Introduction

Elasticsearch ships the elasticsearch-certutil command to simplify generating certificates.

The command has three modes:

  • CA mode generates a new certificate authority.
  • CERT mode generates X.509 certificates and private keys.
  • CSR mode generates certificate signing requests to submit to a trusted certificate authority, which returns the signed certificate. The signed certificate must be in PEM or PKCS#12 format to be usable with the Elasticsearch security features.

Generating certificates

certutil official documentation

For a cluster deployment where every node should have SSL configured, adjust instance.yml and extra_hosts accordingly.

Reference: https://www.elastic.co/cn/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash

Certificate paths must be written as absolute paths.

  • Create instance.yml to define the self-signed certificate for each container
    # name determines the directory and file name of the generated certificate
    # dns may list several names; they become the DNS names the certificate is valid for
    instances:
    - name: 'es-node1'
      dns: ['node1.elastic.com']
    - name: 'logstash'
      dns: ['node1.logstash.com']
    - name: 'kibana'
      dns: ['kibana.com']
  • Copy it into the es container
    docker cp instance.yml elasticsearch:/usr/share/elasticsearch/
  • Enter the es container and run the following command

    e.g. generate certificates valid for 10 years

    bin/elasticsearch-certutil cert ca --days 3650 --pem --in instance.yml --out certs.zip
  • Copy the result from the container back to the host
    docker cp elasticsearch:/usr/share/elasticsearch/certs.zip /opt/elk/ssl
  • Unzip it
    unzip certs.zip -d ./certs
  • Four directories are unpacked; copy ca.crt from the ca directory into each of the other directories
    cd certs/
    cp ca/ca.crt es-node1/
    cp ca/ca.crt logstash/
    cp ca/ca.crt kibana/
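Before mounting the bundle into the containers it pays to check what certutil produced: that each instance certificate chains to ca/ca.crt, that the private key really belongs to the certificate, and that the DNS names from instance.yml are present as subject alternative names, because Kibana (elasticsearch.hosts) and Logstash (hosts =>) verify the hostname in their URL against exactly that list. The script below is an added example, not code from this post or from Elastic; it assumes the certutil layout ca/ca.crt and <name>/<name>.crt plus <name>/<name>.key, and builds a throwaway CA and two leaf certificates with openssl in that same layout so it runs without real certutil output. The function names and the demo directory are my own.

```shell
#!/bin/sh
# Added example (not from the post): sanity checks for a certutil-style bundle laid out as
#   <dir>/ca/ca.crt  <dir>/<instance>/<instance>.crt  <dir>/<instance>/<instance>.key
# Only the openssl CLI is used. make_demo_bundle builds a throwaway CA and two leaf
# certificates in that layout so the checks can run without real certutil output.

# verify_chain DIR INSTANCE -> "ok" when INSTANCE's certificate is signed by ca/ca.crt
verify_chain() {
    if openssl verify -CAfile "$1/ca/ca.crt" "$1/$2/$2.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo chain-fail
    fi
}

# cert_has_dns DIR INSTANCE NAME -> "ok" when NAME is one of the certificate's DNS SANs.
# Clients verify the hostname in their URL against this list, so a missing name is a TLS failure.
cert_has_dns() {
    san=$(openssl x509 -in "$1/$2/$2.crt" -noout -text \
          | grep -A1 'Subject Alternative Name' | tail -n 1)
    case "$san" in
        *"DNS:$3,"*|*"DNS:$3") echo ok ;;
        *) echo san-missing ;;
    esac
}

# url_host URL -> host part of an http(s) URL: https://node1.elastic.com:9200 -> node1.elastic.com
url_host() {
    h=${1#*://}      # drop the scheme
    h=${h%%/*}       # drop any path
    echo "${h%%:*}"  # drop the port
}

# check_client_url DIR INSTANCE URL -> "ok" when the host a client dials is covered by the SAN
check_client_url() {
    cert_has_dns "$1" "$2" "$(url_host "$3")"
}

# key_matches_cert DIR INSTANCE -> "ok" when the private key's public half equals the cert's
key_matches_cert() {
    a=$(openssl x509 -in "$1/$2/$2.crt" -noout -pubkey)
    b=$(openssl pkey -in "$1/$2/$2.key" -pubout)
    if [ "$a" = "$b" ]; then echo ok; else echo key-mismatch; fi
}

# make_demo_bundle DIR -> constructed stand-in for certutil output (throwaway keys, 1 year)
make_demo_bundle() {
    dir=$1
    mkdir -p "$dir/ca" "$dir/es-node1" "$dir/logstash"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
        -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.crt" 2>/dev/null
    for inst in es-node1 logstash; do
        case $inst in
            es-node1) dns=node1.elastic.com ;;
            logstash) dns=node1.logstash.com ;;
        esac
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$inst" \
            -keyout "$dir/$inst/$inst.key" -out "$dir/$inst/$inst.csr" 2>/dev/null
        # the SAN comes from an extension file, mirroring the dns: entry in instance.yml
        printf 'subjectAltName=DNS:%s\n' "$dns" > "$dir/$inst/san.cnf"
        openssl x509 -req -in "$dir/$inst/$inst.csr" -CA "$dir/ca/ca.crt" \
            -CAkey "$dir/ca/ca.key" -CAcreateserial -days 365 \
            -extfile "$dir/$inst/san.cnf" -out "$dir/$inst/$inst.crt" 2>/dev/null
    done
}

# Usage: run every check against the demo bundle (use /opt/elk/ssl/certs for the real one)
demo=$(mktemp -d)
make_demo_bundle "$demo"
for inst in es-node1 logstash; do
    echo "$inst chain=$(verify_chain "$demo" "$inst") key=$(key_matches_cert "$demo" "$inst")"
done
echo "kibana -> es: $(check_client_url "$demo" es-node1 https://node1.elastic.com:9200)"
echo "wrong name:   $(check_client_url "$demo" es-node1 https://es-node1:9200)"
rm -rf "$demo"
```

The "wrong name" line shows why the URL matters: extra_hosts in the compose file resolves es-node1, but only node1.elastic.com is in the certificate's SAN, so a client dialing https://es-node1:9200 fails hostname verification. The fix is to use the name from instance.yml in the URL (or add the extra name to dns: and regenerate), not to set verification mode to none.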

docker-compose.yml adjustments

  • es
    elasticsearch:
      ...
      privileged: true
      ...
      volumes:
        ...
        # change the path mapping here
        # host path:container path
        - /opt/elk/ssl/certs/es-node1:/usr/share/elasticsearch/config/certs
        ...
      extra_hosts:
        # hostname-to-IP mappings
        - "kibana.com:10.104.8.126"
        - "node1.logstash.com:10.104.8.126"
        - "node1.elastic.com:127.0.0.1"
        - "es-node1:127.0.0.1"
  • kibana
    kibana:
      ...
      volumes:
        # change the path mapping here
        # host path:container path
        - /opt/elk/ssl/certs/kibana:/usr/share/kibana/config/certs
      extra_hosts:
        # hostname-to-IP mappings
        - "kibana.com:127.0.0.1"
        - "node1.logstash.com:10.104.8.126"
        - "node1.elastic.com:10.104.8.126"
        - "es-node1:10.104.8.126"
  • logstash
    logstash:
      ...
      volumes:
        # change the path mapping here
        # host path:container path
        - /opt/elk/ssl/certs/logstash:/usr/share/logstash/config/certs
      extra_hosts:
        # hostname-to-IP mappings
        - "kibana.com:10.104.8.126"
        - "node1.logstash.com:127.0.0.1"
        - "node1.elastic.com:10.104.8.126"
        - "es-node1:10.104.8.126"

conf (configuration files)

  • kibana.yml
    server.name: "kibana"
    server.host: "0.0.0.0"
    server.ssl.enabled: true
    # certificate; the path comes from the volume mapping in compose.yml
    server.ssl.certificate: /usr/share/kibana/config/certs/kibana.crt
    # private key; same mapping in compose.yml
    server.ssl.key: /usr/share/kibana/config/certs/kibana.key
    # CA that signed the Elasticsearch certificate; same mapping in compose.yml
    elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/certs/ca.crt"]
    # this key takes three values (full, certificate, none); look up the key for what each does
    # elasticsearch.ssl.verificationMode: none
    elasticsearch.hosts: ["https://node1.elastic.com:9200"]
    elasticsearch.username: kibana_system
    elasticsearch.password: xxx
    # if unset, reports generated before a restart can no longer be viewed
    xpack.reporting.encryptionKey: fd7c75cf-6abd-4704-a614-10a8679d64e7
    # the next two are alerting-related
    monitoring.ui.enabled: true
    monitoring.ui.container.logstash.enabled: true
    # sandbox-related (not sure exactly what it affects; I only set it to get rid of a warning)
    xpack.reporting.capture.browser.chromium.disableSandbox: false
    # externally reachable address
    server.publicBaseUrl: https://xxx:5601
    # alerting-related
    xpack.encryptedSavedObjects.encryptionKey: 554d5cab-b336-eb0a-e128-6c5012dcc330
    # Chinese UI
    i18n.locale: "zh-CN"
  • elasticsearch.yml
    # cluster name
    cluster.name: elasticsearch-cluster
    # node name
    node.name: es-node1
    # bind address; 0.0.0.0 means every interface of this node (leave it alone, it is the same on all nodes)
    network.host: 0.0.0.0
    # address other nodes use to reach this node; auto-detected if unset, and must be a real address of this host
    network.publish_host: node1.elastic.com
    # HTTP port for external clients, default 9200
    http.port: 9200
    # TCP port for node-to-node transport, default 9300
    transport.tcp.port: 9300
    # whether to allow cross-origin requests, default false
    http.cors.enabled: true
    # allowed origins once CORS is enabled; the default * accepts every origin. To admit only certain sites use a regular expression, e.g. local addresses only: /https?:\/\/localhost(:[0-9]+)?/
    http.cors.allow-origin: "*"
    discovery.type: single-node
    # whether this node may act as master
    node.master: true
    # whether this node stores data
    node.data: true
    # ip:port of every master/data node (change this)
    discovery.seed_hosts: ["node1.elastic.com"]
    # set this and remove discovery.type: single-node to start in cluster mode
    # cluster.initial_master_nodes: ["es-node1"]
    # how many master-eligible nodes must be in contact during master election, to prevent split brain
    discovery.zen.minimum_master_nodes: 1
    # headers allowed on cross-origin requests, default X-Requested-With,Content-Type,Content-Length
    http.cors.allow-headers: Authorization
    # lock memory (reserve the heap up front)
    bootstrap.memory_lock: true
    # enables the X-Pack security features (authentication)
    xpack.security.enabled: true
    # everything below concerns certificates
    xpack.security.http.ssl.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/es-node1.key
    xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/es-node1.crt
    xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/certs/ca.crt
    xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/es-node1.key
    xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/es-node1.crt
    xpack.security.transport.ssl.certificate_authorities: /usr/share/elasticsearch/config/certs/ca.crt
    # this key takes three values (full, certificate, none); look up the key for what each does
    # xpack.security.transport.ssl.verification_mode: none
  • /usr/share/logstash/pipeline/conf.d/*.conf

    For the Beats input plugin, logstash.key must be converted to PKCS8 format

    openssl pkcs8 -in logstash.key -topk8 -nocrypt -out logstash.pkcs8.key

    beats {
      port => 5044
      ssl => true
      ssl_key => '/usr/share/logstash/config/certs/logstash.pkcs8.key'
      ssl_certificate => '/usr/share/logstash/config/certs/logstash.crt'
    }
    ......
    output {
      elasticsearch {
        hosts => ["https://node1.elastic.com:9200"]
        index => "%{env}-xxx-%{indexDay}"
        cacert => '/usr/share/logstash/config/certs/ca.crt'
        # ssl_certificate_verification => false
        user => "elastic"
        password => "xxx"
      }
    }
  • logstash.yml
    # send Logstash monitoring data to the secured cluster
    node.name: logstash
    path.config: /usr/share/logstash/pipeline/conf.d/*.conf
    xpack.monitoring.enabled: true
    xpack.monitoring.elasticsearch.username: logstash_system
    xpack.monitoring.elasticsearch.password: xxx
    xpack.monitoring.elasticsearch.hosts: ["https://node1.elastic.com:9200"]
    xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/certs/ca.crt
    #xpack.monitoring.elasticsearch.ssl.verification_mode: none
  • filebeat.yml

    Copy ca.crt to the server running filebeat

    # ------------------------------ Logstash Output -------------------------------
    output.logstash:
      # Logstash server address; the placeholder value is the author's note that, as tested, either the IP or the DNS name works here
      hosts: ["经测试,这里写ip和dns都可"]
      ssl.certificate_authorities:
        - /etc/filebeat/ssl/ca.crt
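The PKCS8 conversion in the logstash pipeline item above deserves a check of its own: the beats input documents that ssl_key must be PKCS#8, so a key left in the traditional PKCS#1 form, or converted with the wrong flags, shows up only as a startup failure. The script below is an added example, not from this post or from Elastic; it wraps the same openssl pkcs8 command the post runs, classifies a key file by its PEM header, and confirms the converted file still carries the same public key. The function names are mine, and the key it converts is a throwaway one generated on the spot in place of logstash.key.

```shell
#!/bin/sh
# Added example (not from the post): check that a key is in the unencrypted PKCS#8 form the
# Logstash beats input expects, and that converting it did not change the key material.

# to_pkcs8 IN OUT -> the same conversion the post runs for logstash.key
to_pkcs8() {
    openssl pkcs8 -in "$1" -topk8 -nocrypt -out "$2"
}

# key_format FILE -> classifies a PEM private key by its header line
key_format() {
    case $(head -n 1 "$1") in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;           # what ssl_key wants
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;; # would need ssl_key_passphrase
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1-rsa ;;       # traditional OpenSSL format
        '-----BEGIN EC PRIVATE KEY-----')        echo sec1-ec ;;         # traditional EC format
        *)                                       echo unknown ;;
    esac
}

# same_public_key A B -> "ok" when two private key files contain the same key
same_public_key() {
    if [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl pkey -in "$2" -pubout)" ]; then
        echo ok
    else
        echo differ
    fi
}

# Usage on a constructed throwaway key standing in for logstash.key
d=$(mktemp -d)
openssl genrsa -out "$d/logstash.key" 2048 2>/dev/null
to_pkcs8 "$d/logstash.key" "$d/logstash.pkcs8.key"
echo "input: $(key_format "$d/logstash.key")  output: $(key_format "$d/logstash.pkcs8.key")  key unchanged: $(same_public_key "$d/logstash.key" "$d/logstash.pkcs8.key")"
rm -rf "$d"
```

Run key_format against the file named in ssl_key before starting Logstash; anything other than pkcs8 explains a beats input that refuses to start, and same_public_key confirms the converted file still pairs with logstash.crt.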