elasticsearch-cert using PEM
Generate the root certificate:

```
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --days 720 --pem
```

Generate the node certificate (the nodes are virtual machines whose IPs change dynamically, so no DNS or IP entries are added when generating the node certificate; as a result this one certificate can be shared by several nodes):

```
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert ./ca/ca.crt --ca-key ./ca/ca.key --days 720 --pem
```

Copy the certificates to each node under /etc/elasticsearch/x-pack/.
Transport layer TLS settings in elasticsearch.yml:

```yaml
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/x-pack/instance.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/x-pack/instance.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/x-pack/ca.crt" ]
```

HTTP layer TLS settings:

```yaml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/x-pack/instance.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/x-pack/instance.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/x-pack/ca.crt" ]
```

Steps 1-3: see configuring-tls.
Configuring things as in 2 and 3 works fine, but ES also provides a default TLS/SSL configuration (xpack.ssl.certificate, xpack.ssl.certificate_authorities, xpack.ssl.key). When 2 and 3 are not configured, this default configuration takes effect:

```yaml
xpack.ssl.certificate: /etc/elasticsearch/x-pack/instance.crt
xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/x-pack/ca.crt" ]
xpack.ssl.key: /etc/elasticsearch/x-pack/instance.key
```
Kibana settings in kibana.yml:

```yaml
elasticsearch.url: "https://192.168.0.115:9200"
elasticsearch.username: "kibana"
elasticsearch.password: "123456"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/x-pack/ca.crt" ]
elasticsearch.ssl.verificationMode: certificate
```

elasticsearch.ssl.verificationMode is not required; it defaults to full. Because the certificate was generated without DNS or IP entries, host verification has to be disabled here, otherwise Kibana reports the error "elasticsearch http client did not trust this server's certificate".
Passwords now need to be generated for the built-in users, using the tool:

```
bin/elasticsearch-setup-passwords interactive
```

[Reference](https://www.elastic.co/guide/en/elasticsearch/reference/7.4/built-in-users.html)

First log in as u:elastic p:123456, then create usernames and passwords.