elasticsearch 如何在Elasticsearch中以非交互方式启用TLS?,elasticsearch,ansible,ssl-certificate,elasticsearch,Ansible,Ssl Certificate" /> elasticsearch 如何在Elasticsearch中以非交互方式启用TLS?,elasticsearch,ansible,ssl-certificate,elasticsearch,Ansible,Ssl Certificate" />
Fatal编程技术网
  • elasticsearch/
  • elasticsearch 如何在Elasticsearch中以非交互方式启用TLS?

elasticsearch 如何在Elasticsearch中以非交互方式启用TLS?

ansible

elasticsearch 如何在Elasticsearch中以非交互方式启用TLS?,elasticsearch,ansible,ssl-certificate,elasticsearch,Ansible,Ssl Certificate,根据,要为Elasticsearch 7.1的TLS生成证书,请运行: elasticsearch-certutil ca elasticsearch-certutil cert --ca elastic-stack-ca.p12 相关的: 通过RESTAPI启用TLS需要证书 但是,上述命令需要人工交互(按Enter键) 如何以非交互方式生成上述证书?以下是适用于我的命令: cd /usr/share/elasticsearch sudo mkdir -v certs sudo ./bin/

根据,要为Elasticsearch 7.1的TLS生成证书,请运行:

elasticsearch-certutil ca
elasticsearch-certutil cert --ca elastic-stack-ca.p12
相关的:

通过RESTAPI启用TLS需要证书

但是,上述命令需要人工交互(按Enter键)

如何以非交互方式生成上述证书?

以下是适用于我的命令:

cd /usr/share/elasticsearch
sudo mkdir -v certs
sudo ./bin/elasticsearch-certutil ca --out certs/elastic-stack-ca.p12 --pass ""
sudo ./bin/elasticsearch-certutil cert --ca certs/elastic-stack-ca.p12 --ca-pass "" --out certs/elastic-certificates.p12 --pass ""
以及Ansible的剧本:

---
- name: Create a certificate directory
  file:
    owner: root
    group: '{{ elasticsearch_user_group }}'
    mode: u=rwx,g+rx,o-rwx
    path: '{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}'
    state: directory
  when: elasticsearch_tls_cert_dir is defined
- name: Check a certificate of authority
  stat:
    path: "{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}/elastic-stack-ca.p12"
  register: elastic_stack_ca_file
- name: Generate a certificate of authority
  args:
    chdir: '{{ elasticsearch_path_etc }}'
  become: yes
  command: "'{{ elasticsearch_path_home }}'/bin/elasticsearch-certutil ca --out '{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}'/elastic-stack-ca.p12 --pass '{{ elasticsearch_tls_cert_pass }}'"
  when: not elastic_stack_ca_file.stat.exists
- name: Check a certificate and private key for a node
  stat:
    path: "{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}/elastic-certificates.p12"
  register: elastic_certificates_file
- name: Generate a certificate and private key for a node
  args:
    chdir: '{{ elasticsearch_path_etc }}'
  become: yes
  command: "'{{ elasticsearch_path_home }}'/bin/elasticsearch-certutil cert --ca '{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}'/elastic-stack-ca.p12 --ca-pass '{{ elasticsearch_tls_cert_pass }}' --out '{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}'/elastic-certificates.p12 --pass '{{ elasticsearch_tls_cert_ca_pass }}'"
  when: elastic_stack_ca_file.stat.exists and not elastic_certificates_file.stat.exists
其中,默认变量可定义为:

elasticsearch_http_port: 9200
elasticsearch_path_home: "/usr/share/elasticsearch"
elasticsearch_path_etc: "/etc/elasticsearch"
elasticsearch_tls_cert_ca_pass: ""
elasticsearch_tls_cert_pass: ""
elasticsearch_tls_cert_dir: "certs"
elasticsearch_user: "elasticsearch"
elasticsearch_user_group: "elasticsearch"
进一步说明:

通过,命令包括:

mkdir /certificates
# This is the name of the kubernetes service for elastic search
master=elasticsearch-rest-service

echo "===> Create CA"
elasticsearch-certutil ca \
  --out /certificates/elastic-stack-ca.p12 \
  --pass ''

echo "===> Create certificate"
elasticsearch-certutil cert \
  --name ${master} \
  --dns ${master} \
  --ca /certificates/elastic-stack-ca.p12 \
  --pass '' \
  --ca-pass '' \
  --out /certificates/elastic-certificates.p12
请注意,如果需要与FileBeat和Kibana集成,则需要将密钥转换为其他格式。 更多详情请参见帖子