Elastic learning: Elasticsearch 8.5 startup console output

Posted by niewj on 2022-12-29


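1. Starting directly without generating certificates

1.1 Full console output

When Elasticsearch is started directly, the console prints a block of key information: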

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.

ℹ️  Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
  +H2hnvwZ2DmAHY1Eim_M

ℹ️  HTTP CA certificate SHA-256 fingerprint:
  d924ffb43dd09829e6f25156b2264dc5b8f5b1d119ac7e1bdde2dd0104776836

ℹ️  Configure Kibana to use this cluster:
• Run Kibana and click the configuration link in the terminal when Kibana starts.
• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):
  eyJ2ZXIiOiI4LjUuMiIsImFkciI6WyIyLjAuMC4xOjU5MjAwIl0sImZnciI6ImQ5MjRmZmI0M2RkMDk4MjllNmYyNTE1NmIyMjY0ZGM1YjhmNWIxZDExOWFjN2UxYmRkZTJkZDAxMDQ3NzY4MzYiLCJrZXkiOiJMWFZJVjRVQlVQN1dJOFdZREM2LTpRaTd6WGVHWFFTdS1hZEU1RFJ4Z3Z3In0=

ℹ️  Configure other nodes to join this cluster:
• On this node:
  ⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
  ⁃ Uncomment the transport.host setting at the end of config/elasticsearch.yml.
  ⁃ Restart Elasticsearch.
• On other nodes:
  ⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

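1.2 Overview

  1. The default password of the elastic account
  2. The HTTP CA certificate
  3. The token Kibana uses to access ES
  4. The token for other nodes to join this node's cluster

1.3 I have a bad memory and forgot them; what now?

  • Question 1. I did not catch the default password of the elastic account and the screen has been cleared. What now?
  • Question 2. The token for Kibana access is more than 30 minutes old. What now?

1.4 Resetting the password and token

1.4.1 Resetting the password

While Elasticsearch is running, open another window; the following command resets the password: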

bin/elasticsearch-reset-password -u elastic

1.4.2 Resetting the password: setting a custom password manually

Enter the password interactively:

bin/elasticsearch-reset-password --username elastic -i

1.5 Kibana / other nodes joining the cluster

1.5.1 Token for Kibana to join the cluster

(run in a separate command line)
  bin/elasticsearch-create-enrollment-token -s kibana --url "https://localhost:9200"

1.5.2 Token for other nodes to join the cluster

(run in a separate command line)
  bin/elasticsearch-create-enrollment-token -s node
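
An enrollment token is base64-encoded JSON, and the token in the 1.1 console output decodes to the fields ver, adr, fgr and key, with fgr equal to the HTTP CA fingerprint printed above it. The following is an added example (not code from the original post) that decodes a token and checks fgr against the fingerprint from the console. The function names and all sample values are constructed, and the four-field layout is assumed from that 8.5.2 token.

```python
import base64
import json

REQUIRED_FIELDS = ("ver", "adr", "fgr", "key")  # layout assumed for 8.x tokens


def parse_enrollment_token(token: str) -> dict:
    """Decode a base64 enrollment token into its JSON fields."""
    try:
        fields = json.loads(base64.b64decode(token.strip(), validate=True))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all land here
        raise ValueError(f"not an enrollment token: {exc}") from None
    if not isinstance(fields, dict) or any(k not in fields for k in REQUIRED_FIELDS):
        raise ValueError("enrollment token is missing expected fields")
    return fields


def normalize_fingerprint(fp: str) -> str:
    """Accept plain hex or colon-separated hex; return lowercase hex."""
    return str(fp).replace(":", "").replace(" ", "").lower()


def review_token(token: str, console_fingerprint: str) -> dict:
    """Summarise a token without echoing the API key secret it carries."""
    fields = parse_enrollment_token(token)
    key_id, sep, secret = str(fields["key"]).partition(":")
    return {
        "version": fields["ver"],
        "addresses": fields["adr"],
        "fingerprint_matches": normalize_fingerprint(fields["fgr"])
        == normalize_fingerprint(console_fingerprint),
        "api_key_id": key_id,
        "carries_secret": bool(sep and secret),
    }


# Constructed sample values (not from a real cluster).
SAMPLE_FINGERPRINT = "ab" * 32
SAMPLE_TOKEN = base64.b64encode(json.dumps({
    "ver": "8.5.2",
    "adr": ["192.0.2.10:9200"],
    "fgr": SAMPLE_FINGERPRINT,
    "key": "sample-key-id:sample-key-secret",
}).encode()).decode()

if __name__ == "__main__":
    print(review_token(SAMPLE_TOKEN, SAMPLE_FINGERPRINT))
```

Because the key field holds an API key in id:secret form, an enrollment token should be handled like a password for as long as it is valid.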

2. Generating the certificates first, then starting

2.1 Console output

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.

ℹ️  Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
  DIsWATYoHD8gg8R7Cgdt

❌ Unable to generate an enrollment token for Kibana instances, try invoking `bin/elasticsearch-create-enrollment-token -s kibana`.

❌ An enrollment token to enroll new nodes wasn't generated. To add nodes and enroll them into this cluster:
• On this node:
  ⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
  ⁃ Restart Elasticsearch.
• On other nodes:
  ⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

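2.2 Overview

Only one item: the Elasticsearch password

  1. The default password of the elastic account

Why?

  • Kibana access uses the certificate
  • Other nodes joining use the certificate

3. Supplement: the full certificate generation process

3.1 Issue the CA certificate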

bin\elasticsearch-certutil.bat ca

This generates the following file in the directory: elastic-stack-ca.p12

3.2 Generate the node certificate from the CA certificate

bin\elasticsearch-certutil.bat cert --ca elastic-stack-ca.p12

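This generates: elastic-certificates.p12

Note: press Enter at every prompt and do not set a password

3.3 Move (mv) the CA certificate and the node certificate into config/certs

As the heading says.

3.4 Issue the HTTP certificate

The interactive session goes as follows: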

bin\elasticsearch-certutil.bat http
# No CSR is needed; enter n
Generate a CSR? [y/N]n
# Use the CA certificate generated earlier; enter y
Use an existing CA? [y/N]y
# Enter the CA path, starting from certs
CA Path: certs/elastic-stack-ca.p12
# The CA has no password; just press Enter
Password for elastic-stack-ca.p12:
# Set 5 years (the default); enter 5y
For how long should your certificate be valid? [5y] 5y
# Generate a certificate for each node? Enter n
Generate a certificate per node? [y/N]n
# Enter the node name (the hostname), then confirm with y
ZB-PF2P9LED
# Enter the IP, then confirm with y
192.168.0.102
# Do any of these settings need changing? Enter n
Do you wish to change any of these options? [y/N]n
# No password; press Enter
Provide a password for the "http.p12" file:  [<ENTER> for none]
# Asks whether to rename the HTTP certificate zip file; just press Enter
What filename should be used for the output zip file? [D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip]
# Finally:
Zip file written to D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip

3.5 Put the certificates in the certs directory

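# Extract into its own directory (the zip contains elasticsearch/ and kibana/)
unzip elasticsearch-ssl-http.zip -d elasticsearch-ssl-http/
mv elasticsearch-ssl-http/elasticsearch/http.p12 elasticsearch-ssl-http/kibana/elasticsearch-ca.pem config/certs/
# The remaining files can simply be deleted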
