How to enable secured communication in kibana in Linux

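I first posted this article on the Elastic Forum. I was looking for a way to enable encrypted communication between Kibana and Elasticsearch and posted asking for help; some people gave me wrong answers, and some parts of the Elasticsearch online documentation are not explained clearly. With hints from experts on the forum, I tried several approaches myself before getting it to work.

I am using Elasticsearch and Kibana 6.5 on CentOS 7.

The content below is entirely in English and I don't want to translate it into Chinese; I believe everyone can understand it.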

(1) generate server certificate for kibana

Use elasticsearch-certutil from the Elasticsearch installation directory, since the Kibana installation directory has no such utility.

For details, see: https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html

You also need to create a yml file that sets the subject alternative name, which is indispensable for TLS/SSL certificate validation by the Chrome browser.

In my case, it is kibanacert.yml and its contents are:

instances:
 - name: "kibana-server"
   dns:
     - "kibana.node.cn"

Here “kibana.node.cn” is the subject alternative name.

Also, you need to specify --pem so that the output is separate key and certificate files rather than a single .p12 file; the cert and key files derived from a .p12 file can’t be parsed by Kibana (it is probably a bug in Kibana). In my case, it is:

$ elasticsearch-certutil cert --silent --pem --in kibanacert.yml --out kibana-server.zip

It will prompt you for a password; enter your password and it will succeed.

Now you have the kibana-server.zip file. Move it to the Kibana installation directory.

$ unzip kibana-server.zip

It creates two new directories: one named ca, which stores ca.crt (the “Elastic Certificate Tool Autogenerated CA”), and one named kibana-server, which stores kibana-server.crt, the certificate of the Kibana server, and kibana-server.key, the private key of the Kibana server.

(2) Set kibana host address in kibana.yml

In config/kibana.yml, specify the address to which the Kibana server will bind.

server.host: kibana.node.cn

Note that it must be set to the same value as the subject alternative name of the certificate generated above.

As root, add the host name to /etc/hosts, i.e. add one line with the IP address of the server followed by a space and the host name; otherwise the browser can’t resolve the host name.

10.xx.xx.xx kibana.node.cn

(3) Set server certificate and private key in kibana.yml

In config/kibana.yml, enable SSL and set the paths to the PEM-format SSL certificate and SSL key files, respectively.

server.ssl.enabled: true

server.ssl.certificate: /path to the certificate/kibana-server.crt

server.ssl.key: /path to the key/kibana-server.key

(4) Configure Kibana to connect to Elasticsearch via HTTPS:

Just follow the steps in

https://www.elastic.co/guide/en/kibana/current/configuring-tls.html#configuring-tls

The CA certificate set in

elasticsearch.ssl.certificateAuthorities:

must be the same as the one you created for Elasticsearch.

(5) run bin/kibana

It should run successfully.

(6) import certificate files in chrome browser

Merge the certificate and key into one .p12 file:

openssl pkcs12 -export -out kibana-server.p12 -inkey kibana-server.key -in kibana-server.crt

The kibana-server.p12 file is created. It contains the server's private key, so keep it as protected as the .key file.

In Chrome Settings → Advanced → Manage certificates, under “Your certificates”, import kibana-server.p12. Under “Authorities”, import ca.crt and select “Trust this certificate for identifying websites”.

(7) run chrome browser

https://kibana.node.cn:6501

It will display a log-in window if your Elasticsearch is protected with basic authentication; otherwise it will connect to Elasticsearch automatically. Now it is done.
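
Before starting Kibana in step (5), the files produced in steps (1) to (3) can be checked with openssl: the key must belong to the certificate, the certificate must chain to ca.crt, and the server.host name must appear as a subject alternative name. The script below is an added example, not part of the original post; the function names check_kibana_cert and make_demo_certs are made up for illustration, and the demo CA and certificate are constructed throwaway test material.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.

# check_kibana_cert CERT KEY CA HOST: returns 0 only if KEY belongs to CERT,
# CERT chains to CA, and HOST is one of CERT's subject alternative names.
check_kibana_cert() {
    cert=$1; key=$2; ca=$3; host=$4
    # The public key derived from the private key must equal the one in the cert.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key of $cert"; return 1
    fi
    # Chain and host-name validation, as a TLS client would do it. The output
    # is matched as well because old openssl releases exit 0 even on failure.
    out=$(openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" 2>&1)
    case $out in
        *": OK"*) echo "OK: $cert chains to $ca and is valid for $host" ;;
        *) echo "FAIL: $out"; return 1 ;;
    esac
}

# make_demo_certs DIR: constructed throwaway test material (a demo CA and a
# leaf whose only SAN is kibana.node.cn), so the check can be tried offline.
make_demo_certs() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' 'prompt=no' \
        '[dn]' 'CN=Constructed Demo CA' '[v3]' 'basicConstraints=critical,CA:TRUE' > "$d/demo.cnf"
    printf 'subjectAltName=DNS:kibana.node.cn\n' > "$d/san.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=kibana-server" -keyout "$d/kibana-server.key" \
        -out "$d/kibana-server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/kibana-server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" \
        -out "$d/kibana-server.crt" 2>/dev/null
}

# With four arguments, check real files; with none, run the constructed demo.
if [ "$#" -eq 4 ]; then
    check_kibana_cert "$@"
elif [ "$#" -eq 0 ]; then
    demo=$(mktemp -d) && make_demo_certs "$demo" &&
        check_kibana_cert "$demo/kibana-server.crt" "$demo/kibana-server.key" \
            "$demo/ca.crt" kibana.node.cn
    rm -rf "$demo"
fi
```

Run from the Kibana installation directory after the unzip in step (1), the four arguments would be kibana-server/kibana-server.crt, kibana-server/kibana-server.key, ca/ca.crt and kibana.node.cn.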
