共计 3830 个字符,预计需要花费 10 分钟才能阅读完成。
[toc]
1. 不生成证书间接启动
1.1 残缺的控制台信息
间接启动后控制台会展现记录一段要害信息
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.
ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
+H2hnvwZ2DmAHY1Eim_M
ℹ️ HTTP CA certificate SHA-256 fingerprint:
d924ffb43dd09829e6f25156b2264dc5b8f5b1d119ac7e1bdde2dd0104776836
ℹ️ Configure Kibana to use this cluster:
• Run Kibana and click the configuration link in the terminal when Kibana starts.
• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):
eyJ2ZXIiOiI4LjUuMiIsImFkciI6WyIyLjAuMC4xOjU5MjAwIl0sImZnciI6ImQ5MjRmZmI0M2RkMDk4MjllNmYyNTE1NmIyMjY0ZGM1YjhmNWIxZDExOWFjN2UxYmRkZTJkZDAxMDQ3NzY4MzYiLCJrZXkiOiJMWFZJVjRVQlVQN1dJOFdZREM2LTpRaTd6WGVHWFFTdS1hZEU1RFJ4Z3Z3In0=
ℹ️ Configure other nodes to join this cluster:
• On this node:
⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
⁃ Uncomment the transport.host setting at the end of config/elasticsearch.yml.
⁃ Restart Elasticsearch.
• On other nodes:
⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1.2 整体阐明
- elastic 账号的默认明码
- HTTP CA 证书
- kibana 拜访 es 的 token
- 其余 node 退出以后 node 的 cluster 的 token
1.3 忘性不好我忘了, 怎么办
- 问题 1. elastic 账号默认明码我没看到, 清了, 怎么办?
- 问题 2. kibana 拜访的 token 超过 30 分钟了, 怎么办?
1.4 重置明码和 token
1.4.1 重置明码
运行中另开一个窗口, 应用下列命令能够重置一个明码;
bin/elasticsearch-reset-password -u elastic1.4.2 重置明码 - 手动自定义明码
交互式输出明码
bin/elasticsearch-reset-password --username elastic -i1.5 kibana/ 其余 node 退出集群
1.5.1 kibana 退出集群的 token
(另开命令行执行)
bin/elasticsearch-create-enrollment-token -s kibana --url "https://localhost:9200"1.5.2 其余 node 退出集群 token
(另开命令行执行)
bin/elasticsearch-create-enrollment-token -s node2. 学生成证书再启动
2.1 控制台信息
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.
ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
DIsWATYoHD8gg8R7Cgdt
❌ Unable to generate an enrollment token for Kibana instances, try invoking `bin/elasticsearch-create-enrollment-token -s kibana`.
❌ An enrollment token to enroll new nodes wasn't generated. To add nodes and enroll them into this cluster:
• On this node:
⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
⁃ Restart Elasticsearch.
• On other nodes:
⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━2.2 整体阐明
只有一项: elasticsearch 的明码
- elastic 账号的默认明码
为什么?
- kibana 拜访, 用证书
- 其余 node 退出, 用证书
3. 补充: 生成证书全过程
3.1 签发 CA 证书
bin\elasticsearch-certutil.bat ca目录下生成: elastic-stack-ca.p12
3.2 用 CA 证书生成节点证书
bin\elasticsearch-certutil.bat cert --ca elastic-stack-ca.p12会生成: elastic-certificates.p12
留神: 一路回车不要明码
3.3 将 CA 证书和节点证书 mv 到 config/certs 下
如题
3.4 签发 HTTP 证书
交互过程如下:
bin\elasticsearch-certutil.bat http
# 不须要 csr, 输出 n
Generate a CSR? [y/N]n
# 应用生成的 CA 整肃, 输出 y
Use an existing CA? [y/N]y
# 输出 CA 门路: 从 certs 开始
CA Path: certs/elastic-stack-ca.p12
# 没有 CA 明码, 间接回车
Password for elastic-stack-ca.p12:
# 设置 5 年, 默认, 输出:5y
For how long should your certificate be valid? [5y] 5y
# 是否须要每个节点都生成证书: 输出 n
Generate a certificate per node? [y/N]n
# 输出 node 名称: hostname, 输出后 y 确认
ZB-PF2P9LED
# 输出 ip: , 输出后 y 确认
192.168.0.102
# 方才这些配置还须要批改吗? 输出 n
Do you wish to change any of these options? [y/N]n
# 不必明码, 回车
Provide a password for the "http.p12" file: [<ENTER> for none]
# 问要不要给 http 证书改名, 间接回车
What filename should be used for the output zip file? [D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip]
#最初:
Zip file written to D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip3.5 证书放到 certs 目录下
unzip elasticsearch-ssl-http.zip elasticsearch-ssl-http/
mv elasticsearch/http.p12 kibana/elasticsearch-ca.pem config/certs/
# 其余的文件删掉即可
正文完
发表至: elasticsearch
2022-12-29
