ElasticSearch7.14配置SSL,使用https访问

1、生成证书

备注：一定要在es用户中生成证书。

#1.生成elastic-stack-ca.p12文件

$./bin/elasticsearch-certutil ca

#2.生成elastic-certificates.p12文件，供elasticsearch使用

$./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

#3.生成newfile.crt.pem文件，供kibana和filebeat使用，复制到各自对应目录下

$openssl pkcs12 -in elastic-stack-ca.p12 -out newfile.crt.pem -clcerts -nokeys

#4.生成certificate-bundle.zip文件，包含ca/ca.crt，instance/instance.crt，instance/instance.key

$./bin/elasticsearch-certutil cert --pem elastic-stack-ca.p12

certificate-bundle.zip包含文件

Archive:  certificate-bundle.zip

   creating: ca/

  inflating: ca/ca.crt               

   creating: instance/

  inflating: instance/instance.crt   

  inflating: instance/instance.key

生成证书执行示例：

#1.生成elastic-stack-ca.p12文件

2、elasticsearch.yml配置文件

如只需http.ssl，那么只配http.ssl即可。

cluster.name: myes

node.name: node-1

network.host: 0.0.0.0

http.port: 9200

cluster.initial_master_nodes: ["node-1"]

xpack.security.enabled: true



xpack.security.http.ssl.enabled: true

xpack.security.http.ssl.keystore.path:/home/es/elasticsearch714/config/elastic-certificates.p12

xpack.security.http.ssl.truststore.path:/home/es/elasticsearch714/config/elastic-certificates.p12



xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: certificate

xpack.security.transport.ssl.keystore.path:/home/es/elasticsearch714/config/elastic-certificates.p12

xpack.security.transport.ssl.truststore.path:/home/es/elasticsearch714/config/elastic-certificates.p12

3、浏览器通过https访问

4、kibana配置通过https连接ES

3.1、复制newfile.crt.pem到kibana/config目录

#copy文件到kibana/config目录

$cp newfile.crt.pem /home/kibana/

#给该文件授权

$chown -R kibana:kibana newfile.crt.pem

3.2、kibana.yml配置文件，并重启kibana

server.port: 5601
server.host: "0.0.0.0"
server.name: "kibana"
elasticsearch.hosts: ["https://10.1.1.197:9200"]
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: ["/home/kibana/kibana-7.14.0/config/newfile.crt.pem"]
#elasticsearch.preserveHost: true
#kibana.index: ".kibana"
#i18n.locale: "en"
elasticsearch.username: "elastic"
elasticsearch.password: "lianshi2020"

3.3、浏览器访问kibana，能够正确连接ES

参考：

https://www.freesion.com/article/57101027353/

配置过程中，遇到以下问题：

问题1：

Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]

Caused by: java.io.IOException: keystore password was incorrect

Caused by: java.io.IOException: keystore password was incorrect

解决方法：

1、一定在es用户中生成证书

2、重新执行生成证书，并且生成elastic-certificates.p12文件的密码不要写。

$./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12   再生成中设置密码不要写。