Elasticsearch（一）：单节点安装并开启ssl

大家好，我是欧阳方超，可以扫描下方二维码关注我的公众号“欧阳方超”，后续内容将在公众号首发。

1、概述

在现代应用程序中，数据安全性至关重要。为了保护 Elasticsearch 中的数据传输，我们可以通过启用 SSL/TLS 加密来确保数据的安全性。本文将指导您如何在单节点 Elasticsearch 环境中开启 SSL，并配置证书。

2、安装

2.1、前期准备

在开始安装之前，请确保您的CentOS 7系统已更新，并安装了Java Runtime Environment (JRE)。从 Elasticsearch 7.0 开始,要求使用 Java 11 或更高版本。如果系统安装的是Java 8，那么Elasticsearch会给出下面一个警告，并选择使用自带的 JDK。

[esuser@localhost bin]$ ./elasticsearch
warning: ignoring JAVA_HOME=/root/jdk1.8.0_202; using bundled JDK

2.2、下载和解压Elasticsearch

将elasticsearch安装包移动到合适的目录，并进行解压：

[root@localhost software]# pwd
/software
[root@localhost software]# tar -zxvf elasticsearch-8.7.0-linux-x86_64.tar.gz

2.3、创建用户和配置权限

出于安全考虑，不建议以root用户运行Elasticsearch。您需要创建一个新的用户并设置相应的权限。
创建用户：esuser

[root@localhost bin]# useradd esuser
[root@localhost bin]#

设置密码：

[root@localhost bin]# passwd esuser
Changing password for user esuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost bin]#

将es相关目录赋权给刚刚创建的esuser用户。

2.4、生成证书

2.4.1、创建CA（证书颁发机构）

ES中可以使用 elasticsearch-certutil命令生成证书，它的作用是负责生成CA并与CA签署证书。elasticsearch-certutil 可以创建一个证书颁发机构（CA）。CA 是一个可信任的实体，负责签署和验证证书。
下面是创建CA的命令及执行过程：

[esuser@localhost elasticsearch-8.7.0]$ ./bin/elasticsearch-certutil ca
warning: ignoring JAVA_HOME=/root/jdk1.8.0_202; using bundled JDK
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :

该命令输出单一个PKCS#12文件，默认名称为elastic-stack-ca.p12，其中包含CA的公共证书和用于对证书签名的私钥。上面生成过程中文件名采用的默认的文件名——直接回车，密码也设置为空密码——直接回车。

2.4.2、与CA签署证书（生成节点证书）

接下来，使用生成的 CA 来为节点颁发证书：

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

下面是关键执行过程：

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :

Certificates written to /software/elasticsearch-8.7.0/elastic-certificates.p12

This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

在此过程中，首先需要输入 CA 的密码（生成CA时设置的密码为空，所以这里也直接回车），其次指定节点证书的名称（这里以默认文件名进行生成，所以也直接回车），最后为节点证书设置一个新密码（这里也设置为空，所以也直接回车）。过程结束后生成了一个名称为elastic-certificates.p12的节点证书。

2.5、 为Elasticsearch配置 证书

要在单节点的 Elasticsearch 环境中配置证书以启用 TLS 安全性，需要编辑 elasticsearch.yml 配置文件并指定证书信息，启用安全性和 SSL/TLS 设置。确保以下配置项存在并正确设置：

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

上面的配置是以生成的elastic-certificates.p12文件被移动到elasticsearch的config目录下为前提的。出于合理性考虑，把生成的CA证书elastic-stack-ca.p12也最好移动到elasticsearch的config目录下。

2.6、启动 Elasticsearch

完成配置后，启动 Elasticsearch：

./bin/elasticsearch

这种方式是前台启动，如果没有看到报错信息的话就算启动成功了。
后台启动方式：

./bin/elasticsearch -d

这种方式日志往命令行打印完后，会退出命令行。

2.7、测试连接

2.7.1、连接被拒

此时通过浏览器连接https://ip:9200，发现拒绝了连接：

这是因为没有在elasticsearch.yml配置文件中设置允许远程连接，将network.host改为如下值：

network.host: 0.0.0.0

2.7.2、设置初始主结点

再次以前台方式启动elasticsearch，比较遗憾的是报错了：

[2024-08-29T23:26:35,837][ERROR][o.e.b.Elasticsearch      ] [localhost.localdomain] node validation exception
[1] bootstrap checks failed. You must address the points described in the following [1] lines before starting Elasticsearch.
bootstrap check failure [1] of [1]: the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes] must be configured
ERROR: Elasticsearch did not exit normally - check the logs at /software/elasticsearch-8.7.0/logs/elasticsearch.log

discovery.seed_hosts、discovery.seed_providers 和 cluster.initial_master_nodes 这三个配置项在 Elasticsearch中用于集群发现和初始化，由于我们这里是单节点方式安装的，所以只配置 cluster.initial_master_nodes即可，比如可以把该项配置为如下形式：

cluster.initial_master_nodes: ["node-1"]

