---
title: Elasticsearch certificate
tags: Elasticsearch
description: View the slide with "Slide Mode".
---
# Elasticsearch certificate
## Generating certificates
### 1. Generate a certificate authority (CA)
```
$ bin/elasticsearch-certutil ca
```
The ca mode generates a new certificate authority (CA). By default, it produces a single PKCS#12 output file, which <font color=blue>holds the CA certificate and the private key for the CA</font>.
> The elasticsearch-certutil command also prompts you for a password to protect the file and key. If you plan to add more nodes to your cluster in the future, retain a copy of the file and remember its password.
> [name=昱齊] One CA per cluster is enough; after generating it, copy the file to each node in the cluster.
### 2. Generate a certificate with the CA
The cert mode <font color=blue>generates X.509 certificates and private keys.</font> By default, it produces a single certificate and key for use on a single instance.
### (Supplement) What is a CA
- The main job of a CA is to be <font color=blue>the authority responsible for issuing and managing digital certificates</font>; it acts as the trusted third party in electronic transactions and, within a public-key infrastructure, is responsible for checking the legitimacy of public keys.
- The CA issues a "digital certificate" to every user of a public key. Its purpose is to prove that the user named in the certificate legitimately owns the public key listed in it, so that the certificate can be used to tell others "this public key is legitimately mine". Besides being published, the certificate also carries the CA's digital signature, which both attests to the certificate's validity and prevents attackers from forging or tampering with it. <font color=blue>A digital certificate usually contains the holder's public key, the holder's e-mail address, the issuing authority, ...</font>
## Checking whether the certificates ES generates are the same across runs
Source section: Generating node certificates
[官方文件](https://www.elastic.co/guide/en/elasticsearch/reference/7.3/configuring-tls.html)
> [name=昱齊] How to make them different, and how to verify it
1. Generate the elastic-certificates.p12 file so the nodes in the cluster can communicate with each other
```
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
```
2. Add the following to elasticsearch.yml
```
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
```
- `ssl.verification_mode`
  Indicates the type of certificate verification performed on a TLS-protected connection, to protect against man-in-the-middle attacks and certificate forgery (the wording comes from the LDAPS realm settings, but the same values apply to the transport layer here). Valid values are:
  - `full`, which verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server's hostname (or IP address) matches the names identified within the certificate.
  - `certificate`, which verifies that the provided certificate is signed by a trusted authority (CA), but <font color=blue>does not perform any hostname verification.</font>
    > [name=昱齊] I think this means: when I connect to elasticsearch node1, I only check that the certificate it presents comes from the CA, but I do not verify that node1's IP matches the certificate.
  - `none`, which <font color=blue>performs no verification of the server's certificate</font>. This mode disables many of the security benefits of SSL/TLS and should only be used after very careful consideration. It is primarily intended as a temporary diagnostic mechanism <font color=blue>when attempting to resolve TLS errors</font>; its use on production clusters is strongly discouraged.
  - The default value is `full`.
3. Restart elasticsearch
```
systemctl restart elasticsearch
```
4. Generate an additional certificate so elasticsearch and kibana can communicate with each other
```
bin/elasticsearch-certutil http
```
5. Add the following to elasticsearch.yml
```
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
```
6. Restart elasticsearch
```
systemctl restart elasticsearch
```
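As an added example (my own code, not from this page or from Elastic), a small audit of the settings written in steps 2 and 5 above: it parses the flat `key: value` lines of an elasticsearch.yml and flags the weak values the `verification_mode` notes describe. The sample configuration is constructed inline and the function names are assumptions of this example.

```python
"""Audit the TLS settings in an elasticsearch.yml for the weak values discussed above."""
from typing import Dict, List

# Constructed sample: the transport and HTTP settings from steps 2 and 5.
SAMPLE_YML = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'dotted.key: value' lines elasticsearch.yml uses (no nesting)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_tls(settings: Dict[str, str]) -> List[str]:
    """Return findings, most severe first within each layer (empty list = nothing to report)."""
    findings: List[str] = []
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("HIGH: xpack.security.enabled is not true; TLS settings are not enforced")
    for layer in ("transport", "http"):
        prefix = f"xpack.security.{layer}.ssl."
        if settings.get(prefix + "enabled", "false").lower() != "true":
            findings.append(f"HIGH: {layer} TLS is disabled")
            continue
        if not settings.get(prefix + "keystore.path"):
            findings.append(f"HIGH: {layer} TLS is enabled but no keystore.path is configured")
        if layer == "transport":  # node-to-node connections verify the peer certificate
            if not settings.get(prefix + "truststore.path"):
                findings.append("MEDIUM: transport TLS has no truststore.path; peers cannot be validated")
            mode = settings.get(prefix + "verification_mode", "full").lower()  # default is full
            if mode == "none":
                findings.append("HIGH: transport verification_mode 'none' performs no certificate verification")
            elif mode == "certificate":
                findings.append("MEDIUM: transport verification_mode 'certificate' skips hostname (SAN) checks")
    return findings


if __name__ == "__main__":
    for finding in audit_tls(parse_flat_yaml(SAMPLE_YML)) or ["OK: no weak TLS settings found"]:
        print(finding)
```

With the page's own settings the only finding is the `certificate` mode, which is exactly what the official recommendation about SANs and hostname verification quoted below addresses.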
Generating node certificates (from the official documentation):
> The recommended approach for validating certificate authenticity in an Elasticsearch cluster is to trust the certificate authority (CA) that signed the certificate. By doing this, as nodes are added to your cluster they <font color=blue>just need to use a certificate signed by the same CA</font> and the node is automatically allowed to join the cluster. Additionally, it is recommended that the certificates contain subject alternative names (SAN) that correspond to the node’s IP address and DNS name so that hostname verification can be performed.
> [name=Alice Hsu]
> While doing this I ran into a permission denied problem on the /etc/elasticsearch folder; setting it to 660 did not work either, so I just set it to 777 QQ