Elasticsearch 7.14: configuring SSL and accessing it over HTTPS


1. Generate certificates

Note: the certificates must be generated as the es user.

#1. Generate the elastic-stack-ca.p12 file

$ ./bin/elasticsearch-certutil ca

#2. Generate elastic-certificates.p12, used by Elasticsearch

$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

#3. Generate newfile.crt.pem, used by Kibana and Filebeat; copy it into each one's config directory

$ openssl pkcs12 -in elastic-stack-ca.p12 -out newfile.crt.pem -clcerts -nokeys

#4. Generate certificate-bundle.zip, which contains ca/ca.crt, instance/instance.crt and instance/instance.key

$ ./bin/elasticsearch-certutil cert --pem elastic-stack-ca.p12

Files contained in certificate-bundle.zip:

Archive:  certificate-bundle.zip
   creating: ca/
  inflating: ca/ca.crt
   creating: instance/
  inflating: instance/instance.crt
  inflating: instance/instance.key

Example run of the certificate generation (step 1, generating elastic-stack-ca.p12; shown as a screenshot in the original).

2. The elasticsearch.yml configuration file

If only HTTP SSL is needed, configure only the http.ssl settings.

cluster.initial_master_nodes: ["node-1"]
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /home/es/elasticsearch714/config/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /home/es/elasticsearch714/config/elastic-certificates.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /home/es/elasticsearch714/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /home/es/elasticsearch714/config/elastic-certificates.p12

(The space after the colon in the path settings is required: YAML only treats `key: value` as a setting; `key:/path` is read as a single bare string and the setting is not applied.)

3. Accessing Elasticsearch from the browser over HTTPS

4. Configuring Kibana to connect to ES over HTTPS

4.1. Copy newfile.crt.pem into the kibana/config directory

$ cp newfile.crt.pem /home/kibana/
$ chown -R kibana:kibana newfile.crt.pem

4.2. Configure kibana.yml, then restart Kibana

elasticsearch.hosts: ["https://10.1.1.197:9200"]
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: ["/home/kibana/kibana-7.14.0/config/newfile.crt.pem"]
#elasticsearch.preserveHost: true
elasticsearch.username: "elastic"
elasticsearch.password: "lianshi2020"

Note that `verificationMode: none` turns off validation of the ES certificate entirely, so the certificateAuthorities entry is not actually used for checking; with the CA file in place, `certificate` validates the chain against it (`full` additionally checks the hostname against the names in the certificate).

4.3. Open Kibana in the browser; it connects to ES correctly

Reference:

https://www.freesion.com/article/57101027353/

The following problems came up during configuration:

Problem 1:

Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]

Caused by: java.io.IOException: keystore password was incorrect

Solution:

1. Be sure to generate the certificates as the es user.

2. Re-run the certificate generation and leave the password for elastic-certificates.p12 empty.

$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12   (when asked to set a password during generation, leave it empty)

Alternatively, if a password was set, the following steps are needed.

Add the password (the 123456 used in the note below) for xpack.security.transport on each Elasticsearch node:

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

Note:

Using the certificate generator bundled with ES

1. Generate the CA certificate:

./bin/elasticsearch-certutil ca

It prompts for an output path and a password; the path can be left blank (just press Enter). We assume the password is 123456.

When it finishes, one file is produced: elastic-stack-ca.p12

2. Generate the node certificate and key

bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

When it asks for the password set just now, enter it; where it asks for a path, just press Enter without typing anything. This produces one file: elastic-certificates.p12

This is the credential the ES nodes use to communicate with each other.

Note that one credential per ES cluster is enough; the other nodes do not need to generate their own.

3. Edit the ES configuration file

# Enable security
xpack.security.enabled: true
# Enable TLS on inter-node (transport) communication
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
# Use the elastic-certificates.p12 produced in step 2 (the node certificate and key), not the CA file
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

4. On each Elasticsearch node, add the password (the 123456 from above) for xpack.security.transport:

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
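A small lint, added here as an example (not part of the original post and not Elastic tooling), that parses flat `key: value` lines without PyYAML from a constructed config mixing this page's kibana.yml and elasticsearch.yml settings, and flags the weak spots the page runs into: a missing space after the colon, `verificationMode: none`, a plaintext password, and a node keystore pointing at the CA .p12. The sample config, the regexes and the function names are assumptions of this example.

```python
import re

# Constructed sample: settings from this page's kibana.yml and elasticsearch.yml,
# weak ones included (not a real deployment's config).
SAMPLE_CONFIG = """\
elasticsearch.hosts: ["https://10.1.1.197:9200"]
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: ["/home/kibana/kibana-7.14.0/config/newfile.crt.pem"]
elasticsearch.password: "lianshi2020"
xpack.security.http.ssl.keystore.path:/home/es/elasticsearch714/config/elastic-certificates.p12
xpack.security.transport.ssl.keystore.path: elastic-stack-ca.p12
xpack.security.transport.ssl.truststore.path: elastic-stack-ca.p12
"""

KEY_VALUE = re.compile(r"^\s*([\w.]+):\s+(.*?)\s*$")   # proper "key: value"
NO_SPACE = re.compile(r"^\s*([\w.]+):(\S.*)$")         # "key:/path" is one bare scalar to YAML

def parse_flat_yaml(text):
    """Collect 'key: value' settings; report lines whose ':' lacks the trailing space."""
    settings, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_VALUE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
            continue
        m = NO_SPACE.match(line)
        if m:
            findings.append((m.group(1), f"line {n}: no space after ':', so YAML reads "
                                         "the line as a bare string and the setting is not applied"))
    return settings, findings

def lint_tls(text):
    """Return (key, message) findings for the weak TLS settings seen on this page."""
    settings, findings = parse_flat_yaml(text)
    if settings.get("elasticsearch.ssl.verificationMode", "full") == "none":
        findings.append(("elasticsearch.ssl.verificationMode",
                         "none: the ES certificate is never validated, so certificateAuthorities "
                         "has no effect; use 'certificate' (chain only) or 'full' (chain + hostname)"))
    if "elasticsearch.password" in settings:
        findings.append(("elasticsearch.password",
                         "plaintext in kibana.yml; store it with 'kibana-keystore add' instead"))
    for key, value in settings.items():
        # The node keystore must hold the node cert and key (elastic-certificates.p12), not the CA
        if key.endswith("ssl.keystore.path") and value.endswith("elastic-stack-ca.p12"):
            findings.append((key, "points at the CA keystore; the node keystore is the "
                                  "elastic-certificates.p12 produced by 'certutil cert --ca'"))
    return findings
```

Run `lint_tls(SAMPLE_CONFIG)` to get the four findings for the sample; a truststore pointing at the CA .p12 is deliberately not flagged, since a truststore holding only the CA is a valid setup.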