2.7.3、开启ssl

再次以前台方式启动elasticsearch，使用浏览器访问时又报错：

原因是未启用客户端与elasticsearch服务端通信的ssl，在配置文件中添加如下配置：

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

再次启动elasticsearch，浏览器再次访问与elasticsearch通信的接口，熟悉的画面终于出现了：

接着从“高级”可以进入登录页面：

2.7.4、设置密码

elasticsearch内置了一些用户，其中一个是elastic，但是密码是不知道，好在可以使用 elasticsearch-setup-passwords 工具以交互方式设置或修改内置用户的密码。命令如下：

[esuser@localhost elasticsearch-8.7.0]$ ./bin/elasticsearch-setup-passwords interactive

很遗憾也报错了：

warning: ignoring JAVA_HOME=/root/jdk1.8.0_202; using bundled JDK
01:30:33.206 [main] WARN  org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [192.168.25.136]; the server provided a certificate with subject name [CN=instance], fingerprint [b8c0b762603c223ae3bcf8481bb5715954162805], no keyUsage and no extendedKeyUsage; the certificate is valid between [2024-08-30T02:58:59Z] and [2027-08-30T02:58:59Z] (current time is [2024-08-30T05:30:33.199963023Z], certificate dates are valid); the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate does not have any subject alternative names; the certificate is issued by [CN=Elastic Certificate Tool Autogenerated CA]; the certificate is signed by (subject [CN=Elastic Certificate Tool Autogenerated CA] fingerprint [c3651acf6862859180807b3ce01037193102a5a0] {trusted issuer}) which is self-issued; the [CN=Elastic Certificate Tool Autogenerated CA] certificate is trusted in this ssl context ([xpack.security.http.ssl (with trust configuration: StoreTrustConfig{path=elastic-certificates.p12, password=<empty>, type=PKCS12, algorithm=PKIX})])
java.security.cert.CertificateException: No subject alternative names present

这是因为，证书缺少 Subject Alternative Names (SAN)，这个问题以后再详细解释。要解决这个问题，需要使用之前生成的CA重新签发证书，并额外加上一些参数，具体命令如下：

./bin/elasticsearch-certutil cert --ca ./config/elastic-stack-ca.p12 --name instance --ip 192.168.25.136 --dns localhost

将新生成的结点证书（以上的命令会生成一个名为instance.p12的证书）移动到elasticsearch的confi中，并在elasticsearch.yml中重新配置证书的路径，重启elasticsearch，此时可以为elasticsearch用户设置密码了：

[root@localhost elasticsearch-8.7.0]# ./bin/elasticsearch-setup-passwords interactive
warning: ignoring JAVA_HOME=/root/jdk1.8.0_202; using bundled JDK
******************************************************************************
Note: The 'elasticsearch-setup-passwords' tool has been deprecated. This       command will be removed in a future release.
******************************************************************************

Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

可以看到此命令要求我们为包括elastic在内的所有用户设置密码，方便起见，这里密码全设置为123456。

2.7.5、最终连通

此时在登录页输入elastic/123456，终于通过接口见到了elasticsearch的信息：

至此，连接终于通了。
最后完整展示一下elasticsearch.yml中的配置信息：

# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 0.0.0.0
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9200


xpack.security.enabled: true


xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: instance.p12
xpack.security.http.ssl.truststore.path: instance.p12


xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: instance.p12
xpack.security.transport.ssl.truststore.path: instance.p12

4、总结

通过以上步骤，已经成功在单节点的 Elasticsearch 环境中启用了 SSL 并配置了证书。这将确保数据在传输过程中的安全性，保护应用程序免受潜在的安全威胁。
我是欧阳方超，把事情做好了自然就有兴趣了，如果你喜欢我的文章，欢迎点赞、转发、评论加关注。我们下次见。