How to enable TLS in Elasticsearch non-interactively?
According to the referenced instructions, to generate certificates for TLS on Elasticsearch 7.1, run:
elasticsearch-certutil ca
elasticsearch-certutil cert --ca elastic-stack-ca.p12
Related:
Enabling TLS via the REST API requires certificates
However, the commands above require human interaction (pressing Enter).
How can the above certificates be generated non-interactively?
Here are the commands that worked for me:
cd /usr/share/elasticsearch
sudo mkdir -v certs
sudo ./bin/elasticsearch-certutil ca --out certs/elastic-stack-ca.p12 --pass ""
sudo ./bin/elasticsearch-certutil cert --ca certs/elastic-stack-ca.p12 --ca-pass "" --out certs/elastic-certificates.p12 --pass ""
And the Ansible playbook:
---
- name: Create a certificate directory
  file:
    owner: root
    group: '{{ elasticsearch_user_group }}'
    mode: u=rwx,g+rx,o-rwx
    path: '{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}'
    state: directory
  when: elasticsearch_tls_cert_dir is defined
- name: Check the certificate authority
  stat:
    path: "{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}/elastic-stack-ca.p12"
  register: elastic_stack_ca_file
- name: Generate the certificate authority
  args:
    chdir: '{{ elasticsearch_path_etc }}'
  become: yes
  # --pass protects the CA keystore, so it takes the CA password variable
  command: "'{{ elasticsearch_path_home }}'/bin/elasticsearch-certutil ca --out '{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}'/elastic-stack-ca.p12 --pass '{{ elasticsearch_tls_cert_ca_pass }}'"
  when: not elastic_stack_ca_file.stat.exists
- name: Check the certificate and private key for a node
  stat:
    path: "{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}/elastic-certificates.p12"
  register: elastic_certificates_file
- name: Generate a certificate and private key for a node
  args:
    chdir: '{{ elasticsearch_path_etc }}'
  become: yes
  # --ca-pass unlocks the CA keystore; --pass protects the node keystore
  command: "'{{ elasticsearch_path_home }}'/bin/elasticsearch-certutil cert --ca '{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}'/elastic-stack-ca.p12 --ca-pass '{{ elasticsearch_tls_cert_ca_pass }}' --out '{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}'/elastic-certificates.p12 --pass '{{ elasticsearch_tls_cert_pass }}'"
  when: elastic_stack_ca_file.stat.exists and not elastic_certificates_file.stat.exists
where the default variables can be defined as:
elasticsearch_http_port: 9200
elasticsearch_path_home: "/usr/share/elasticsearch"
elasticsearch_path_etc: "/etc/elasticsearch"
elasticsearch_tls_cert_ca_pass: ""
elasticsearch_tls_cert_pass: ""
elasticsearch_tls_cert_dir: "certs"
elasticsearch_user: "elasticsearch"
elasticsearch_user_group: "elasticsearch"
Further details:
mkdir /certificates
# This is the name of the kubernetes service for elastic search
master=elasticsearch-rest-service
echo "===> Create CA"
elasticsearch-certutil ca \
--out /certificates/elastic-stack-ca.p12 \
--pass ''
echo "===> Create certificate"
elasticsearch-certutil cert \
--name ${master} \
--dns ${master} \
--ca /certificates/elastic-stack-ca.p12 \
--pass '' \
--ca-pass '' \
--out /certificates/elastic-certificates.p12
Note that if you need to integrate with Filebeat and Kibana, you will have to convert the key into other formats.
See the post for more details.
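As an added example (not code from the original post), the same two certutil invocations wrapped in an idempotent POSIX shell script that mirrors the playbook's stat/when guards, adds the --name/--dns SAN from the Kubernetes script, and locks down the resulting keystores. ES_HOME, ES_CERT_DIR, ES_CA_PASS, ES_CERT_PASS, ES_NODE_NAME and ES_GROUP are this script's own assumed variables, and ca_file, node_file, lock_down, gen_ca, gen_node_cert and check_perms are hypothetical helpers.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent, non-interactive
# wrapper around elasticsearch-certutil mirroring the Ansible tasks above.
# Assumed variables (this script's own names): ES_HOME (install dir with
# bin/elasticsearch-certutil), ES_CERT_DIR (output dir), ES_CA_PASS and
# ES_CERT_PASS (keystore passwords, "" = key stored unencrypted), ES_NODE_NAME
# (DNS name clients use, placed in the SAN), ES_GROUP (service group, optional).
: "${ES_HOME:=/usr/share/elasticsearch}"; : "${ES_CERT_DIR:=/etc/elasticsearch/certs}"
: "${ES_CA_PASS:=}"; : "${ES_CERT_PASS:=}"; : "${ES_GROUP:=}"
: "${ES_NODE_NAME:=$(hostname 2>/dev/null || echo localhost)}"
ca_file()   { printf '%s/elastic-stack-ca.p12\n' "$ES_CERT_DIR"; }
node_file() { printf '%s/elastic-certificates.p12\n' "$ES_CERT_DIR"; }

# Keystores end up 640 (directory 750): the service account reads them via
# its group, nobody else can, which matters most when the .p12 password is "".
lock_down() { chmod 640 "$1" && { [ -z "$ES_GROUP" ] || chgrp "$ES_GROUP" "$1"; }; }

# Create the CA once. Re-running must never replace the trust root, or every
# node certificate already issued from it stops validating.
gen_ca() {
    [ -f "$(ca_file)" ] && return 0
    (umask 027 && mkdir -p "$ES_CERT_DIR" &&
     "$ES_HOME/bin/elasticsearch-certutil" ca --out "$(ca_file)" --pass "$ES_CA_PASS") \
    && lock_down "$(ca_file)"
}

# Issue the node keystore only when the CA exists and the keystore does not.
# --ca-pass is the CA password, --pass the node keystore's own password; the
# two are easy to swap while both are "", and the swap only surfaces later.
gen_node_cert() {
    [ -f "$(ca_file)" ] || { echo "CA missing: $(ca_file)" >&2; return 1; }
    [ -f "$(node_file)" ] && return 0
    (umask 027 && "$ES_HOME/bin/elasticsearch-certutil" cert \
        --name "$ES_NODE_NAME" --dns "$ES_NODE_NAME" \
        --ca "$(ca_file)" --ca-pass "$ES_CA_PASS" \
        --out "$(node_file)" --pass "$ES_CERT_PASS") \
    && lock_down "$(node_file)"
}

# Succeeds only if both keystores exist with no permission bits for "others"
# (a world-readable .p12 with an empty password is a plaintext private key).
check_perms() {
    for f in "$(ca_file)" "$(node_file)"; do
        [ -f "$f" ] || return 1
        [ "$(ls -ld "$f" | cut -c8-10)" = "---" ] || return 1
    done
    return 0
}
```

Run gen_ca and then gen_node_cert on the node, and confirm with check_perms before referencing the keystores from elasticsearch.yml.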