Elasticsearch自签证书

**** 以下内容为比较早期的简单使用，比较劣质，证书相关具体请参考 elastic社区文章

一、自签证书

1、进入工作目录

进入容器，bin 目录下有生成证书的脚本，路径下文件展示如下（我这里是以 docker 容器部署的模式演示的，非容器环境下也是一样的，进入 bin 路径下即可）

[root@363474ada611 elasticsearch]# ll bin/
total 19604
-rwxr-xr-x. 1 elasticsearch root     1915 Mar 26  2020 elasticsearch
-rwxr-xr-x. 1 elasticsearch root      491 Mar 26  2020 elasticsearch-certgen
-rwxr-xr-x. 1 elasticsearch root      483 Mar 26  2020 elasticsearch-certutil                   # 生成秘钥的
-rwxr-xr-x. 1 elasticsearch root      982 Mar 26  2020 elasticsearch-cli
-rwxr-xr-x. 1 elasticsearch root      433 Mar 26  2020 elasticsearch-croneval
-rwxr-xr-x. 1 elasticsearch root     4316 Mar 26  2020 elasticsearch-env
-rwxr-xr-x. 1 elasticsearch root     1828 Mar 26  2020 elasticsearch-env-from-file
-rwxr-xr-x. 1 elasticsearch root      121 Mar 26  2020 elasticsearch-keystore
-rwxr-xr-x. 1 elasticsearch root      440 Mar 26  2020 elasticsearch-migrate
-rwxr-xr-x. 1 elasticsearch root      126 Mar 26  2020 elasticsearch-node
-rwxr-xr-x. 1 elasticsearch root      172 Mar 26  2020 elasticsearch-plugin
-rwxr-xr-x. 1 elasticsearch root      431 Mar 26  2020 elasticsearch-saml-metadata
-rwxr-xr-x. 1 elasticsearch root      438 Mar 26  2020 elasticsearch-setup-passwords     # 这个是设置密码用的
-rwxr-xr-x. 1 elasticsearch root      118 Mar 26  2020 elasticsearch-shard
-rwxr-xr-x. 1 elasticsearch root      427 Mar 26  2020 elasticsearch-sql-cli
-rwxr-xr-x. 1 elasticsearch root 19986912 Mar 26  2020 elasticsearch-sql-cli-7.6.2.jar
-rwxr-xr-x. 1 elasticsearch root      426 Mar 26  2020 elasticsearch-syskeygen
-rwxr-xr-x. 1 elasticsearch root      426 Mar 26  2020 elasticsearch-users               # 用户管理
-rwxr-xr-x. 1 elasticsearch root      346 Mar 26  2020 x-pack-env
-rwxr-xr-x. 1 elasticsearch root      354 Mar 26  2020 x-pack-security-env
-rwxr-xr-x. 1 elasticsearch root      353 Mar 26  2020 x-pack-watcher-env

2、生成证书

先执行可执行文件： elasticsearch-certutil 生成 ca 证书文件

[root@6bebc53a88ac bin]#  elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key


# 定义证书名称，这里若不自定义文件名称的话直接回车，默认 elastic-stack-ca.p12 默认就行了
Please enter the desired output file [elastic-stack-ca.p12]:
# 这里输入你要设置的 ca 证书的密码密码，回车（注意此处是 CA 证书密码，非用户密码）
Enter password for elastic-stack-ca.p12 :

3、生成 cert 证书

再执行命令：elasticsearch-certutil cert  --ca elastic-stack-ca.p12

[root@1d8bdbc07715 bin]# elasticsearch-certutil cert  --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

…………………………此处省略大量废话……………………………..

then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) :                              # 输入上一步执行时设置的密码
Please enter the desired output file [elastic-certificates.p12]:            # 自定义证书文件名，默认就好了
Enter password for elastic-certificates.p12 :                               # 给证书文件设置密码，和上一步同一个密码即可

Certificates written to /usr/share/elasticsearch/elastic-certificates.p12

This file should be properly secured as it contains the private key for 
your instance.

This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
[root@1d8bdbc07715 bin]# 

 4、生成 http 证书

根据上面同样的凡是，执行命令   elasticsearch-certutil http

 5、证书转换

生成证书中，我们生成的 CA 证书拓展名为 elastic-stack-ca.p12  有写场景需要将其转换为   elastic-stack-ca.crt

openssl pkcs12 -in elastic-stack-ca.p12 -clcerts -nokeys -out elastic-stack-ca.crt

 

6、查看证书生成结果

以下看到的证书中，我并没有生成 http 证书和  证书转换， /usr/share/elasticsearch/    elastic-certificates.p12

[root@1d8bdbc07715 elasticsearch]# ls
LICENSE.txt  NOTICE.txt  README.asciidoc  bin  config  data  elastic-certificates.p12  elastic-stack-ca.p12  jdk  lib  logs  modules  plugins

 

二、用户密码配置

设置密码：（bin 目录下），这里只允许配置系统用户的密码，用户密码需要使用 Kibana 中进行新增

1、可以查看命里帮助提示，执行如下命令

[root@9a6eebe7a6d7 bin]# elasticsearch-setup-passwords -h                    # 查看命令帮助解释

2、设置密码

[root@368f57c255c9 bin]# elasticsearch-setup-passwords interactive       # interactive自定义密码 atuo 是随机密码
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y

# 可以设置所有的用户都为一个密码，以下就是输入你需要设置的各个用户的密码了
Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana]: 
Reenter password for [kibana]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
[root@368f57c255c9 bin]#