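- AKS: 1.20.7
- Elasticsearch: 7.12.0
- Client: openssl

Problem description

- The cluster fails to come up when the PEM files are downloaded from the cloud and mounted at /usr/share/elasticsearch/config/certs without a custom Elasticsearch image
- It works with a custom Elasticsearch image and PEM files copied to /usr/share/elasticsearch/config/certs during the image build
- The PEM files are downloaded from KeyVault using the CSI driver

PEM files downloaded from the cloud provider (error case)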
[elasticsearch@test-rp-search-master-0 ~]$ openssl s_client -connect 127.0.0.1:9200
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = US, O = Self Signed, CN = test-rp-search-data
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = US, O = Self Signed, CN = test-rp-search-data
verify error:num=21:unable to verify the first certificate
verify return:1
140680078673728:error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid:crypto/rsa/rsa_pss.c:88:
140680078673728:error:1417B07B:SSL routines:tls_process_cert_verify:bad signature:ssl/statem/statem_lib.c:505:
---
Certificate chain
0 s:C = US, ST = US, O = Self Signed, CN = test-rp-search-data
i:C = US, ST = US, O = Self Signed, CN = Research Platform Issuing CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEzDCCArSgAwIBAgIUIQThqQtH1QPR3YocBxLrrj+RQ9owDQYJKoZIhvcNAQEL
BQAwVzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlVTMRQwEgYDVQQKDAtTZWxmIFNp

PEM files from the custom Elasticsearch image (working case)
[elasticsearch@test-rp-search-master-0 ~]$ openssl s_client -connect 127.0.0.1:9200
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = US, O = Self Signed, CN = test-rp-search-data
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = US, O = Self Signed, CN = test-rp-search-data
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:C = US, ST = US, O = Self Signed, CN = test-rp-search-data
i:C = US, ST = US, O = Self Signed, CN = Research Platform Issuing CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEzDCCArSgAwIBAgIUIQThqQtH1QPR3YocBxLrrj+RQ9YwDQYJKoZIhvcNAQEL
BQAwVzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlVTMRQwEgYDVQQKDAtTZWxmIFNp
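
The `tls_process_cert_verify:bad signature` error in the failing case is what a TLS client reports when the server's handshake signature does not validate against the public key in the certificate it presented, so a first check on the mounted files is whether the certificate and the private key are actually a pair. The script below is an added example, not part of the original post; the function names are hypothetical and the file paths are whatever the caller passes in.

```shell
#!/bin/sh
# Added example: verify that a PEM certificate and a PEM private key belong together
# by comparing the public key in the certificate with the one derived from the key.

# Print the certificate's public key as normalised PEM (SubjectPublicKeyInfo).
cert_pubkey() (
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    printf '%s\n' "$pem" | openssl pkey -pubin 2>/dev/null
)

# Print the public key derived from the private key, in the same PEM form.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Returns 0 if cert and key match, 1 if they do not, 2 if either file cannot be parsed.
check_pair() (
    from_cert=$(cert_pubkey "$1") || exit 2
    from_key=$(key_pubkey "$2") || exit 2
    [ "$from_cert" = "$from_key" ]
)

# Command-line use: ./check_pair.sh <cert.pem> <key.pem>
if [ "$#" -eq 2 ]; then
    rc=0
    check_pair "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "OK: private key matches certificate" ;;
        1) echo "MISMATCH: certificate and private key are not a pair" ;;
        *) echo "ERROR: could not parse certificate or key" ;;
    esac
fi
```

Running it inside the pod against the files under the certs directory, once for the mounted files and once for the files baked into the image, shows whether the two sources deliver the same key material.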