Configuring HTTPS access for ES (certificates generated with elasticsearch-certutil)

Environment:
OS: CentOS 7
ES: 6.8.5
A cluster of 3 nodes

1. Generate the full set of SSL certificates for a single ES node (the CA certificate, ES certificate and private key are created automatically)
su - elasticsearch
cd /usr/local/services/elasticsearch/config
mkdir certs
cd certs
/usr/local/services/elasticsearch/bin/elasticsearch-certutil cert -out elastic-certificates.p12 -pass ""
(-pass "" leaves the PKCS#12 bundle without a password, so keep it readable only by the elasticsearch user.)

2. Extract the certificates
#2.1. Extract the CA certificate from the p12 file (ca.crt, used to validate the server certificate)
cd /usr/local/services/elasticsearch/config/certs
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out ca.crt -passin pass:""

#2.2. Extract the ES server certificate from the p12 file (es.crt, the public-key certificate)
cd /usr/local/services/elasticsearch/config/certs
openssl pkcs12 -in elastic-certificates.p12 -clcerts -nokeys -out es.crt -passin pass:""

#2.3. Extract the ES private key from the p12 file (es.key, the private key; -nodes writes it unencrypted)
openssl pkcs12 -in elastic-certificates.p12 -nocerts -out es.key -passin pass:"" -nodes
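Before the three PEM files are copied to the other nodes, it is worth checking that they actually belong together and that the unencrypted key is not readable by other users. The script below is an added example and not part of the original post; it assumes openssl is on PATH and takes the certs directory as its only argument (the function names verify_es_certs, key_is_private and cert_has_san are my own).

```shell
#!/bin/sh
# Added example (not from the original post): consistency checks on ca.crt,
# es.crt and es.key as extracted in step 2. Assumes openssl is on PATH.
set -eu

# verify_es_certs DIR: succeed only if DIR/es.crt chains to DIR/ca.crt and
# DIR/es.key is the private key that belongs to es.crt.
verify_es_certs() {
  dir="$1"
  # The CA extracted with -cacerts must have signed the server certificate.
  openssl verify -CAfile "$dir/ca.crt" "$dir/es.crt" >/dev/null 2>&1 || return 1
  # Compare the public key inside the certificate with the one derived from
  # the private key; a key from another bundle would not match.
  cert_pub=$(openssl x509 -in "$dir/es.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/es.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# key_is_private FILE: succeed only if FILE is not readable by group or others.
# es.key was written with -nodes, so file permissions are its only protection.
key_is_private() {
  [ -z "$(find "$1" \( -perm -004 -o -perm -040 \) -print)" ]
}

# cert_has_san FILE: succeed if the certificate carries a subjectAltName.
# `elasticsearch-certutil cert` run as in step 1 (no --dns/--ip) issues a
# certificate without one, so clients cannot verify the host name later.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "Subject Alternative Name"
}

# When a directory is given on the command line, run every check and report.
if [ -n "${1:-}" ]; then
  verify_es_certs "$1" || { echo "FAIL: ca.crt, es.crt and es.key in $1 do not belong together" >&2; exit 1; }
  key_is_private "$1/es.key" || { echo "FAIL: $1/es.key is readable by group/others (chmod 600 it)" >&2; exit 1; }
  cert_has_san "$1/es.crt" || echo "WARN: es.crt has no subjectAltName; clients cannot verify the host name"
  echo "OK: certificate files in $1 are consistent"
fi
```

Run it as `sh check_certs.sh /usr/local/services/elasticsearch/config/certs` on the node where the bundle was generated; the same checks can be repeated on each node after the scp in step 3.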

3. Copy the files to the other machines
$ scp /usr/local/services/elasticsearch/config/certs/* elasticsearch@192.168.1.134:/usr/local/services/elasticsearch/config/certs/
$ scp /usr/local/services/elasticsearch/config/certs/* elasticsearch@192.168.1.135:/usr/local/services/elasticsearch/config/certs/

4. Modify the configuration file (elasticsearch.yml, on every node)
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/es.key
xpack.security.transport.ssl.certificate: certs/es.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/es.key
xpack.security.http.ssl.certificate: certs/es.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
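A configuration that is only half applied (HTTPS left off, verification_mode set to none while debugging, a missing CA path on one node) is easy to miss across three nodes. The lint below is an added example, not part of the original post: it reads the flat "key: value" layout used above and reports the settings that are absent or weakened. The function names check_es_tls_config and setting_value are my own, and nested YAML is not handled.

```shell
#!/bin/sh
# Added example (not from the original post): lint the TLS settings of an
# elasticsearch.yml written in the flat "key: value" form used in step 4.
set -eu

# Settings that must be present and set to true.
MUST_BE_TRUE="xpack.security.enabled
xpack.security.transport.ssl.enabled
xpack.security.http.ssl.enabled"

# Settings that must be present with a non-empty path.
MUST_HAVE_PATH="xpack.security.transport.ssl.key
xpack.security.transport.ssl.certificate
xpack.security.transport.ssl.certificate_authorities
xpack.security.http.ssl.key
xpack.security.http.ssl.certificate
xpack.security.http.ssl.certificate_authorities"

# setting_value FILE KEY: print the value of KEY (first match), empty if absent.
setting_value() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*$esc:[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_es_tls_config FILE: print one line per problem; succeed only if none.
check_es_tls_config() {
  file="$1"; problems=0
  for key in $MUST_BE_TRUE; do
    if [ "$(setting_value "$file" "$key")" != "true" ]; then
      echo "PROBLEM: $key must be true (found: '$(setting_value "$file" "$key")')"
      problems=$((problems + 1))
    fi
  done
  for key in $MUST_HAVE_PATH; do
    if [ -z "$(setting_value "$file" "$key")" ]; then
      echo "PROBLEM: $key is not set"
      problems=$((problems + 1))
    fi
  done
  # verification_mode none accepts any certificate from a peer node, which
  # defeats the CA; 'certificate' (as in the post) validates the chain and
  # 'full' additionally checks the host name (needs a certificate with SANs).
  mode=$(setting_value "$file" "xpack.security.transport.ssl.verification_mode")
  case "$mode" in
    certificate|full) ;;
    none) echo "PROBLEM: transport verification_mode none disables peer certificate validation"
          problems=$((problems + 1)) ;;
    *) echo "NOTE: transport verification_mode not set; ES 6.x defaults to full" ;;
  esac
  [ "$problems" -eq 0 ]
}

# Demo on a constructed weak configuration (not the post's): HTTPS left off and
# peer verification disabled.
demo=$(mktemp)
cat >"$demo" <<'EOF'
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.key: certs/es.key
xpack.security.transport.ssl.certificate: certs/es.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
xpack.security.http.ssl.enabled: false
EOF
check_es_tls_config "$demo" || echo "weak config rejected (expected)"
rm -f "$demo"
```

Against the configuration shown above the function prints nothing and exits 0; running it on each node's elasticsearch.yml before the restart in step 5 catches a node that was left out.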

5. Restart every node

6. Access
[elasticsearch@localhost config]$ curl -u elastic:elastic -X GET "https://192.168.1.135:19200/_cat/health?v"
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

[elasticsearch@localhost config]$ curl -u elastic:elastic -X GET "https://192.168.1.135:19200/_cat/health?v" -k
epoch timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1768358669 02:44:29 escluster_hxl green 3 3 38 19 0 0 0 0 - 100.0%

The -k option has to be added here: curl rejects the server certificate because it was issued by the CA that elasticsearch-certutil created in step 1, which is not in the system CA bundle. Note that -k switches certificate verification off entirely. Pointing curl at the extracted CA with --cacert ca.crt would let it check the chain, but the certificate from step 1 carries no subjectAltName, so host name verification against 192.168.1.135 still fails; a certificate generated with the certutil --dns/--ip options is needed for a fully verified connection.

posted @ 2026-01-14 10:47  slnngk