Could not generate DH keypair


Peng Wu

Aug 22, 2017, 7:39:27 AM8/22/17
to Search Guard Community Forum
```
# Write events to a separate audit index in the same cluster, <debug|internal_elasticsearch|external_elasticsearch|webhook>
searchguard.audit.type: internal_elasticsearch
# searchguard.audit.type: debug

# Search Guard uses the Elasticsearch REST API to send the tracked events

# Use the following settings to control SSL/TLS
searchguard.audit.config.enable_ssl: false
# Whether to use SSL/TLS. Set this to true if SSL/TLS is enabled on the REST layer of the receiving cluster. Default is false.
searchguard.audit.config.verify_hostnames: false
# Whether to verify the hostname of the receiving cluster's SSL/TLS certificate. Default is true.
searchguard.audit.config.enable_ssl_client_auth: true

# If HTTP Basic auth is enabled on the receiving cluster, use these settings to specify the username and password the audit log module should use
searchguard.audit.config.username: admin
searchguard.audit.config.password: admin

##### Admin account configuration
searchguard.authcz.admin_dn:
- "CN=admin, OU=client, O=Nn, L=Hz, C=DE"

# Enable or disable node-to-node ssl encryption (default: true)

# `OPTIONAL` or `REQUIRED`
# searchguard.ssl.http.clientauth_mode: REQUIRED

### only HTTP basic auth is used, SSL is not enforced
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_type: JKS
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.keystore_password: asdfasdf
searchguard.ssl.http.truststore_type: JKS
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: asdfasdf
searchguard.ssl.http.enable_openssl_if_available: true
searchguard.ssl.http.enabled_protocols:
  - "TLSv1"
  - "TLSv1.1"
  - "TLSv1.2"

### whichever node-* keystore was deployed to this node, that is the one to put here
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_type: JKS
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: asdfasdf
searchguard.ssl.transport.truststore_type: JKS
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: asdfasdf
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.enable_openssl_if_available: true
searchguard.ssl.transport.enabled_protocols:
  - "TLSv1"
  - "TLSv1.1"
  - "TLSv1.2"

[19:31:45,701][WARN ] org.elasticsearch.com.floragunn.searchguard.ssl.util.SSLCertificateHelper - Certificate chain for alias admin contains a root certificate

[19:31:46,283][WARN ] org.elasticsearch.com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - [Lifeguard] exception caught on transport layer [[id: 0x13310487, /192.168.254.236:53623 => node-3.nuonuo.com/192.168.254.239:6300]], closing connection
java.lang.RuntimeException: Could not generate DH keypair
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1476)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1219)
    at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
    at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
    at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
    at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
    at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: Could not generate DH keypair
    at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:142)
    at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:114)
    at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:711)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:268)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
    at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1393)
    at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1256)
    ... 18 more
Caused by: java.security.NoSuchAlgorithmException: DiffieHellman KeyPairGenerator not available
    at java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:218)
    at sun.security.ssl.JsseJce.getKeyPairGenerator(JsseJce.java:260)
    at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:126)
    ... 28 more

[19:31:46,284][WARN ] org.elasticsearch.com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - [Lifeguard] exception caught on transport layer [[id: 0x19eb6f17, /192.168.254.236:55627 => node-2.nuonuo.com/192.168.254.238:6300]], closing connection
java.lang.RuntimeException: Could not generate DH keypair
    (stack trace identical to the one above)

[19:31:46,284][WARN ] org.elasticsearch.com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - [Lifeguard] exception caught on transport layer [[id: 0x535fc958, /192.168.254.236:40431 => node-0.nuonuo.com/192.168.254.236:6300]], closing connection
java.lang.RuntimeException: Could not generate DH keypair
    (stack trace identical to the one above)

[19:31:46,283][WARN ] org.elasticsearch.com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - [Lifeguard] exception caught on transport layer [[id: 0xab34b088, /192.168.254.236:45461 => node-1.nuonuo.com/192.168.254.237:6300]], closing connection
java.lang.RuntimeException: Could not generate DH keypair
    (stack trace identical to the one above)

Exception in thread "main" NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{node-0.nuonuo.com}{192.168.254.236:6300}, {#transport#-2}{node-1.nuonuo.com}{192.168.254.237:6300}, {#transport#-3}{node-2.nuonuo.com}{192.168.254.238:6300}, {#transport#-4}{node-3.nuonuo.com}{192.168.254.239:6300}]]
    at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:326)
    at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:223)
    at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)
    at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:295)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
    at org.elasticsearch.action.ActionRequestBuilder.execute(ActionRequestBuilder.java:86)
    at org.elasticsearch.action.ActionRequestBuilder.execute(ActionRequestBuilder.java:56)
    at Sg.main(Sg.java:58)

```
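
The trace above fails on the client side of the transport handshake (`ClientHandshaker.serverKeyExchange` building a `DHCrypt`), and the root cause is `NoSuchAlgorithmException: DiffieHellman KeyPairGenerator not available`: the JVM running `Sg.main` cannot find any registered security provider that implements Diffie-Hellman, which in a JDK 8 install is normally supplied by `SunJCE`. That points at the client's JDK rather than at the Search Guard settings. The following diagnostic is an added example, not code from the thread or from the Search Guard project; the class name `DhCheck` is my own. Compile and run it with exactly the JDK that runs the transport client (`javac DhCheck.java && java DhCheck`).

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added diagnostic (not part of the original post): can this JVM do the DHE key
 * exchange that the failing transport handshake needs?
 */
public class DhCheck {

    /** Returns null when a DiffieHellman KeyPairGenerator works, otherwise the reason it does not. */
    static String dhProblem() {
        try {
            // Same lookup JSSE performs inside DHCrypt.<init> during the handshake.
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
            kpg.initialize(2048);      // a DHE group size a current server would send
            kpg.generateKeyPair();
            return null;
        } catch (NoSuchAlgorithmException e) {
            return "DiffieHellman KeyPairGenerator not available: " + e.getMessage();
        } catch (RuntimeException e) {
            return "DH keypair generation failed: " + e;
        }
    }

    /** True when the SunJCE provider (the usual DH supplier on JDK 8) is registered. */
    static boolean sunJceRegistered() {
        for (Provider p : Security.getProviders()) {
            if ("SunJCE".equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        // The provider order comes from jre/lib/security/java.security; a missing or
        // commented-out SunJCE entry, or a missing jre/lib/ext/sunjce_provider.jar,
        // produces exactly the NoSuchAlgorithmException in the trace.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " " + p.getVersion());
        }
        System.out.println("SunJCE registered: " + sunJceRegistered());

        String problem = dhProblem();
        System.out.println(problem == null ? "DiffieHellman keypair: OK" : problem);

        // What the client would negotiate: if the only suites it shares with the
        // server are DHE_* and DH is broken, every handshake dies in serverKeyExchange.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        String[] suites = engine.getEnabledCipherSuites();
        long dhe = Arrays.stream(suites).filter(s -> s.contains("_DHE_")).count();
        long ecdhe = Arrays.stream(suites).filter(s -> s.contains("_ECDHE_")).count();
        System.out.println("enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("enabled DHE suites: " + dhe + ", ECDHE suites: " + ecdhe);
    }
}
```

If `SunJCE registered` prints false, or the DH check fails while the provider list looks normal, the JDK installation is damaged or has a hand-edited `java.security`, and replacing the JDK (as the reply below suggests) is the right fix; check `grep security.provider "$JAVA_HOME/jre/lib/security/java.security"` against a fresh install of the same version. Separately from this error, the posted configuration enables `TLSv1` and `TLSv1.1` on both layers and turns hostname verification off (`verify_hostnames: false`, `enforce_hostname_verification: false`); neither causes the DH failure, but both weaken the node-to-node channel and are worth tightening once the cluster is up.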

Peng Wu

Aug 22, 2017, 10:34:01 AM8/22/17
to Search Guard Community Forum
Using JDK 1.8, OpenSSL 1.0.2l, ES 2.4.6.

SG

Aug 22, 2017, 4:40:15 PM8/22/17
to search...@googlegroups.com
Please install the latest Oracle JDK 8u144 (http://www.oracle.com/technetwork/java/javase/downloads/index.html) and see if that works.