Golang如何跳过证书认证连接云搜索服务 - 文章 - 开发者社区

问题描述

使用 go-elasticsearch 连接云搜索服务，报错如下：

cannot validate certificate for 111.xxx.xxx.xxx because it doesn't contain any IP SANs

[access notice] GET | /ccard/get_hot_resource | 127.0.0.1 | 200 | 406ms

问题分析

通过 https 协议访问云搜索服务的时候，证书颁发的 IP SANS 中并没有包含云搜索服务对外暴露的 I P地址

解决方案

通过跳过证书认证，使用 https 协议连接与云搜索服务通信。具体示例代码如下：

编写 go.mod 文件导入 go-elasticsearch 依赖包。

[root@iv-a8j78jje1ylrx9p4t93t my-elasticsearch-app]# cat go.mod
module my-elasticsearch-app
go 1.16
require github.com/elastic/go-elasticsearch/v7 v7.16.0

编写 main.go 文件实现连接测试连接。

package main

import (
   "crypto/tls"

   "crypto/x509"

   "flag"

   "fmt"

   "github.com/elastic/go-elasticsearch/v7"

   "io/ioutil"

   "log"

   "net"

   "net/http"

   "time"
)

func main() {

   var err error

   //insecure := flag.Bool("insecure-ssl", false, "Accept/Ignore all server SSL certificates")

   flag.Parse()

   // Get the SystemCertPool, continue with an empty pool on error

   rootCAs, _ := x509.SystemCertPool()

   if rootCAs == nil {

      rootCAs = x509.NewCertPool()

   }

   certs, err := ioutil.ReadFile("/etc/logstash/es_ca.cer") // /etc/logstash/es_ca.cer为服务页面中下载的ca文件

   if err != nil {

      log.Fatalf("Failed to append %q to RootCAs: %v", certs, err)

   }

   if ok := rootCAs.AppendCertsFromPEM(certs); !ok {

      log.Println("No certs appended, using system certs only")

   }

   cfg := elasticsearch.Config{

      Addresses: []string{

         "https://100.xxx.xxx.xxx:9200", //地址为云搜索服务访问的内网或者外网地址

      },

      Username: "admin",

      Password: " 密码",

      Transport: &http.Transport{

         MaxIdleConnsPerHost: 10,

         ResponseHeaderTimeout: time.Second,

         DialContext: (&net.Dialer{

            Timeout: 30 * time.Second,

            KeepAlive: 30 * time.Second,
         }).DialContext,

         TLSClientConfig: &tls.Config{

            InsecureSkipVerify: true, //跳过证书认证

            RootCAs: rootCAs,
         },
      },
   }

   client, err := elasticsearch.NewClient(cfg)

   if err != nil {

      log.Fatal(err)

   }

   fmt.Println(client.Info())

}

查看输出结果如下：

[root@iv-a8j78jje1ylrx9p4t93t my-elasticsearch-app]# go run main.go
[200 OK] {
  "name" : "es-master-s6avp377dc08jgct-2",
  "cluster_name" : "s6avp377dc08jgct",
  "cluster_uuid" : "Zsa3tv2LSU-jIwJrXMidGA",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
 <nil>

参考文档

[1] https://github.com/elastic/go-elasticsearch 如果您有其他问题，欢迎您联系火山引擎技术支持服务