0
我通过创建自签名证书来运行带有SSL的Elastic Search
实例。从R通过elastic
包连接时遇到问题。 这是我的进步:使用弹性R包中的自签名证书连接到安全弹性搜索
启用SSL,当我试图连接到弹性搜索实例后,我得到了以下错误:
$ curl -u $USER:$PASS 'https://localhost:9200/_cat/health?v'
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
可以明显看出,这个问题是因为该证书不是被信任。一种方法是将自签名证书添加到信任库,但我不知道它在哪里。其他方法是通过添加-k来跳过证书验证。但我想执行它。 因此,我发现了一个变通办法仅指定了root-ca.pem
如下:
$ curl -u $USER:$PASS 'https://localhost:9200/_cat/health?v' --cacert /home/user/root-ca.pem
epoch timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1479462058 03:40:58 es-cluster yellow 1 1 365 365 0 0 364 0 - 50.1%
然后另一个SO问题帮我创建如下文件~/.curlrc
:
$ cat ~/.curlrc
capath=/home/user/
在那之后,我没有不得不甚至指定证书。
$ curl -u $USER:$PASS 'https://localhost:9200/_cat/health?v'
epoch timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1479462172 03:42:52 es-cluster yellow 1 1 365 365 0 0 364 0 - 50.1%
所有好到现在,但现在当我试图从R
连接到弹性搜索。我收到下面的错误。
> library(elastic)
> connect(es_base = "https://localhost", es_port = 9200, es_user = USER, es_pwd = PASS)
Error:
Failed to connect to https://127.0.0.1:9200
Remember to start Elasticsearch before connecting
的日志报告unknown_ca
错误。 R包可能使用httr/curl来建立连接,但我无法弄清楚如何指定证书。 我参考了解决方案here,但它适用于RCurl
。
请建议。
版本:
- R:3.3.1
- R(弹性封装):0.7.8
- 弹性搜索:2.4.1
- 操作系统:RHEL 6.7
您正在寻找'cainfo' curl选项,我认为您还需要设置'ssl_verifypeer'和'ssl_verifyhost'。在'connect()'之后,传入其他函数,e,.g,'Search(config = list(cainfo =“/home/user/root-ca.pem”,ssl_verifypeer = 0,'ssl_verifyhost = 0)' – sckott
Thanks @sckott。你的建议有帮助。我会发表解答 – Sonny