

我已经使用 certutil 和 certgen 生成了证书，但我认为这两个证书都没有受信任的作者。如何生成一个 具有受信任作者的证书？ 或者可能是在基本许可证版本 elasticsearch-7.1.0 中我们可以将 TLS/SSL 用于 logstash 的场景？

My elasticsearch.yml 
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.key: path/to/the/key/ca.key
xpack.security.transport.ssl.certificate: path/to/the/cert/ca.crt
xpack.security.transport.ssl.certificate_authorities: [ 
"path/to/the/cert/ca.crt" ]

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificate 
xpack.security.http.ssl.truststore.path: certs/elastic-certificate
xpack.security.http.ssl.verification_mode: certificate
My logstash.yml
xpack.monitoring.enabled: false
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: changeit
xpack.monitoring.elasticsearch.hosts: ["https://localhost:9200"]

xpack.monitoring.elasticsearch.ssl.truststore.path:certs/elastic- 
certificate
xpack.monitoring.elasticsearch.ssl.truststore.password: password
xpack.monitoring.elasticsearch.ssl.keystore.path:certs/elastic- 
certificate
xpack.monitoring.elasticsearch.ssl.keystore.password: password
xpack.monitoring.elasticsearch.ssl.verification_mode: certificate

我收到的警告是——“http 客户端不信任此服务器的证书，正在关闭连接 Netty4HttpChannel”

Answer 1

尝试将ssl_certificate_verification => false 或CA 证书cacert => '/etc/elasticsearch/ca/key.pem' 的路径添加到logstash 配置中：

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    ssl => true

    ssl_certificate_verification => false
    #or
    cacert => '/etc/elasticsearch/ca/key.pem'
    }
}