cerebro
How does cerebro support connecting to ES using HTTPS?
My ES cluster has TLS enabled, and I can connect to ES with the right user name through the head plugin.
But when I use cerebro (v0.9.1), log in to the web UI, enter the Node Address and click the Connect button, the following is the cerebro console's output. How does cerebro support TLS/HTTPS?
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1439)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:814)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at com.mycompany.main(ClientCustomSSL.java:101)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1421)
    ... 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 26 more
Hi,
I have the same problem, but I am using cerebro with Docker. Does anyone have an idea how to set up HTTPS with cerebro?
Thanks
A good solution is haproxy: haproxy -> cerebro.
You will need to add the Elasticsearch certificates (from each node, or the CA used to generate said certificates) to the Play-WS default certificate trust store (${java.home}/lib/security/cacerts).
You can also explicitly configure one or more truststore(s) which contain the certificate(s):
play.ws.ssl {
  trustManager = {
    stores = [
      {
        type = "JKS",
        path = "/path/to/truststore",
        password = "truststore_password"
      }
    ]
  }
}
For those of us who are Java illiterate, can you help explain how to get to the cacerts file? When I try, it appears to be a binary file.
Thank you
I did the following:
- In the application.conf (with the rpm, at /etc/cerebro), add the following to the end:
play.ws.ssl {
  trustManager = {
    stores = [
      { type = "PEM", path = "/etc/cerebro/elastic-stack-ca.pem" }
    ]
  }
}
play.ws.ssl.loose.acceptAnyCertificate=true
- The pem file is the CA cert in PEM format. You can probably also use the CA p12 file used to set up ES security, but then change the 'type = "PEM"' part to 'type = "pkcs12"'.
And (re)start Cerebro.
Did it work @happyapple668 ?
Thanks for all the responses; it would be good to have some documentation about this in the README, if anyone wants to add it :)
Not only for cerebro, but for Java/JVM SSL/HTTPS in general:
- 1 trust esnode.pem
keytool -importcert -trustcacerts -alias esnode.pem -file /root/esnode.pem -keystore $JAVA_HOME/lib/security/cacerts
root@5adf82daddf1:/opt/cerebro# keytool -importcert -trustcacerts -alias esnode.pem -file /root/esnode.pem -keystore /usr/local/openjdk-11/lib/security/cacerts
Warning: use -cacerts option to access cacerts keystore
Enter keystore password:
Owner: CN=node-0.example.com, OU=node, O=node, L=test, DC=de
Issuer: CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
Serial number: 162eb7353b6
Valid from: Sun Apr 22 03:43:47 UTC 2018 until: Wed Apr 19 03:43:47 UTC 2028
Certificate fingerprints:
SHA1: 70:DF:BD:E3:0D:A6:95:7E:3E:51:EC:86:CC:E7:28:8B:D1:26:CA:64
SHA256: 1D:9B:18:7B:27:9B:0D:38:21:76:5E:E0:77:89:0B:8B:48:50:24:E8:5D:76:4D:1B:4A:82:31:9C:FE:56:8A:90
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 92 35 0C E0 0F 1E 2B 45 F6 4D 39 F3 7B 5F A2 E6 .5....+E.M9.._..
0010: 12 97 40 73 ..@s
]
[CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com]
SerialNumber: [ 01]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
serverAuth
clientAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
OIDName: 1.2.3.4.5.5
DNSName: node-0.example.com
DNSName: localhost
IPAddress: 127.0.0.1
]
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AC AF EF C6 66 16 35 4A 33 D8 3B A4 C0 A8 9D 81 ....f.5J3.;.....
0010: FB 15 50 47 ..PG
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
esnode.pem in my case is in /usr/share/elasticsearch/config/:
ls /usr/share/elasticsearch/config/
elasticsearch.keystore elasticsearch.yml esnode-key.pem esnode.pem jvm.options jvm.options.d kirk-key.pem kirk.pem log4j2.properties opendistro-reports-scheduler root-ca.pem
- 2 add host
echo '172.17.0.4 node-0.example.com' >> /etc/hosts
The hostname is in esnode.pem:
Owner: CN=node-0.example.com, OU=node, O=node, L=test, DC=de
- 3 restart cerebro
- 4 add https
monitor https://node-0.example.com:9200 in cerebro
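The two conditions in the steps above (the CA that signed the node certificate is in the trust store, and the hostname cerebro dials appears in the certificate's SAN) are exactly what the JVM trust manager checks, and each one failing produces its own error. The following is an added example, not code from the cerebro project or from anyone in this thread: it builds a constructed throw-away CA and node certificate with openssl, and `verify_node` is a hypothetical helper (not a cerebro function) that mirrors the trust manager's decision for the three cases: CA untrusted, CA trusted with a matching name, and CA trusted with a name missing from the SAN.

```shell
#!/bin/sh
# Added example, not part of cerebro or this thread: reproduce the PKIX failure
# offline with a constructed CA and node certificate, then show which trust
# store + hostname combinations a verifier accepts.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a throw-away CA and a node certificate whose SAN matches the thread's
# node name (node-0.example.com, localhost, 127.0.0.1). Constructed test data only.
make_test_pki() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=node-0.example.com" -keyout "$WORK/node.key" -out "$WORK/node.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:node-0.example.com,DNS:localhost,IP:127.0.0.1\n' \
    > "$WORK/san.cnf"
  openssl x509 -req -days 1 -in "$WORK/node.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/san.cnf" -out "$WORK/node.pem" 2>/dev/null
}

# verify_node TRUST HOST: hypothetical helper mirroring the JVM trust manager's
# decision. TRUST is a PEM trust store or "none" (nothing trusted, as with a
# cacerts that lacks the ES CA); HOST is the name in the URL cerebro dials.
# Exit status 0 = handshake would succeed, non-zero = PKIX or hostname failure.
verify_node() {
  if [ "$1" = none ]; then trust="-no-CAfile -no-CApath"; else trust="-CAfile $1"; fi
  # $trust is intentionally unquoted so its two words split into options.
  openssl verify $trust -verify_hostname "$2" "$WORK/node.pem" >/dev/null 2>&1
}

report() {
  if verify_node "$1" "$2"; then echo "trust=$1 host=$2 -> OK"; else echo "trust=$1 host=$2 -> FAIL"; fi
}

make_test_pki
report none node-0.example.com           # CA not trusted: the thread's PKIX error
report "$WORK/ca.pem" node-0.example.com # CA trusted, name matches SAN: works
report "$WORK/ca.pem" 172.17.0.4         # CA trusted, but the IP is not in the SAN
```

The third case is why the /etc/hosts entry above is needed: the node's SAN lists node-0.example.com, so the URL must use that name rather than the container IP.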
# Secret will be used to sign session cookies, CSRF tokens and for other encryption utilities.
# It is highly recommended to change this value before running cerebro in production.
secret = "ki:s:[[@=Ag?QI`W2jMwkY:eqvrJ]JqoJyi2axj3ZvOv^/KavOT4ViJSv?6YY4[N"

# Application base path
basePath = "/"

# Defaults to RUNNING_PID at the root directory of the app.
# To avoid creating a PID file set this value to /dev/null
#pidfile.path = "/var/run/cerebro.pid"
pidfile.path=/dev/null

# Rest request history max size per user
rest.history.size = 50 // defaults to 50 if not specified

# Path of local database file
#data.path: "/var/lib/cerebro/cerebro.db"
data.path = "./cerebro.db"

play {
  # Cerebro port, by default it's 9000 (play's default)
  server.http.port = ${?CEREBRO_PORT}
  ws.ssl.loose.acceptAnyCertificate = true
}

es = {
  gzip = true
}

# Authentication
auth = {
  # either basic or ldap
  type: ${?AUTH_TYPE}
  settings {
    # LDAP
    url = ${?LDAP_URL}
    # OpenLDAP might be something like "ou=People,dc=domain,dc=com"
    base-dn = ${?LDAP_BASE_DN}
    # Usually method should be "simple" otherwise, set it to the SASL mechanisms to try
    method = ${?LDAP_METHOD}
    # user-template executes a string.format() operation where
    # username is passed in first, followed by base-dn. Some examples
    # - %s => leave user untouched
    # - %s@domain.com => append "@domain.com" to username
    # - uid=%s,%s => usual case of OpenLDAP
    user-template = ${?LDAP_USER_TEMPLATE}
    // User identifier that can perform searches
    bind-dn = ${?LDAP_BIND_DN}
    bind-pw = ${?LDAP_BIND_PWD}
    group-search {
      // If left unset parent's base-dn will be used
      base-dn = ${?LDAP_GROUP_BASE_DN}
      // Attribute that represent the user, for example uid or mail
      user-attr = ${?LDAP_USER_ATTR}
      // Define a separate template for user-attr
      // If left unset parent's user-template will be used
      user-attr-template = ${?LDAP_USER_ATTR_TEMPLATE}
      // Filter that tests membership of the group. If this property is empty then there is no group membership check
      // AD example => memberOf=CN=mygroup,ou=ouofthegroup,DC=domain,DC=com
      // OpenLDAP example => CN=mygroup
      group = ${?LDAP_GROUP}
    }
    # Basic auth
    username = ${?BASIC_AUTH_USER}
    password = ${?BASIC_AUTH_PWD}
  }
}

# A list of known hosts
hosts = [
  #{
  #  host = "http://localhost:9200"
  #  name = "Localhost cluster"
  #  headers-whitelist = [ "x-proxy-user", "x-proxy-roles", "X-Forwarded-For" ]
  #}
  # Example of host with authentication
  {
    host = "https://es01:9200"
    name = "es-docker-cluster"
    auth = {
      username = "elastic"
      password = "fakepwd"
    }
  }
]
This is my config: https://github.com/lmenezes/cerebro/issues/473#issuecomment-1190027252, maybe it is what you need.