Providing SSL Access for ELK

2 years ago (2022) 程序员胖胖胖虎阿

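Part 5. Set ELK passwords (optional)

  1. Enable elasticsearch password authentication
    vim /data/elk/elasticsearch/config/elasticsearch.yml
    Append two lines at the end of the file:

    # Enable password authentication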
    xpack.security.transport.ssl.enabled: true
    xpack.security.enabled: true
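  2. Configure the access password for kibana
    vim /data/elk/kibana/config/kibana.yml
    Append the username and password settings at the end of the file:

    # The Elastic stack has many built-in users and elastic is one of them; you can use a built-in user or define your own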
    elasticsearch.username: "elastic" 
    elasticsearch.password: "1qaz@WSX3edc"
  3. Restart ELK
    docker restart elk
    The restart may fail with an error:

    [elk] Exception
    org.elasticsearch.ElasticsearchSecurityException: invalid SSL configuration for xpack.security.transport.ssl - server ssl configuration requires a key and certificate, but these have not been configured; you must set either [xpack.security.transport.ssl.keystore.path], or both [xpack.security.transport.ssl.key] and [xpack.security.transport.ssl.certificate]
     at org.elasticsearch.xpack.core.ssl.SSLService.validateServerConfiguration(SSLService.java:635) ~[?:?]
     at org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:612) ~[?:?]
     at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:156) ~[?:?]
     at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:461) ~[?:?]
     at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:310) ~[?:?]
     at org.elasticsearch.node.Node.lambda$new$14(Node.java:668) ~[elasticsearch-8.3.3.jar:?]
     at org.elasticsearch.plugins.PluginsService.lambda$flatMap$0(PluginsService.java:235) ~[elasticsearch-8.3.3.jar:?]
     at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[?:?]
     at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[?:?]
     at java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:720) ~[?:?]
     at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[?:?]
     at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[?:?]
     at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575) ~[?:?]
     at java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260) ~[?:?]
     at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616) ~[?:?]
     at java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622) ~[?:?]
     at java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627) ~[?:?]
     at org.elasticsearch.node.Node.<init>(Node.java:681) ~[elasticsearch-8.3.3.jar:?]
     at org.elasticsearch.node.Node.<init>(Node.java:300) ~[elasticsearch-8.3.3.jar:?]
     at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:230) ~[elasticsearch-8.3.3.jar:?]
     at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:230) ~[elasticsearch-8.3.3.jar:?]
     at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) [elasticsearch-8.3.3.jar:?]
     at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:224) [elasticsearch-8.3.3.jar:?]
     at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:67) [elasticsearch-8.3.3.jar:?]
    [2022-09-05T19:41:12,778][ERROR][o.e.b.Elasticsearch      ] [elk] fatal exception while booting Elasticsearch
    org.elasticsearch.bootstrap.StartupException: org.elasticsearch.ElasticsearchSecurityException: invalid SSL configuration for xpack.security.transport.ssl - server ssl configuration requires a key and certificate, but these have not been configured; you must set either [xpack.security.transport.ssl.keystore.path], or both [xpack.security.transport.ssl.key] and [xpack.security.transport.ssl.certificate]
     at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:228) [elasticsearch-8.3.3.jar:?]
     at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:67) [elasticsearch-8.3.3.jar:?]
    Caused by: org.elasticsearch.ElasticsearchSecurityException: invalid SSL configuration for xpack.security.transport.ssl - server ssl configuration requires a key and certificate, but these have not been configured; you must set either [xpack.security.transport.ssl.keystore.path], or both [xpack.security.transport.ssl.key] and [xpack.security.transport.ssl.certificate]

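    Newer versions require an SSL certificate before passwords can be enabled. If you see the error above, revert the change from step 1 of Part 5, then restart ELK and generate the certificates; if ELK restarted normally, skip the following sub-steps.
    3.1 Restart ELK
    docker restart elk
    3.2 Enter the container
    docker exec -it elk /bin/bash
    3.3 Generate the elastic-stack-ca.p12 file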

    cd /opt/elasticsearch
    ./bin/elasticsearch-certutil ca
    Please enter the desired output file [elastic-stack-ca.p12]:  # press Enter
    Enter password for elastic-stack-ca.p12 : # CA certificate password; press Enter
    # ls     
    bin  config  data  elastic-stack-ca.p12  jdk  lib  LICENSE.txt  logs  modules  nohup.out  NOTICE.txt  plugins  README.asciidoc

    3.4 Generate the elastic-certificates.p12 file

    ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
    Enter password for CA (elastic-stack-ca.p12) : # CA certificate password; just press Enter
    Please enter the desired output file [elastic-certificates.p12]: # accept the default
    Enter password for elastic-certificates.p12 : # certificate password; just press Enter

    3.5 Back on the host, copy elastic-stack-ca.p12 and elastic-certificates.p12 into the elasticsearch/config directory

    docker cp elk:/opt/elasticsearch/elastic-certificates.p12 /data/elk/elasticsearch/config/
    docker cp elk:/opt/elasticsearch/elastic-stack-ca.p12 /data/elk/elasticsearch/config/
    
    # Change ownership
    cd /data/elk
    chown -R 991:991 elasticsearch*

    3.6 Edit the ES configuration again
    vim /data/elk/elasticsearch/config/elasticsearch.yml

    # Enable password authentication
    xpack.security.transport.ssl.enabled: true
    xpack.security.enabled: true
    xpack.license.self_generated.type: basic
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

    3.7 Restart ELK
    docker restart elk

  4. Set the elasticsearch passwords (after the container has started)

    # Enter the elk container
    docker exec -it elk /bin/bash
    cd /opt/elasticsearch/bin
    # Set the passwords interactively
    ./elasticsearch-setup-passwords interactive
    # Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
    # You will be prompted to enter passwords as the process progresses.
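    # Please confirm that you would like to continue [y/N]   (press Y to continue)
    # Enter a password at each of the following prompts. There are several of them; set them all to the same password as in the earlier step: 1qaz@WSX3edc
  5. Restart ELK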
    docker restart elk
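
An added example (not from the original post): a shell pre-flight check for the two files edited above. It reports the state behind the boot failure quoted in step 3 (transport TLS enabled with no keystore or key/certificate) and warns about the credential settings in kibana.yml. The function names and the flat "key: value" parsing are assumptions of this sketch; nested YAML is not handled.

```shell
# Added example, not from the original post. Function names are hypothetical.
# yaml_get FILE KEY: value of a flat "key: value" line; commented-out keys never match.
yaml_get() {
  awk -v k="$2:" '
    { sub(/^[ \t]+/, "") }
    index($0, k) == 1 {
      v = substr($0, length(k) + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      sub(/^"/, "", v); sub(/"$/, "", v); val = v
    }
    END { print val }' "$1"
}

# audit_es DIR: DIR is the host directory holding elasticsearch.yml. Returns 1 on any FAIL.
audit_es() {
  local yml="$1/elasticsearch.yml" p=xpack.security.transport.ssl rc=0 ks key crt
  if [ "$(yaml_get "$yml" $p.enabled)" = true ]; then
    ks=$(yaml_get "$yml" $p.keystore.path)
    key=$(yaml_get "$yml" $p.key); crt=$(yaml_get "$yml" $p.certificate)
    if [ -z "$ks" ] && { [ -z "$key" ] || [ -z "$crt" ]; }; then
      echo "FAIL $p.enabled is true but no keystore.path or key+certificate is set"; rc=1
    elif [ -n "$ks" ] && [ ! -r "$1/$ks" ]; then  # relative path: resolved against config dir
      echo "FAIL keystore $ks is not readable in $1"; rc=1
    fi
    if [ "$(yaml_get "$yml" $p.verification_mode)" = none ]; then
      echo "WARN $p.verification_mode is none: peer certificates are not verified"
    fi
  fi
  if [ -e "$1/elastic-stack-ca.p12" ]; then
    echo "WARN elastic-stack-ca.p12 holds the CA private key; the settings in step 3.6 do not use it"
  fi
  return $rc
}

# audit_kibana FILE: credential hygiene for kibana.yml (warnings only).
audit_kibana() {
  if [ "$(yaml_get "$1" elasticsearch.username)" = elastic ]; then
    echo "WARN Kibana logs in as the elastic superuser; kibana_system is the reserved user for it"
  fi
  if [ -n "$(yaml_get "$1" elasticsearch.password)" ]; then
    echo "WARN plaintext elasticsearch.password; bin/kibana-keystore can store it instead"
    if [ -n "$(find "$1" -perm -004)" ]; then echo "WARN $1 is world-readable"; fi
  fi
}

# Constructed sample: the state after step 1 of this guide (TLS on, no keystore yet).
demo=$(mktemp -d)
printf '%s\n' 'xpack.security.transport.ssl.enabled: true' 'xpack.security.enabled: true' > "$demo/elasticsearch.yml"
audit_es "$demo" || echo "Elasticsearch would refuse to boot with this file"
rm -rf "$demo"
```

With the host layout used in this guide, the calls would be audit_es /data/elk/elasticsearch/config and audit_kibana /data/elk/kibana/config/kibana.yml.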
Copyright notice: published by 程序员胖胖胖虎阿 on September 18, 2022 at 9:40 AM.
When reposting, please credit: Providing SSL Access for ELK | 胖虎的工具箱-编程导航
