日常记录：es TransportClient添加证书处理

背景

最近在搞es登录，不知道是不是低版本问题（6.8.12），开启登录之后springboot连接es，es一直报Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 45530000002c000000000000009108004d3603000016696e7465726e616c3a7463702f68616e647368616b650004bb91f302。

最新排查情况，es开启登录，没有springboot应用连接的话，es是没有没有报错的，结合异常信息9300、SSL/TLS协议，猜想是客户端连接没有设置证书，最后一番设置之后证实是连接没有设置证书问题。

另外，查询资料TransportClient 高版本是废弃的，但是6.8.12不高也不低，好像也没废弃，所以还是得对TransportClient 设置证书。

一、es elasticsearch.yml配置文件关于登录最新配置

#开启安全验证

xpack.security.enabled: true

#transport 开启ssl

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: certificate

#证书，自己生成吧，es自带工具能生成

xpack.security.transport.ssl.keystore.path: certs/elastic-stack-ca.p12

修改后重启es服务

二、springboot 关于es连接最新配置

maven spring-boot-starter-data-elasticsearch排除x-pack-transport模块，额外引入x-pack-transport6.8.12（版本按实际需求），这样引入才会有PreBuiltXPackTransportClient类，支持xpack相关配置属性。

...

<dependency>

<groupId>org.elasticsearch.client</groupId>

<artifactId>x-pack-transport</artifactId>

<version>6.8.12</version>

</dependency>

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-data-elasticsearch</artifactId>

<exclusions>

<exclusion>

<groupId>org.elasticsearch.client</groupId>

<artifactId>x-pack-transport</artifactId>

</exclusion>

</exclusions>

</dependency>

...

yml：enabled控制是否需要配置TransportClient，capath是证书路径文件跟服务器一致就好，username、password稍微移动到ssl（相比之前的文章，当然位置自己随便写）

spring:

data:

elasticsearch:

cluster-name: es

cluster-nodes: xxxx:9300

rest:

uris: http://xxxx:9200

ssl:

enabled: true

username: elastic

password: 123456

capath: /xxxxx/elastic-stack-ca.p12

es 配置类，配置TransportClient对象，由spring.data.elasticsearch.rest.ssl.enabled控制是否需要配置，使用setting配置需要的连接属性

cluster.name:集群名字

xpack.security.user:账号密码

xpack.security.transport.ssl.enabled：开启ssl

xpack.security.transport.ssl.verification_mode：证书模式跟服务配置一致

xpack.security.transport.ssl.keystore.path:证书路径

xpack.security.transport.ssl.keystore.password：证书密码，生成证书时候有输入密码，需要一致

package com.xxxx.configuration;

import java.net.InetAddress;
import java.util.stream.Stream;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.elasticsearch.config.AbstractElasticsearchConfiguration;
import org.springframework.data.elasticsearch.core.ElasticsearchRestTemplate;

/**
 * 
 * 描述：elasticsearch配置
 * @author sakyoka
 * @date 2024年10月11日 下午3:47:19
 */
@Configuration
public class ElasticsearchConfiguration extends AbstractElasticsearchConfiguration {
	
	@Value("${spring.data.elasticsearch.cluster-name}")
	private String clusterName;
	
	@Value("${spring.data.elasticsearch.cluster-nodes}")
	private String clusterNodes;
	
	@Value("${spring.data.elasticsearch.rest.uris}")
	private String uris;
	
	@Value("${spring.data.elasticsearch.rest.ssl.username:}")
	private String username;
	
	@Value("${spring.data.elasticsearch.rest.ssl.password:}")
	private String password;
	
	@Value("${spring.data.elasticsearch.rest.ssl.capath:}")
	private String caPath;

    @Bean
    public ElasticsearchRestTemplate elasticsearchRestTemplate(RestHighLevelClient client) {
        return new ElasticsearchRestTemplate(elasticsearchClient());
    }
	
	@Override
	public RestHighLevelClient elasticsearchClient(){
		System.setProperty("es.set.netty.runtime.available.processors", "false");
		CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
		credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(username, password));
		RestClientBuilder builder = RestClient.builder(HttpHost.create(uris))
				.setHttpClientConfigCallback(http -> {
					return http.setDefaultCredentialsProvider(credentialsProvider);
				});
		return new RestHighLevelClient(builder);
	}
	
	@Bean
	@ConditionalOnProperty(name = "spring.data.elasticsearch.rest.ssl.enabled")
    public TransportClient transportClient() throws Exception {
        Settings settings = Settings.builder()
                .put("cluster.name", clusterName)
                .put("xpack.security.user", username + ":" + password)
                .put("xpack.security.transport.ssl.enabled", true)
                .put("xpack.security.transport.ssl.verification_mode", "certificate")
                .put("xpack.security.transport.ssl.keystore.path", caPath)
                .put("xpack.security.transport.ssl.keystore.password", password)
                .build();

        TransportClient client = new PreBuiltXPackTransportClient(settings);
        Stream.of(clusterNodes.split(",")).forEach(nodeName -> {
        	try {
				client.addTransportAddress(new TransportAddress(
						InetAddress.getByName(nodeName.split(":")[0]), Integer.valueOf(nodeName.split(":")[1])));
			} catch (Exception e) {
				throw new RuntimeException("es 注册节点：" + nodeName, e);
			}
        });
        return client;
    }
}

相关配置配置好之后启动应用，会发现es日志不再报Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:

总结：

万恶的版本，好多类缺失不兼容，搞了好久