关于elasticsearch:elastic学习elasticsearch85启动控制台内容

37次阅读

共计 3830 个字符,预计需要花费 10 分钟才能阅读完成。

[toc]

1. 不生成证书间接启动

1.1 残缺的控制台信息

间接启动后控制台会展现记录一段要害信息

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.

ℹ️  Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
  +H2hnvwZ2DmAHY1Eim_M

ℹ️  HTTP CA certificate SHA-256 fingerprint:
  d924ffb43dd09829e6f25156b2264dc5b8f5b1d119ac7e1bdde2dd0104776836

ℹ️  Configure Kibana to use this cluster:
• Run Kibana and click the configuration link in the terminal when Kibana starts.
• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):
  eyJ2ZXIiOiI4LjUuMiIsImFkciI6WyIyLjAuMC4xOjU5MjAwIl0sImZnciI6ImQ5MjRmZmI0M2RkMDk4MjllNmYyNTE1NmIyMjY0ZGM1YjhmNWIxZDExOWFjN2UxYmRkZTJkZDAxMDQ3NzY4MzYiLCJrZXkiOiJMWFZJVjRVQlVQN1dJOFdZREM2LTpRaTd6WGVHWFFTdS1hZEU1RFJ4Z3Z3In0=

ℹ️  Configure other nodes to join this cluster:
• On this node:
  ⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
  ⁃ Uncomment the transport.host setting at the end of config/elasticsearch.yml.
  ⁃ Restart Elasticsearch.
• On other nodes:
  ⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

1.2 整体阐明

  1. elastic 账号的默认明码
  2. HTTP CA 证书
  3. kibana 拜访 es 的 token
  4. 其余 node 退出以后 node 的 cluster 的 token

1.3 忘性不好我忘了, 怎么办

  • 问题 1. elastic 账号默认明码我没看到, 清了, 怎么办?
  • 问题 2. kibana 拜访的 token 超过 30 分钟了, 怎么办?

1.4 重置明码和 token

1.4.1 重置明码

运行中另开一个窗口, 应用下列命令能够重置一个明码;

bin/elasticsearch-reset-password -u elastic

1.4.2 重置明码 - 手动自定义明码

交互式输出明码

bin/elasticsearch-reset-password --username elastic -i

1.5 kibana/ 其余 node 退出集群

1.5.1 kibana 退出集群的 token

(另开命令行执行)

  bin/elasticsearch-create-enrollment-token -s kibana --url "https://localhost:9200"

1.5.2 其余 node 退出集群 token

(另开命令行执行)

  bin/elasticsearch-create-enrollment-token -s node

2. 学生成证书再启动

2.1 控制台信息

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.

ℹ️  Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
  DIsWATYoHD8gg8R7Cgdt

❌ Unable to generate an enrollment token for Kibana instances, try invoking `bin/elasticsearch-create-enrollment-token -s kibana`.

❌ An enrollment token to enroll new nodes wasn't generated. To add nodes and enroll them into this cluster:
• On this node:
  ⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
  ⁃ Restart Elasticsearch.
• On other nodes:
  ⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

2.2 整体阐明

只有一项: elasticsearch 的明码

  1. elastic 账号的默认明码

为什么?

  • kibana 拜访, 用证书
  • 其余 node 退出, 用证书

3. 补充: 生成证书全过程

3.1 签发 CA 证书

bin\elasticsearch-certutil.bat ca

目录下生成: elastic-stack-ca.p12

3.2 用 CA 证书生成节点证书

bin\elasticsearch-certutil.bat cert --ca elastic-stack-ca.p12

会生成: elastic-certificates.p12

留神: 一路回车不要明码

3.3 将 CA 证书和节点证书 mv 到 config/certs 下

如题

3.4 签发 HTTP 证书

交互过程如下:

bin\elasticsearch-certutil.bat http
# 不须要 csr, 输出 n
Generate a CSR? [y/N]n
# 应用生成的 CA 整肃, 输出 y
Use an existing CA? [y/N]y
# 输出 CA 门路: 从 certs 开始
CA Path: certs/elastic-stack-ca.p12
# 没有 CA 明码, 间接回车
Password for elastic-stack-ca.p12:
# 设置 5 年, 默认, 输出:5y
For how long should your certificate be valid? [5y] 5y
# 是否须要每个节点都生成证书: 输出 n
Generate a certificate per node? [y/N]n
# 输出 node 名称: hostname, 输出后 y 确认
ZB-PF2P9LED
# 输出 ip: , 输出后 y 确认
192.168.0.102
# 方才这些配置还须要批改吗? 输出 n
Do you wish to change any of these options? [y/N]n
# 不必明码, 回车
Provide a password for the "http.p12" file:  [<ENTER> for none]
# 问要不要给 http 证书改名, 间接回车
What filename should be used for the output zip file? [D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip]
#最初:
Zip file written to D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip

3.5 证书放到 certs 目录下

unzip elasticsearch-ssl-http.zip elasticsearch-ssl-http/
mv elasticsearch/http.p12 kibana/elasticsearch-ca.pem config/certs/
# 其余的文件删掉即可 

正文完
 0