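I have upgraded from 7.x to Elastic 8.x. My Elastic endpoint now has to be reached over https with a username, a password and a TLS certificate.
See the example here.
If I use this approach inside my Kubernetes cluster just to test connectivity, I can curl the Elastic service from my application's container. First, I have to export the TLS certificate and copy it into my container. Then I can curl the service (per the link above):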
    curl --cacert tls.crt -u elastic: https://elasticsearch-cluster-es-http.eck:9200
    {
      "name" : "elasticsearch-cluster-es-default-1",
      "cluster_name" : "elasticsearch-cluster",
      "cluster_uuid" : "YqYl-gTpRd-URcoDhW5t1w",
      "version" : {
        "number" : "8.11.2",
        "build_flavor" : "default",
        "build_type" : "docker",
        "build_hash" : "76013fa76dcbf144c886990c6290715f5dc2ae20",
        "build_date" : "2023-12-05T10:03:47.729926671Z",
        "build_snapshot" : false,
        "lucene_version" : "9.8.0",
        "minimum_wire_compatibility_version" : "7.17.0",
        "minimum_index_compatibility_version" : "7.0.0"
      },
      "tagline" : "You Know, for Search"
    }
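How do I now update my dotnet logger configuration to handle the new https, username:password and TLS certificate requirements? I tried the following without success (I also tried the fingerprint):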
    var elasticOptions = new ElasticsearchSinkOptions(new Uri($"https://{elasticServer}"))
    {
        AutoRegisterTemplate = true,
        IndexDecider = (@event, offset) =>
            string.Format("{0}-{1}-{2:yyyy.MM.dd}", k8sNamespace, appName, offset),
        ModifyConnectionSettings = (settings) =>
        {
            settings.EnableApiVersioningHeader();
            settings.ClientCertificate(new X509Certificate2(crtBytes));
            settings.BasicAuthentication("elastic", "<password>");
            settings.DeadTimeout(TimeSpan.FromSeconds(300));
            return settings;
        }
    };
I see the following error in my application:
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot
dotnet 8, serilog.sinks.elasticsearch: 9.0.3, elasticsearch eck: 8.11.2
I solved this by taking the Elastic CA secret (-es-http-ca-internal) from Kubernetes and adding it to the ca-certificates.crt file in my application's Dockerfile:
# add ca cert
COPY docker/ca-certs/elastic.crt /app/elastic.crt
RUN cat /app/elastic.crt >> /etc/ssl/certs/ca-certificates.crt
The crtBytes above was taken from the public crt secret value (-es-http-certs-public):
byte[] crtBytes = Encoding.ASCII.GetBytes("-----BEGIN CERTIFICATE-----\nMIIEqDCCA5CgA.....");
However, I think I will also take the approach of disabling TLS, so that I don't have to manage these certificates.
https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-tls-certificates.html#k8s-disable-tls
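An alternative to editing the image's ca-certificates.crt or disabling TLS, shown as an added example that is not part of the original post: validate the server certificate against the ECK CA only, inside the application. The helper names ChainsToCa and MakeCa and the certificates are constructed for the demonstration; X509ChainTrustMode.CustomRootTrust needs .NET 5 or later.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

var now = DateTimeOffset.UtcNow;

// Constructed test data: throwaway CAs and a leaf signed by the first one,
// standing in for the ECK CA and the Elasticsearch HTTP certificate.
using var ca = MakeCa("CN=example-eck-ca");
using var otherCa = MakeCa("CN=unrelated-ca");
using var leafKey = RSA.Create(2048);
var leafReq = new CertificateRequest("CN=example-es-http", leafKey,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
using var leaf = leafReq.Create(ca, now.AddHours(-1), now.AddDays(7), new byte[] { 1, 2, 3, 4 });

// The handshake reports chain errors when the CA is not in the system store.
var errors = SslPolicyErrors.RemoteCertificateChainErrors;
Console.WriteLine($"pinned CA:     {ChainsToCa(ca, leaf, errors)}");
Console.WriteLine($"unrelated CA:  {ChainsToCa(otherCa, leaf, errors)}");
Console.WriteLine($"name mismatch: {ChainsToCa(ca, leaf, errors | SslPolicyErrors.RemoteCertificateNameMismatch)}");

// Wiring into the sink (inside ModifyConnectionSettings), with caCert loaded from the CA file:
//   settings.ServerCertificateValidationCallback((_, cert, _, e) => ChainsToCa(caCert, cert, e));

// Accept the server certificate only if it chains to pinnedCa; the system store is ignored.
bool ChainsToCa(X509Certificate2 pinnedCa, X509Certificate serverCert, SslPolicyErrors policyErrors)
{
    // A missing certificate or a host name mismatch is never acceptable.
    if (serverCert is null || (policyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
        return false;
    using var chain = new X509Chain();
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
    chain.ChainPolicy.CustomTrustStore.Add(pinnedCa);
    // Assumption: the private CA publishes no CRL/OCSP endpoint.
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    return chain.Build(new X509Certificate2(serverCert));
}

// Builds a self-signed CA certificate (constructed, for the demonstration only).
X509Certificate2 MakeCa(string subject)
{
    var key = RSA.Create(2048); // kept alive alongside the certificate
    var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
    return req.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));
}
```

The callback replaces the default validation for this client only, so the container's system trust store stays unchanged and the connection remains encrypted and authenticated.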