赞
踩
简介: 在生产环境中,Elasticsearch 集群的证书可能会因为过期而导致集群无法正常工作。为了避免这种情况的发生,我们需要及时更新证书,并保证更新证书的过程中保持 Elasticsearch 集群的高可用性和数据安全性。
ES集群版本:v6.810和v7.13.4
加密参数配置:
- xpack.security.enabled: true
- xpack.security.transport.ssl.enabled: true
- xpack.security.transport.ssl.verification_mode: certificate
- xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
- xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
通过配置文件看到,只针对集群中节点之间的通信进行了加密,而且是自签的CA。
生成证书为您的Elasticearch集群创建一个证书颁发机构。例如,使用elasticsearch-certutil ca命令:
bin/elasticsearch-certutil ca --days 36500
为群集中的每个节点生成证书和私钥。例如,使用elasticsearch-certutil cert 命令:
bin/elasticsearch-certutil cert --days 36500 --ca elastic-stack-ca.p12
通过批量扫描集群信息,发现证书过期
GET /_ssl/certificates [ { "path" : "certs/elastic-certificates.p12", "format" : "PKCS12", "alias" : "instance", "subject_dn" : "CN=Elastic Certificate Tool Autogenerated CA", "serial_number" : "e365c63bf8050b2d1a73025c37aaa6d8d0772f06", "has_private_key" : false, "expiry" : "2023-04-26T09:13:27.000Z" }, { "path" : "certs/elastic-certificates.p12", "format" : "PKCS12", "alias" : "instance", "subject_dn" : "CN=instance", "serial_number" : "bff8e3ed43fcc2abc4e6951bd6064ed53ddb7b56", "has_private_key" : true, "expiry" : "2023-04-26T09:13:44.000Z" }, { "path" : "certs/elastic-certificates.p12", "format" : "PKCS12", "alias" : "ca", "subject_dn" : "CN=Elastic Certificate Tool Autogenerated CA", "serial_number" : "e365c63bf8050b2d1a73025c37aaa6d8d0772f06", "has_private_key" : false, "expiry" : "2023-04-26T09:13:27.000Z" } ]
基于ES6.8.10-ARC(通用3节点集群) 验证测试
将证书设置1天过期,过期之后查看,集群还是正常运行(各种方式查看新证书确实都生效了)
[2023-04-26T10:12:41,125][INFO ][o.e.x.c.s.SSLConfigurationReloader] [es_10.4.6.2_9211] reloaded [/work/idb/es9211/config/certs/elastic-certificates.p12] and updated ssl contexts using this file
2.集群中的某个节点,重启时,如果自己的证书和其他节点不一致,可以启动但是无法被其他节点识别,无法加入集群
直接替换证书,自动就被其他节点识别到,然后节点正常加入集群
3.查询命令:
查询证书过期
GET /_ssl/certificates
验证证书是否有效
curl -X GET "http://escluster111.es.zcinc.com:9211/_cluster/health?pretty" -uelastic:OWRmNjA5MDlkNGM3 --cacert elastic-certificates.p12
GET /_nodes?filter_path=**.transport.ssl
关于证书更新的文档,版本:>=7.13
如果使用相同的CA,签发新的证书,替换原来的文件,是不需要重启节点的
如果使用不同的CA,签发新的证书,替换原来的文件,是需要滚动重启的
这里有3个点需要注意:
以下是官网文档说:
Updating node security certificates | Elasticsearch Guide [7.13] | Elastic
使用相同的CA:
Update certificates with the same CA | Elasticsearch Guide [7.13] | Elastic
使用不同的CA:
Update security certificates with a different CA | Elasticsearch Guide [7.13] | Elastic
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。