Elasticsearch Shield SSL Certificates
I am using Elastic 2.2.0 and Shield 2.2 on a 10-node cluster. I need to enable SSL in Elastic so that Kibana works with Shield, and I'm stuck at the certificate signing part.
I don't have a wildcard certificate, so I can't just sign one CSR on a node and copy it to all the other nodes. I tried using Let's Encrypt (with the Elastic tutorial) and signed a certificate with a common name of node1 and alternative names of node2-10, then copied it to all the other nodes (of course I first created domains for all 10 servers and pointed them at node1, signed the CSR, then pointed the other 9 at the right servers). It didn't work, and I got a lot of "bad certificate" exceptions in the node logs.
As I said, I need SSL so that Kibana works with Shield, and I want secure connections in general; I'm planning to add more nodes to the cluster...
How can I achieve this?
What is the best architecture for this purpose?
The problem was that I was trying to use the certificate on the nodes' private IP seeds, which, as the docs say, is not possible:
If you use a commercial CA, the DNS names and IP addresses used to identify a node must be publicly resolvable. Internal DNS names and private IP addresses are not accepted due to security concerns.
If you need to use private DNS names and IP addresses, using an internal CA is the most secure option. It enables you to specify node identities and ensure node identities are verified when nodes connect. If you must use a commercial CA and private DNS names or IP addresses, you cannot include the node identity in the certificate, so the only option is to disable hostname verification.
So the solution is to use the certificate only for external requests (such as the Kibana UI), by setting the following in elasticsearch.yml:
shield.transport.ssl: false
shield.http.ssl: true