[toc]
1. 不生成證書直接啟動
1.1 完整的控制檯資訊
直接啟動後控制檯會展示記錄一段關鍵資訊
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.
ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
+H2hnvwZ2DmAHY1Eim_M
ℹ️ HTTP CA certificate SHA-256 fingerprint:
d924ffb43dd09829e6f25156b2264dc5b8f5b1d119ac7e1bdde2dd0104776836
ℹ️ Configure Kibana to use this cluster:
• Run Kibana and click the configuration link in the terminal when Kibana starts.
• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):
eyJ2ZXIiOiI4LjUuMiIsImFkciI6WyIyLjAuMC4xOjU5MjAwIl0sImZnciI6ImQ5MjRmZmI0M2RkMDk4MjllNmYyNTE1NmIyMjY0ZGM1YjhmNWIxZDExOWFjN2UxYmRkZTJkZDAxMDQ3NzY4MzYiLCJrZXkiOiJMWFZJVjRVQlVQN1dJOFdZREM2LTpRaTd6WGVHWFFTdS1hZEU1RFJ4Z3Z3In0=
ℹ️ Configure other nodes to join this cluster:
• On this node:
⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
⁃ Uncomment the transport.host setting at the end of config/elasticsearch.yml.
⁃ Restart Elasticsearch.
• On other nodes:
⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1.2 整體說明
- elastic賬號的預設密碼
- HTTP CA證書
- kibana訪問es的token
- 其他node加入當前node的cluster的token
1.3 記性不好我忘了,怎麼辦
- 問題1. elastic賬號預設密碼我沒看到,清了, 怎麼辦?
- 問題2. kibana訪問的token超過30分鐘了,怎麼辦?
1.4 重置密碼和token
1.4.1 重置密碼
執行中另開一個視窗, 使用下列命令可以重置一個密碼;
bin/elasticsearch-reset-password -u elastic1.4.2 重置密碼-手動自定義密碼
互動式輸入密碼
bin/elasticsearch-reset-password --username elastic -i1.5 kibana/其他node加入叢集
1.5.1 kibana加入叢集的token
(另開命令列執行)
bin/elasticsearch-create-enrollment-token -s kibana --url "https://localhost:9200"1.5.2 其他node加入叢集token
(另開命令列執行)
bin/elasticsearch-create-enrollment-token -s node2. 先生成證書再啟動
2.1 控制檯資訊
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.
ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
DIsWATYoHD8gg8R7Cgdt
❌ Unable to generate an enrollment token for Kibana instances, try invoking `bin/elasticsearch-create-enrollment-token -s kibana`.
❌ An enrollment token to enroll new nodes wasn't generated. To add nodes and enroll them into this cluster:
• On this node:
⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
⁃ Restart Elasticsearch.
• On other nodes:
⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━2.2 整體說明
只有一項: elasticsearch的密碼
- elastic賬號的預設密碼
為什麼?
- kibana訪問,用證書
- 其他node加入,用證書
3. 補充:生成證書全過程
3.1 簽發CA證書
bin\elasticsearch-certutil.bat ca目錄下生成: elastic-stack-ca.p12
3.2 用CA證書生成節點證書
bin\elasticsearch-certutil.bat cert --ca elastic-stack-ca.p12會生成: elastic-certificates.p12
注意: 一路回車不要密碼
3.3 將CA證書和節點證書mv到config/certs下
如題
3.4 簽發HTTP證書
互動過程如下:
bin\elasticsearch-certutil.bat http
# 不需要csr, 輸入n
Generate a CSR? [y/N]n
# 使用生成的CA整肅, 輸入y
Use an existing CA? [y/N]y
# 輸入CA路徑: 從certs開始
CA Path: certs/elastic-stack-ca.p12
# 沒有CA密碼,直接回車
Password for elastic-stack-ca.p12:
# 設定5年,預設,輸入:5y
For how long should your certificate be valid? [5y] 5y
# 是否需要每個節點都生成證書:輸入n
Generate a certificate per node? [y/N]n
# 輸入node名稱: hostname, 輸入後y確認
ZB-PF2P9LED
# 輸入ip: , 輸入後y確認
192.168.0.102
# 剛才這些配置還需要修改嗎? 輸入n
Do you wish to change any of these options? [y/N]n
# 不用密碼, 回車
Provide a password for the "http.p12" file: [<ENTER> for none]
# 問要不要給http證書改名, 直接回車
What filename should be used for the output zip file? [D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip]
#最後:
Zip file written to D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip3.5 證書放到certs目錄下
unzip elasticsearch-ssl-http.zip elasticsearch-ssl-http/
mv elasticsearch/http.p12 kibana/elasticsearch-ca.pem config/certs/
# 其餘的檔案刪掉即可