Installing an Elasticsearch cluster and configuring authenticated access

Elasticsearch 老子黑牵翻

Server IPs:
192.168.1.100
192.168.1.101
192.168.1.102

1. Download and install Elasticsearch on each server; after extracting the archive, edit config/elasticsearch.yml
192.168.1.100

cluster.name: my-elasticsearch
node.name: node-1
path.data: /opt/var/elasticsearch/data
path.logs: /opt/var/elasticsearch/logs
network.host: 192.168.1.100
http.port: 9200
transport.tcp.port: 9300
transport.tcp.compress: true
discovery.zen.ping.unicast.hosts: ["192.168.1.100", "192.168.1.101", "192.168.1.102"]
discovery.zen.minimum_master_nodes: 2
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.ssl.key: elasticsearch/elasticsearch.key
xpack.ssl.certificate: elasticsearch/elasticsearch.crt
xpack.ssl.certificate_authorities: ca/ca.crt

192.168.1.101

cluster.name: my-elasticsearch
node.name: node-2
path.data: /opt/var/elasticsearch/data
path.logs: /opt/var/elasticsearch/logs
network.host: 192.168.1.101
http.port: 9200
transport.tcp.port: 9300
transport.tcp.compress: true
discovery.zen.ping.unicast.hosts: ["192.168.1.100", "192.168.1.101", "192.168.1.102"]
discovery.zen.minimum_master_nodes: 2
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.ssl.key: elasticsearch/elasticsearch.key
xpack.ssl.certificate: elasticsearch/elasticsearch.crt
xpack.ssl.certificate_authorities: ca/ca.crt

192.168.1.102

cluster.name: my-elasticsearch
node.name: node-3
path.data: /opt/var/elasticsearch/data
path.logs: /opt/var/elasticsearch/logs
network.host: 192.168.1.102
http.port: 9200
transport.tcp.port: 9300
transport.tcp.compress: true
discovery.zen.ping.unicast.hosts: ["192.168.1.100", "192.168.1.101", "192.168.1.102"]
discovery.zen.minimum_master_nodes: 2
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.ssl.key: elasticsearch/elasticsearch.key
xpack.ssl.certificate: elasticsearch/elasticsearch.crt
xpack.ssl.certificate_authorities: ca/ca.crt
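
The three files above can be checked mechanically before the nodes are started. The following audit is an added example, not part of the original post or of Elasticsearch: `parse_flat_yaml`, `audit`, `BASE`, `NAMES` and `SAMPLE` are names chosen here, the sample is constructed from the settings above, and it flags a wildcard CORS origin, a missing `xpack.security.http.ssl.enabled` (without it, passwords cross port 9200 unencrypted), a `minimum_master_nodes` value below quorum, and a reused `node.name`.

```python
import json

# Constructed sample based on the configs above; node-2 is reused on purpose.
BASE = """\
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
discovery.zen.ping.unicast.hosts: ["192.168.1.100", "192.168.1.101", "192.168.1.102"]
discovery.zen.minimum_master_nodes: 2
"""
NAMES = {"192.168.1.100": "node-1", "192.168.1.101": "node-2", "192.168.1.102": "node-2"}
SAMPLE = {ip: f"node.name: {name}\nnetwork.host: {ip}\n{BASE}" for ip, name in NAMES.items()}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' subset of YAML that elasticsearch.yml uses here."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        cfg[key] = json.loads(value) if value.startswith("[") else value.strip("\"'")
    return cfg


def audit(node_files):
    """node_files: {host: elasticsearch.yml text}. Returns a list of (host, finding)."""
    findings, names = [], {}
    for host, text in node_files.items():
        cfg = parse_flat_yaml(text)
        names.setdefault(cfg.get("node.name"), []).append(host)
        if cfg.get("http.cors.enabled") == "true" and cfg.get("http.cors.allow-origin") == "*":
            findings.append((host, "CORS accepts any origin"))
        if cfg.get("xpack.security.enabled") != "true":
            findings.append((host, "security disabled"))
        if cfg.get("xpack.security.transport.ssl.enabled") != "true":
            findings.append((host, "transport (9300) traffic not encrypted"))
        if cfg.get("xpack.security.http.ssl.enabled") != "true":
            findings.append((host, "HTTP (9200) not encrypted: passwords sent in cleartext"))
        # Assumption: every seed host is master-eligible, so quorum = N // 2 + 1.
        quorum = len(cfg.get("discovery.zen.ping.unicast.hosts", [])) // 2 + 1
        if int(cfg.get("discovery.zen.minimum_master_nodes", 1)) < quorum:
            findings.append((host, f"minimum_master_nodes below quorum {quorum}"))
    for name, hosts in names.items():
        if len(hosts) > 1:
            findings.append((",".join(hosts), f"node.name {name!r} reused"))
    return findings
```

Calling `audit(SAMPLE)` returns the findings for the constructed sample; pass a dict of real file contents keyed by host to check a deployment.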

2. Generate certificates

bin/elasticsearch-certgen
******************************************************************************
Note: The 'elasticsearch-certgen' tool has been deprecated in favour of the
      'elasticsearch-certutil' tool. This command will be removed in a future
      release.
******************************************************************************

This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL in the Elastic stack. Depending on the command
line option specified, you may be prompted for the following:

* The path to the output file
    * The output file is a zip file containing the signed certificates and
      private keys for each instance. If a Certificate Authority was generated,
      the certificate and private key will also be included in the output file.
* Information about each instance
    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.
* Certificate Authority private key password
    * The password may be left empty if desired.

Let's get started...

Please enter the desired output file [certificate-bundle.zip]: (name of the zip archive)
Enter instance name:  (instance name)
Enter name for directories and files [elasticsearch]: (directory name)
Enter IP Addresses for instance (comma-separated if more than one) []: (instance IPs; separate multiple IPs with commas)
Enter DNS names for instance (comma-separated if more than one) []: (node names; separate multiple nodes with commas)
Would you like to specify another instance? Press 'y' to continue entering instance information: (at this step there is no need to press y and enter another instance; just press Enter)
Certificates written to /opt/usr/elasticsearch-6.8.16/certificate-bundle.zip

This file should be properly secured as it contains the private keys for all
instances and the certificate authority.

After unzipping the file, there will be a directory for each instance containing
the certificate and private key. Copy the certificate, key, and CA certificate
to the configuration directory of the Elastic product that they will be used for
and follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

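When the tool finishes, it produces certificate-bundle.zip. Unzip it and place the contents in the config directory of every Elasticsearch node.

3. Generate passwords
After restarting the Elasticsearch service, run: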

bin/elasticsearch-setup-passwords interactive

When reposting, please credit: LINUX服务器运维架构技术分享 » Installing an Elasticsearch cluster and configuring authenticated access