配置ElasticSearch SSL和Python查询，证书问题

7gyucuyw 于 2023-03-28 发布在 Python

关注(0)|答案(1)|浏览(204)

我的ElasticSearch示例有来自GoDaddy的证书。我正在尝试设置它，下面我有SSL的配置。我可以通过浏览器轻松点击这个，一切都很好。如果我使用Python ElasticSearch包，那么我开始收到SSL错误，它“无法获得本地颁发者证书”。
我这样创建ElasticSearch连接对象：

import elasticsearch as es
obj = es.Elasticsearch('https://elasticsearch.foo.com:9200', http_auth=('elastic', 'password'))

除非我在函数调用中包含ca_certs='certs/gd_bundle-g2-g1.crt'，否则它会抛出一个错误。这些是来自GoDaddy的中间证书和根证书。在我看来，我必须在代码中包含对客户端这些证书的引用是非常错误的。这是正确的吗？难道xpack.security.http.ssl.certificate_authorities不应该覆盖这一点，也许会神奇地发送它们吗？

elasticsearch.yml

xpack.security.http.ssl.verification_mode: full
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.foo.key
    xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.foo.crt
    xpack.security.http.ssl.certificate_authorities: ["/usr/share/elasticsearch/config/gd_bundle-g2-g1.crt"]

    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch.foo.key
    xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.foo.crt
    xpack.security.transport.ssl.certificate_authorities: ["/usr/share/elasticsearch/config/gd_bundle-g2-g1.crt"]

没有ca_certs

>>> obj = es.Elasticsearch('https://elasticsearch.foo.com:9200', verify_certs=True, http_auth=('username', 'password'))
>>> obj.ping()

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/elastic_transport/_transport.py", line 329, in perform_request
    meta, raw_data = node.perform_request(
  File "/usr/local/lib/python3.8/site-packages/elastic_transport/_node/_http_urllib3.py", line 199, in perform_request
    raise err from None
elastic_transport.TlsError: TLS error caused by: SSLError([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125))
INFO

使用ca_certs

>>> obj = es.Elasticsearch('https://elasticsearch.foo.com:9200', verify_certs=True, http_auth=('username', 'password'), ca_certs='certs/gd_bundle-g2-g1.crt')
>>> obj.ping()

INFO:elastic_transport.transport:HEAD https://elasticsearch.foo.com:9200/ [status:200 duration:0.159s]
True

python

来源：https://stackoverflow.com/questions/75851481/configuring-elasticsearch-ssl-and-python-querying-certificates-question