- A+
1、生成证书
备注:一定要在es用户中生成证书。
#1.生成elastic-stack-ca.p12文件
$./bin/elasticsearch-certutil ca
#2.生成elastic-certificates.p12文件,供elasticsearch使用
$./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
#3.生成newfile.crt.pem文件,供kibana和filebeat使用,复制到各自对应目录下
$openssl pkcs12 -in elastic-stack-ca.p12 -out newfile.crt.pem -clcerts -nokeys
#4.生成certificate-bundle.zip文件,包含ca/ca.crt,instance/instance.crt,instance/instance.key
$./bin/elasticsearch-certutil cert --pem elastic-stack-ca.p12
certificate-bundle.zip包含文件
Archive: certificate-bundle.zip
creating: ca/
inflating: ca/ca.crt
creating: instance/
inflating: instance/instance.crt
inflating: instance/instance.key
生成证书执行示例:
#1.生成elastic-stack-ca.p12文件
2、elasticsearch.yml配置文件
如只需http.ssl,那么只配http.ssl即可。
cluster.initial_master_nodes: ["node-1"]
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path:/home/es/elasticsearch714/config/elastic-certificates.p12
xpack.security.http.ssl.truststore.path:/home/es/elasticsearch714/config/elastic-certificates.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path:/home/es/elasticsearch714/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path:/home/es/elasticsearch714/config/elastic-certificates.p12
3、浏览器通过https访问
4、kibana配置通过https连接ES
3.1、复制newfile.crt.pem到kibana/config目录
$cp newfile.crt.pem /home/kibana/
$chown -R kibana:kibana newfile.crt.pem
3.2、kibana.yml配置文件,并重启kibana
elasticsearch.hosts: ["https://10.1.1.197:9200"]
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: ["/home/kibana/kibana-7.14.0/config/newfile.crt.pem"]
#elasticsearch.preserveHost: true
elasticsearch.username: "elastic"
elasticsearch.password: "lianshi2020"
3.3、浏览器访问kibana,能够正确连接ES
参考:
https://www.freesion.com/article/57101027353/
配置过程中,遇到以下问题:
问题1:
Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
Caused by: java.io.IOException: keystore password was incorrect
Caused by: java.io.IOException: keystore password was incorrect
解决方法:
1、一定在es用户中生成证书
2、重新执行生成证书,并且生成elastic-certificates.p12文件的密码不要写。
$./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 再生成中设置密码不要写。
或者如果配置了密码,那么需要下面步骤
elasticsearch各节点为xpack.security.transport添加密码,上面的123456
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
备注:
利用es自带的生成证书
1. 生成证书:
./bin/elasticsearch-certutil ca
中间会让输入路径跟密码,路径可以不输,直接回车,我们就假定密码就是:123456
完成后会生成一个文件:elastic-stack-ca.p12
2.生成秘钥
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
中间需要输入刚才设置的密码就直接输入就可以了,需要输入路径的地方就直接回车,别输了,然后会生成一个文件:elastic-certificates.p12
这个就是ES的各个节点之间通信的凭证了。
这里说明一下,一个ES集群生成一个凭证就可以了,其他节点不许要生成凭证。
3、修改es配置文件
#启用安全验证
xpack.security.enabled: true
#启用内部通信安全认证
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-stack-ca.p12
xpack.security.transport.ssl.truststore.path: elastic-stack-ca.p124、elasticsearch各节点为xpack.security.transport添加密码,上面的123456
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
- 我的微信
- 这是我的微信扫一扫
- 我的微信公众号
- 我的微信公众号扫一扫