Certificate generation tool (elasticsearch-certutil)
It supports four modes for generating certificates (csr, cert, ca and http). The CA mode is used as the example below;
the other modes are covered at https://blog.csdn.net/yi_qingjun/article/details/128742669
[root@ip elasticsearch]# bin/elasticsearch-certutil -h
Simplifies certificate creation for use with the Elastic Stack
Commands
--------
csr - generate certificate signing requests
cert - generate X.509 certificates and keys
ca - generate a new local certificate authority
http - generate a new certificate (or certificate request) for the Elasticsearch HTTP interface
Non-option arguments:
command
Option Description
------ -----------
-E <KeyValuePair> Configure a setting
-h, --help Show help
-s, --silent Show minimal output
-v, --verbose Show verbose output
Generate the CA certificate (writes elastic-stack-ca.p12, which holds the CA certificate and its private key; the tool asks for a password to protect it)
[root@ip elasticsearch]# bin/elasticsearch-certutil ca
Generate the node certificate and key as a PKCS#12 file signed by that CA (writes elastic-certificates.p12; the tool asks for the CA password and then for a new password for this file)
[root@ip elasticsearch]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Add the following to elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
##paths are resolved against the config directory by default; copy the file there and make it readable by the elasticsearch user
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
verification_mode supports three settings:
full: verify that the certificate was issued by a trusted CA, and also that the server's hostname or IP address matches a name contained in the certificate
certificate: only verify that the certificate was issued by a trusted CA
none: verify nothing. The connection is still encrypted, but the peer is not authenticated, so this effectively disables the protection TLS is meant to give; use it only in an environment you fully trust
By default the certificates generated by elasticsearch-certutil contain no hostname information. That means one certificate can be used on every node in the cluster, but hostname verification must then be turned off, i.e. verification_mode must be certificate rather than full. To run with full, generate per-node certificates that include the node names and addresses (the --dns and --ip options of the cert mode).
If the PKCS#12 file was given a password, add it to the keystore on every node
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
Enter the password chosen when the p12 file was created (not the CA password mentioned in other articles!), e.g. 123456 in this example
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter the same password again: the same p12 file serves as both keystore and truststore
Restart the ES cluster
Set the built-in user passwords
./bin/elasticsearch-setup-passwords interactive
You will be prompted for a whole series of passwords; record every one of them, they are needed later
Passwords are set for elastic, apm_system, kibana, kibana_system, logstash_system, beats_system and remote_monitoring_user.
Add the Kibana environment variables to the docker-compose service (the URLs are still http:// here because HTTP-layer TLS is only enabled further below; note that the kibana user is deprecated since 7.8 in favour of kibana_system, which is the account Kibana should log in with)
- ELASTICSEARCH_HOSTS=["http://ip:9200","http://ip:19200","http://ip:29200"]
- ELASTICSEARCH_USERNAME="kibana"
- ELASTICSEARCH_PASSWORD="123456"
This completes secure communication inside the ES cluster, i.e. encryption of the transport layer on port 9300
Enable secure communication with the cluster from outside, i.e. encryption of the HTTP layer on port 9200
##add to elasticsearch.yml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
If the PKCS#12 file has a password, add it to the keystore on every node, as before
./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
Enter the password chosen when the p12 file was created (not the CA password mentioned in other articles!), e.g. 123456 in this example
./bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
Enter the same password again: the same p12 file serves as both keystore and truststore
Restart the ES cluster
Elasticsearch must now be accessed over https: the http:// URLs in Kibana's ELASTICSEARCH_HOSTS above have to become https://, and every client needs the CA certificate to verify the connection
Kibana-related configuration
Configure Kibana's connection to ES (extract a PEM copy of the CA certificate for Kibana)
[root@ip config]# openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem
Enter Import Password: (the p12 file's password)
MAC verified OK
-cacerts -nokeys writes only the CA certificate that certutil bundled into elastic-certificates.p12, without the node certificate and without any private key, which is exactly what Kibana needs in order to verify Elasticsearch.
Configure kibana.yml
##the pem file must be readable by the kibana user
elasticsearch.ssl.certificateAuthorities: [ "/usr/share/kibana/config/elastic-ca.pem" ]
elasticsearch.ssl.verificationMode: certificate
Configure HTTPS for Kibana: generate elastic-stack-ca.zip, the CA in PEM form
[root@ip- elasticsearch]# bin/elasticsearch-certutil ca --pem
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.zip]:
Unzip the generated elastic-stack-ca.zip; it contains ca/ca.crt and ca/ca.key, which are copied here into Kibana's config directory
Configure kibana.yml
##the files must be readable by the kibana user
server.ssl.enabled: true
server.ssl.certificate: config/ca.crt
server.ssl.key: config/ca.key
Note that this hands Kibana the CA certificate and the CA private key as its own server certificate. It gets HTTPS up for a quick test, but it is a misuse: a CA certificate carries no subjectAltName for the Kibana host, so browsers will not validate it even after the CA has been imported as trusted, and the CA private key ends up readable by the Kibana process, whereas it should only ever sign certificates and otherwise stay offline. The proper setup is to issue a separate server certificate from this CA, for example with elasticsearch-certutil cert --pem --ca-cert ca.crt --ca-key ca.key --name kibana --dns <kibana hostname>, and point server.ssl.certificate and server.ssl.key at that certificate and key.
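The following is an added example written for this page; it is not code from the original post or from Elastic. It builds a throw-away PKI with openssl that mirrors what the certutil steps above produce, and then checks three things from this page offline: what verification_mode certificate versus full actually accepts (a node certificate with no SAN, like certutil's default output, passes certificate but fails full, while one issued with a SAN for the node name passes both), that the openssl pkcs12 -cacerts extraction step really yields the CA certificate, and why the ca.crt/ca.key pair from the Kibana HTTPS section is not a server certificate (it fails the TLS-server purpose and hostname check that a certificate issued by the CA for the Kibana hostname passes). The CA name, the host names es-node1 and kibana.example.com, the IP 10.0.0.11 and the password 123456 are assumed demo values; openssl must be on PATH.

```shell
#!/bin/sh
# Added example (not from the original post or from Elastic): a throw-away PKI
# built with openssl that mirrors the certutil steps above, used to check what
# the verification modes and the Kibana certificate choice actually accept.
# Assumed demo values: CA name, es-node1, kibana.example.com, 10.0.0.11, 123456.
set -u
WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config so nothing depends on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Elastic CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for a proper Kibana server certificate (what "certutil cert --pem
# --ca-cert ca.crt --ca-key ca.key --dns kibana.example.com" would put in).
cat > kibana.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:kibana.example.com
EOF

# issue <csr> <out.crt> [extfile]: sign a CSR with the demo CA.
issue() {
  if [ $# -eq 3 ]; then
    openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -extfile "$3" -out "$2"
  else
    openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out "$2"
  fi >/dev/null 2>&1
}

setup_demo_pki() {
  # self-signed CA: the PEM form of "elasticsearch-certutil ca"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
    -keyout ca.key -out ca.crt >/dev/null 2>&1
  # node key + CSR with CN=instance, the default name certutil uses
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=instance" \
    -keyout node.key -out node.csr >/dev/null 2>&1
  # node cert with no SAN at all: what "certutil cert" gives by default
  issue node.csr node-nosan.crt
  # node cert with a SAN, as "certutil cert --dns es-node1 --ip 10.0.0.11" would give
  printf 'subjectAltName = DNS:es-node1,IP:10.0.0.11\n' > san.cnf
  issue node.csr node-san.crt san.cnf
  # PKCS#12 holding node cert + key + CA, the shape of elastic-certificates.p12
  openssl pkcs12 -export -in node-san.crt -inkey node.key -certfile ca.crt \
    -name instance -passout pass:123456 -out elastic-certificates.p12 >/dev/null 2>&1
  # a server certificate for Kibana issued BY the CA, instead of the CA itself
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=kibana" \
    -keyout kibana.key -out kibana.csr >/dev/null 2>&1
  issue kibana.csr kibana.crt kibana.ext
}

# verification_mode: certificate -> only "was it signed by a trusted CA?"
verify_certificate_mode() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}
# verification_mode: full -> trusted CA AND the certificate names the host we dialed
verify_full_mode() {
  openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1
}
# The openssl pkcs12 step from the post: pull only the CA cert out of the .p12
# and confirm it is the CA (same SHA-256 fingerprint as ca.crt).
extract_ca_pem() {
  openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys \
    -passin pass:123456 -out elastic-ca.pem >/dev/null 2>&1 &&
  [ "$(openssl x509 -in elastic-ca.pem -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in ca.crt -noout -fingerprint -sha256)" ]
}
# What a browser needs from Kibana's server.ssl.certificate: chains to the CA,
# is usable as a TLS server certificate, and names the Kibana host.
kibana_server_cert_ok() {
  openssl verify -CAfile ca.crt -purpose sslserver -verify_hostname "$2" "$1" >/dev/null 2>&1
}

setup_demo_pki
for crt in node-nosan.crt node-san.crt; do
  verify_certificate_mode "$crt" && c=OK || c=FAIL
  verify_full_mode "$crt" es-node1 && f=OK || f=FAIL
  echo "$crt: verification_mode=certificate -> $c, verification_mode=full (es-node1) -> $f"
done
extract_ca_pem && echo "elastic-ca.pem extracted from the .p12 matches ca.crt"
kibana_server_cert_ok kibana.crt kibana.example.com && echo "kibana.crt: accepted as server cert"
kibana_server_cert_ok ca.crt kibana.example.com || echo "ca.crt used as server cert: rejected"
```

Run it as a plain sh script; it prints one line per check. The -verify_hostname check is the extra step that full performs over certificate, and the reason the post's hostname-less certificates only work with verification_mode: certificate; per-node certificates from certutil's cert mode with --dns/--ip are what makes full usable. The last two lines are the Kibana point: the certificate issued by the CA for kibana.example.com validates, the CA certificate itself does not.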