#SSL configuration
/usr/share/elasticsearch/bin/elasticsearch-certutil http
#Fill in the relevant information
This command generates a .zip file containing the certificates and keys for Elasticsearch and Kibana. Each folder contains a README.txt that explains how to use the files.
When asked whether you want to generate a CSR, enter n.
When asked whether you want to use an existing CA, enter y.
Enter the path to the CA. This is the absolute path to the elastic-stack-ca.p12 file that was generated for the cluster.
Enter the password for your CA.
Enter an expiration value for the certificate. You can enter the validity period in years, months, or days. For example, enter 90D for 90 days.
When asked whether you want to generate one certificate per node, enter y.
Each certificate has its own private key and is issued for a specific hostname or IP address.
When prompted, enter the name of the first node in the cluster. Use the same node name that you used when generating the node certificates.
Enter all hostnames used to connect to the first node. These hostnames are added as DNS names in the Subject Alternative Name (SAN) field of the certificate.
List every hostname and variant used to connect to your cluster over HTTPS.
Enter the IP addresses that clients can use to connect to your node.
Repeat these steps for each additional node in the cluster.
#Add the private key password to Elasticsearch's secure settings.
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
#Add the following to the main elasticsearch configuration file
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
#es configuration file
node.name: es1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.1.149
http.port: 9200
discovery.seed_hosts: ["es1", "es2","es3"]
cluster.initial_master_nodes: ["es2", "es3"]
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-stack-ca.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-stack-ca.p12
#Kibana HTTPS certificate request
[root@es1 kibana]# /usr/share/elasticsearch/bin/elasticsearch-certutil csr -name kibana-server -dns es.com,www.es.com
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'csr' mode generates certificate signing requests that can be sent to
a trusted certificate authority
* By default, this generates a single CSR for a single instance.
* You can use the '-multiple' option to generate CSRs for multiple
instances, each with their own private key.
* The '-in' option allows for the CSR generation to be automated
by describing the details of each instance in a YAML file
* An instance is any piece of the Elastic Stack that requires an SSL certificate.
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
may all require a certificate and private key.
* The minimum required value for each instance is a name. This can simply be the
hostname, which will be used as the Common Name of the certificate. A full
distinguished name may also be used.
* A filename value may be required for each instance. This is necessary when the
name would result in an invalid file or directory name. The name provided here
is used as the directory name (within the zip) and the prefix for the key and
certificate files. The filename is required if you are prompted and the name
is not displayed in the prompt.
* IP addresses and DNS names are optional. Multiple values can be specified as a
comma separated string. If no IP addresses or DNS names are provided, you may
disable hostname verification in your SSL configuration.
The 'csr' mode produces a single zip file which contains the certificate
signing requests and private keys for each instance.
* Each certificate signing request is provided as a standard PEM encoding of a PKCS#10 CSR.
* Each key is provided as a PEM encoding of an RSA private key
Please enter the desired output file [csr-bundle.zip]:
Certificate signing requests have been written to /usr/share/elasticsearch/csr-bundle.zip
This file should be properly secured as it contains the private keys for all
instances.
After unzipping the file, there will be a directory for each instance containing
the certificate signing request and the private key. Provide the certificate
signing requests to your certificate authority. Once you have received the
signed certificate, copy the signed certificate, key, and CA certificate to the
configuration directory of the Elastic product that they will be used for and
follow the SSL configuration instructions in the product guide.
[root@es1 kibana]# find / -name csr-bundle.zip
/usr/share/elasticsearch/csr-bundle.zip
[root@es1 kibana]# cd /usr/share/elasticsearch/
[root@es1 elasticsearch]# unzip csr-bundle.zip
Archive: csr-bundle.zip
creating: kibana-server/
inflating: kibana-server/kibana-server.csr
inflating: kibana-server/kibana-server.key
#Generate the crt (this self-signs the CSR with its own key; the cluster CA does not sign it)
openssl x509 -req -days 1800 -in kibana-server.csr -signkey kibana-server.key -out kibana-server.crt
# Kibana SSL configuration
server.port: 5601
server.host: "192.168.1.149"
server.name: "es1"
elasticsearch.hosts: ["https://192.168.1.149:9200"]
kibana.index: ".kibana"
elasticsearch.username: "elastic"
elasticsearch.password: "shanyao"
server.ssl.enabled: true
server.ssl.certificate: /usr/share/elasticsearch/kibana-server/kibana-server.crt
server.ssl.key: /usr/share/elasticsearch/kibana-server/kibana-server.key
elasticsearch.ssl.certificateAuthorities: [ "/usr/share/elasticsearch/kibana/elasticsearch-ca.pem" ]
elasticsearch.ssl.verificationMode: none
#Restart Kibana
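Added example (not part of the original notes): a small Python linter that reads flat `key: value` settings like the elasticsearch.yml and kibana.yml blocks above and flags TLS settings that skip verification, such as the `elasticsearch.ssl.verificationMode: none` used here. The sample settings are constructed from this page; the rule messages and the recommendation of `full` are mine, not the project's.

```python
# Constructed sample: the Kibana settings from the notes above, as written.
KIBANA_YML = """
server.ssl.enabled: true
elasticsearch.ssl.certificateAuthorities: [ "/usr/share/elasticsearch/kibana/elasticsearch-ca.pem" ]
elasticsearch.ssl.verificationMode: none
"""
# Constructed sample: the Elasticsearch TLS settings from the notes above.
ES_YML = """
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
"""

# Per file: (setting, acceptable values, message when the value is weaker or unset).
RULES = {
    "kibana.yml": [
        ("server.ssl.enabled", {"true"}, "Kibana is served over plain HTTP"),
        ("elasticsearch.ssl.verificationMode", {"full"},
         "Kibana does not verify the Elasticsearch certificate; use 'full' together "
         "with elasticsearch.ssl.certificateAuthorities pointing at the CA PEM"),
    ],
    "elasticsearch.yml": [
        ("xpack.security.http.ssl.enabled", {"true"}, "HTTPS on the REST port is off"),
        ("xpack.security.transport.ssl.enabled", {"true"}, "node-to-node traffic is unencrypted"),
        ("xpack.security.transport.ssl.verification_mode", {"full"},
         "'certificate' checks the chain but not the hostname; 'full' also checks the SAN"),
    ],
}

def parse_flat_yaml(text):
    """Parse the flat `key: value` lines these configs use (no nesting); blank and
    comment lines are skipped, surrounding quotes and list brackets are stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("[]").strip().strip('"\'')
    return settings

def lint_tls(filename, settings):
    """Return (setting, value, message) for every rule the file fails; unset counts as weak."""
    return [(key, settings.get(key, "<unset>"), message)
            for key, acceptable, message in RULES[filename]
            if settings.get(key, "<unset>") not in acceptable]

if __name__ == "__main__":
    for name, text in (("kibana.yml", KIBANA_YML), ("elasticsearch.yml", ES_YML)):
        for key, value, message in lint_tls(name, parse_flat_yaml(text)):
            print(f"{name}: {key} = {value}: {message}")
```

Run against the settings on this page it reports the Kibana `verificationMode: none` and the transport `verification_mode: certificate`; the other checks pass.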