[toc]
1. 不生成证书间接启动
1.1 残缺的控制台信息
间接启动后控制台会展现记录一段要害信息
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.
ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
+H2hnvwZ2DmAHY1Eim_M
ℹ️ HTTP CA certificate SHA-256 fingerprint:
d924ffb43dd09829e6f25156b2264dc5b8f5b1d119ac7e1bdde2dd0104776836
ℹ️ Configure Kibana to use this cluster:
• Run Kibana and click the configuration link in the terminal when Kibana starts.
• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):
eyJ2ZXIiOiI4LjUuMiIsImFkciI6WyIyLjAuMC4xOjU5MjAwIl0sImZnciI6ImQ5MjRmZmI0M2RkMDk4MjllNmYyNTE1NmIyMjY0ZGM1YjhmNWIxZDExOWFjN2UxYmRkZTJkZDAxMDQ3NzY4MzYiLCJrZXkiOiJMWFZJVjRVQlVQN1dJOFdZREM2LTpRaTd6WGVHWFFTdS1hZEU1RFJ4Z3Z3In0=
ℹ️ Configure other nodes to join this cluster:
• On this node:
⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
⁃ Uncomment the transport.host setting at the end of config/elasticsearch.yml.
⁃ Restart Elasticsearch.
• On other nodes:
⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1.2 整体阐明
- elastic账号的默认明码
- HTTP CA证书
- kibana拜访es的token
- 其余node退出以后node的cluster的token
1.3 忘性不好我忘了,怎么办
- 问题1. elastic账号默认明码我没看到,清了, 怎么办?
- 问题2. kibana拜访的token超过30分钟了,怎么办?
1.4 重置明码和token
1.4.1 重置明码
运行中另开一个窗口, 应用下列命令能够重置一个明码;
bin/elasticsearch-reset-password -u elastic1.4.2 重置明码-手动自定义明码
交互式输出明码
bin/elasticsearch-reset-password --username elastic -i1.5 kibana/其余node退出集群
1.5.1 kibana退出集群的token
(另开命令行执行)
bin/elasticsearch-create-enrollment-token -s kibana --url "https://localhost:9200"1.5.2 其余node退出集群token
(另开命令行执行)
bin/elasticsearch-create-enrollment-token -s node2. 学生成证书再启动
2.1 控制台信息
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.
ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
DIsWATYoHD8gg8R7Cgdt
❌ Unable to generate an enrollment token for Kibana instances, try invoking `bin/elasticsearch-create-enrollment-token -s kibana`.
❌ An enrollment token to enroll new nodes wasn't generated. To add nodes and enroll them into this cluster:
• On this node:
⁃ Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.
⁃ Restart Elasticsearch.
• On other nodes:
⁃ Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━2.2 整体阐明
只有一项: elasticsearch的明码
- elastic账号的默认明码
为什么?
- kibana拜访,用证书
- 其余node退出,用证书
3. 补充:生成证书全过程
3.1 签发CA证书
bin\elasticsearch-certutil.bat ca目录下生成: elastic-stack-ca.p12
3.2 用CA证书生成节点证书
bin\elasticsearch-certutil.bat cert --ca elastic-stack-ca.p12会生成: elastic-certificates.p12
留神: 一路回车不要明码
3.3 将CA证书和节点证书mv到config/certs下
如题
3.4 签发HTTP证书
交互过程如下:
bin\elasticsearch-certutil.bat http
# 不须要csr, 输出n
Generate a CSR? [y/N]n
# 应用生成的CA整肃, 输出y
Use an existing CA? [y/N]y
# 输出CA门路: 从certs开始
CA Path: certs/elastic-stack-ca.p12
# 没有CA明码,间接回车
Password for elastic-stack-ca.p12:
# 设置5年,默认,输出:5y
For how long should your certificate be valid? [5y] 5y
# 是否须要每个节点都生成证书:输出n
Generate a certificate per node? [y/N]n
# 输出node名称: hostname, 输出后y确认
ZB-PF2P9LED
# 输出ip: , 输出后y确认
192.168.0.102
# 方才这些配置还须要批改吗? 输出n
Do you wish to change any of these options? [y/N]n
# 不必明码, 回车
Provide a password for the "http.p12" file: [<ENTER> for none]
# 问要不要给http证书改名, 间接回车
What filename should be used for the output zip file? [D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip]
#最初:
Zip file written to D:\devs\elastic-safe\es8.5.2\elasticsearch-ssl-http.zip3.5 证书放到certs目录下
unzip elasticsearch-ssl-http.zip elasticsearch-ssl-http/
mv elasticsearch/http.p12 kibana/elasticsearch-ca.pem config/certs/
# 其余的文件删掉即可
发表回复