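This approach applies when no certificate-related configuration was done at installation time and the certificates are self-signed after installation.
I. Self-signed certificates
1. Enter the working directory
Enter the container. The bin directory contains the scripts that generate certificates; the files under that path are listed below (I am demonstrating with a Docker container deployment).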
```
[root@363474ada611 elasticsearch]# ll bin/
total 19604
-rwxr-xr-x. 1 elasticsearch root 1915 Mar 26 2020 elasticsearch
-rwxr-xr-x. 1 elasticsearch root 491 Mar 26 2020 elasticsearch-certgen
-rwxr-xr-x. 1 elasticsearch root 483 Mar 26 2020 elasticsearch-certutil # generates keys and certificates
-rwxr-xr-x. 1 elasticsearch root 982 Mar 26 2020 elasticsearch-cli
-rwxr-xr-x. 1 elasticsearch root 433 Mar 26 2020 elasticsearch-croneval
-rwxr-xr-x. 1 elasticsearch root 4316 Mar 26 2020 elasticsearch-env
-rwxr-xr-x. 1 elasticsearch root 1828 Mar 26 2020 elasticsearch-env-from-file
-rwxr-xr-x. 1 elasticsearch root 121 Mar 26 2020 elasticsearch-keystore
-rwxr-xr-x. 1 elasticsearch root 440 Mar 26 2020 elasticsearch-migrate
-rwxr-xr-x. 1 elasticsearch root 126 Mar 26 2020 elasticsearch-node
-rwxr-xr-x. 1 elasticsearch root 172 Mar 26 2020 elasticsearch-plugin
-rwxr-xr-x. 1 elasticsearch root 431 Mar 26 2020 elasticsearch-saml-metadata
-rwxr-xr-x. 1 elasticsearch root 438 Mar 26 2020 elasticsearch-setup-passwords # used to set passwords
-rwxr-xr-x. 1 elasticsearch root 118 Mar 26 2020 elasticsearch-shard
-rwxr-xr-x. 1 elasticsearch root 427 Mar 26 2020 elasticsearch-sql-cli
-rwxr-xr-x. 1 elasticsearch root 19986912 Mar 26 2020 elasticsearch-sql-cli-7.6.2.jar
-rwxr-xr-x. 1 elasticsearch root 426 Mar 26 2020 elasticsearch-syskeygen
-rwxr-xr-x. 1 elasticsearch root 426 Mar 26 2020 elasticsearch-users # user management
-rwxr-xr-x. 1 elasticsearch root 346 Mar 26 2020 x-pack-env
-rwxr-xr-x. 1 elasticsearch root 354 Mar 26 2020 x-pack-security-env
-rwxr-xr-x. 1 elasticsearch root 353 Mar 26 2020 x-pack-watcher-env
```
2. Generate the CA certificate
First run the elasticsearch-certutil executable to generate the CA certificate file.
```
[root@6bebc53a88ac bin]# elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

# If you do not want a custom file name, just press Enter; the default elastic-stack-ca.p12 is fine
Please enter the desired output file [elastic-stack-ca.p12]:
# Enter the password you want to set here, then press Enter
Enter password for elastic-stack-ca.p12 :
```
3. Generate the node certificate
Next, run the command: elasticsearch-certutil cert --ca elastic-stack-ca.p12
```
[root@1d8bdbc07715 bin]# elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

………… (a large amount of verbose output omitted here) …………

then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) : # enter the password set in the previous step
Please enter the desired output file [elastic-certificates.p12]: # custom certificate file name; the default is fine
Enter password for elastic-certificates.p12 : # set a password for the certificate file; the same password as in the previous step will do

Certificates written to /usr/share/elasticsearch/elastic-certificates.p12

This file should be properly secured as it contains the private key for
your instance.

This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
[root@1d8bdbc07715 bin]#
```
4. Check the generated certificates
The generated certificate is here: /usr/share/elasticsearch/elastic-certificates.p12
```
[root@1d8bdbc07715 elasticsearch]# ls
LICENSE.txt NOTICE.txt README.asciidoc bin config data elastic-certificates.p12 elastic-stack-ca.p12 jdk lib logs modules plugins
```
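A check for the step the certutil output above asks for (copy the .p12 file into the configuration directory, keep it secured, then configure SSL), as an added example that is not part of the original post. The function names are hypothetical, and the `xpack.security.*` setting names and the rule that relative keystore paths resolve against the config directory are assumed from Elasticsearch 7.x rather than taken from the page.

```shell
# Added example; xpack.* names assumed from Elasticsearch 7.x; flat "key: value" YAML only.
yml_get() {  # yml_get FILE KEY: print the value of KEY (last occurrence wins)
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { i = index($0, ":"); if (i == 0) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          sub(/[ \t]+#.*$/, "", val)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          gsub(/^"|"$/, "", val)
          if (key == k) found = val }
        END { print found }' "$1"
}

fail() { echo "FAIL: $*"; FAILS=$((FAILS + 1)); }
expect() {  # expect FILE KEY WANTED
    got=$(yml_get "$1" "$2")
    [ "$got" = "$3" ] || fail "$2 should be '$3', found '${got:-unset}'"
}

check_store() {  # check_store CONFIG_DIR keystore|truststore
    p=$(yml_get "$1/elasticsearch.yml" "xpack.security.transport.ssl.$2.path")
    [ -n "$p" ] || { fail "$2.path is not set"; return 0; }
    case "$p" in /*) f=$p ;; *) f=$1/$p ;; esac  # relative: under config dir
    [ -f "$f" ] || { fail "$f does not exist"; return 0; }
    other=$(ls -ld "$f" | cut -c8-10)            # permission bits for "other"
    [ "$other" = "---" ] || fail "$f is accessible to other users ($other)"
}

audit_tls() {  # audit_tls CONFIG_DIR: print findings, return their count
    FAILS=0
    expect "$1/elasticsearch.yml" xpack.security.enabled true
    expect "$1/elasticsearch.yml" xpack.security.transport.ssl.enabled true
    check_store "$1" keystore
    check_store "$1" truststore
    return "$FAILS"
}

# Constructed demo: an unconfigured config dir, then the corrected one.
demo=$(mktemp -d); : > "$demo/elasticsearch.yml"
audit_tls "$demo" || echo "$? finding(s) before configuration"
cat > "$demo/elasticsearch.yml" <<'EOF'
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
EOF
: > "$demo/elastic-certificates.p12"; chmod 640 "$demo/elastic-certificates.p12"
audit_tls "$demo" && echo "transport TLS settings look consistent"
rm -rf "$demo"
```

Inside the container it would be pointed at the real configuration directory, for example `audit_tls /usr/share/elasticsearch/config`; the empty .p12 file in the demo is only a stand-in for the generated one.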
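II. Password configuration
Set the passwords (from the bin directory). Only the passwords of the built-in system users can be configured here; other users and their passwords have to be added in Kibana.
1. To view the command's help text, run the following command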
```
[root@9a6eebe7a6d7 bin]# elasticsearch-setup-passwords -h # show the command's help text
```
2. Set the passwords
```
[root@368f57c255c9 bin]# elasticsearch-setup-passwords interactive # interactive: choose the passwords yourself; auto: random passwords
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y

# You can give all users the same password; below you enter the password for each user in turn
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
[root@368f57c255c9 bin]#
```
From: https://www.cnblogs.com/Alay/p/17477191.html