Introduction
Because the CA certificate that ships with Elasticsearch by default expires, this post follows the second method from the official documentation directly: generate a new CA certificate and use it to renew the certificates. My setup is a three-node ES cluster.
The official procedure actually generates two transport certificates, one HTTP certificate, and one CA public/private key pair; in practice only one of the transport certificates is used.
1. Transport-layer certificates
# Generate the transport certificate. Use the password of the original transport certificate, or set a custom one (see the end for custom passwords). elastic-stack-ca.p12: I did not actually use this certificate. **Generate on one node, then distribute to the other nodes**
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
# Generate the new CA certificate; it is valid for 3 years. A custom one can also be generated. **Generate on one node, then distribute ca.crt to the other nodes**
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem
# Custom CA generation, for anyone who wants to try it
# Generate the CA private key
openssl genrsa -out ca.key 2048
# Generate a self-signed CA certificate with a validity of 36500 days
openssl req -x509 -new -nodes -key ca.key -sha256 -days 36500 -out ca.crt
# Import the new CA certificate into the existing CA store so that it is trusted; elastic-stack-ca.p12, which I did not actually use. **Every node**
/usr/share/elasticsearch/jdk/bin/keytool -importcert -trustcacerts -noprompt -keystore /etc/elasticsearch/certs/elastic-stack-ca.p12 -storepass <password> -alias new-ca -file /etc/elasticsearch/certs/ca.crt
# Check that the new CA certificate has been added to your truststore elastic-stack-ca.p12 (which I did not actually use). **Every node**
/usr/share/elasticsearch/jdk/bin/keytool -keystore /etc/elasticsearch/certs/elastic-stack-ca.p12 -list
# Use the new CA certificate and key to create new certificates for your nodes; elastic-certificates.p12, using the transport certificate password. **Distribute to every node**
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /etc/elasticsearch/certs/ca.crt --ca-key /etc/elasticsearch/certs/ca.key
# Update the configuration file to point at the newly generated transport certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
# View the keystore (the certificates the node has loaded)
#curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic:fdsfjkhskdjh3443jhkj -XGET "https://192.172.81.179:9200/_ssl/certificates?pretty"
curl --cacert /etc/elasticsearch/certs/ca.crt -u elastic:fdsfjkhskdjh3443jhkj -XGET "https://192.172.81.179:9200/_ssl/certificates?pretty"
# [Optional] Delete the old CA certificate
/usr/share/elasticsearch/jdk/bin/keytool -delete -noprompt -alias ca -keystore config/elastic-stack-ca.p12 -storepass <password>
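As an added example (not part of the original post), a small Python script that reads the JSON returned by the /_ssl/certificates call above and lists which loaded certificates expire within a given number of days, so you can confirm before and after the rotation which CA and node certificate each node actually has loaded. The sample response and the "now" timestamp are constructed; to run it on real output, save the curl response to a file and pass its path.

```python
"""Added example (not from the original post): parse the JSON returned by
GET /_ssl/certificates and report which loaded certificates expire soon."""
import json
import sys
from datetime import datetime, timezone

# Constructed sample response in the shape of the _ssl/certificates API:
# an old CA close to expiry and a freshly generated node certificate.
SAMPLE_RESPONSE = json.dumps([
    {"path": "certs/elastic-certificates.p12", "format": "PKCS12",
     "alias": "ca", "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
     "serial_number": "01", "has_private_key": False,
     "expiry": "2024-01-11T00:00:00.000Z"},
    {"path": "certs/elastic-certificates.p12", "format": "PKCS12",
     "alias": "instance", "subject_dn": "CN=instance",
     "serial_number": "02", "has_private_key": True,
     "expiry": "2027-01-01T00:00:00.000Z"},
])
# Constructed reference time used with the sample above.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def days_until_expiry(expiry: str, now: datetime) -> int:
    """Whole days from `now` to the API's ISO-8601 expiry timestamp (UTC)."""
    exp = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%S.%fZ")
    return (exp.replace(tzinfo=timezone.utc) - now).days


def expiring_certificates(response_text: str, warn_days: int, now: datetime) -> list:
    """Return (path, alias, days_left) for every certificate expiring within warn_days,
    soonest first. Negative days_left means the certificate has already expired."""
    result = []
    for cert in json.loads(response_text):
        days = days_until_expiry(cert["expiry"], now)
        if days <= warn_days:
            result.append((cert["path"], cert["alias"], days))
    return sorted(result, key=lambda r: r[2])


def has_alias(response_text: str, alias: str, private_key: bool) -> bool:
    """True if a certificate with this alias (and matching private-key status) is loaded,
    e.g. to confirm the new node certificate with its key is in use after the rotation."""
    return any(c["alias"] == alias and c["has_private_key"] == private_key
               for c in json.loads(response_text))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for path, alias, days in expiring_certificates(text, 90, datetime.now(timezone.utc)):
        print(f"{path} alias={alias} expires in {days} days")
```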
2. HTTP certificate
# Run the Elasticsearch HTTP certificate tool. Use the password of the original HTTP certificate, or set a custom one. **Run on one node (as in the official docs); it produces a zip archive; distribute the HTTP certificate to every node**
/usr/share/elasticsearch/bin/elasticsearch-certutil http
Generate a certificate per node: choose Yes to generate one certificate for each node, or No to generate a single certificate and copy it to the other nodes yourself.
Hostnames and IP addresses go one per line; <generate additional certificates> asks whether to continue with the certificate for the next node. Do not enter the wrong value.
192.172.81.179
192.172.81.180
192.172.81.181
# Distribute the HTTP certificate to every node, update the corresponding configuration file, and change the passwords to match the master node (3 passwords). Not knowing the third password tormented me for a while here.
# Get the HTTP password
/usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.http.ssl.keystore.secure_password
# Get the transport passwords
/usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password
# Change the passwords
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
# Update the configuration file to point at the newly generated HTTP certificate
# Finally, set the certificate's group ownership and read/write permissions to match the original certificate
3. Some commands
# Check ES status
curl --cacert /etc/elasticsearch/certs/ca.crt -XGET -u elastic:fdsfjkhskdjh3443jhkj 'https://192.172.81.179:9200'
# Check node status
curl --cacert /etc/elasticsearch/certs/ca.crt -u elastic:fdsfjkhskdjh3443jhkj -XGET "https://192.172.81.179:9200/_cat/nodes?pretty"
# Query an index
curl --cacert /etc/elasticsearch/certs/ca.crt -u elastic:fdsfjkhskdjh3443jhkj -XGET 'https://192.172.81.179:9200/enterprise_name_bigdata/_search?pretty'