[Linux] Enabling TLS Encryption and HTTPS in Elasticsearch

Certificate for Elasticsearch TLS communication

Certificate for Elasticsearch HTTPS communication

$ /usr/share/elasticsearch/bin/elasticsearch-certutil http --silent
## Elasticsearch HTTP Certificate Utility
## Do you wish to generate a Certificate Signing Request (CSR)?
Generate a CSR? [y/N]y
## Do you wish to generate one certificate per node?
Generate a certificate per node? [y/N]N
## Which hostnames will be used to connect to your nodes?
localhost
es01
es02
es03
kibana

You entered the following hostnames.

 - localhost
 - es01
 - es02
 - es03
 - kibana
Is this correct [Y/n]y
## Which IP addresses will be used to connect to your nodes?
127.0.0.1
1.1.1.1
2.2.2.2
3.3.3.3

You entered the following IP addresses.

 - 127.0.0.1
 - 1.1.1.1
 - 2.2.2.2
 - 3.3.3.3
Is this correct [Y/n]y
## Other certificate options
Key Name: localhost
Subject DN: CN=localhost
Key Size: 2048

Do you wish to change any of these options? [y/N]N
## What password do you want for your private key(s)?
Provide a password for the private key:  [<ENTER> for none]
## Where should we save the generated files?
What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip]
cd /usr/share/elasticsearch
unzip elasticsearch-ssl-http.zip
cd elasticsearch
$ ls -l
total 16
-rw-r--r-- 1 root root 1070 Jul  5 11:04 http-localhost.csr
-rw-r--r-- 1 root root 1679 Jul  5 11:04 http-localhost.key
-rw-r--r-- 1 root root 2444 Jul  5 11:04 README.txt
-rw-r--r-- 1 root root 1179 Jul  5 11:04 sample-elasticsearch.yml
$ cat sample-elasticsearch.yml
#
# SAMPLE ELASTICSEARCH CONFIGURATION FOR ENABLING SSL ON THE HTTP INTERFACE
#
# This is a sample configuration snippet for Elasticsearch that enables and configures SSL for the HTTP (Rest) interface
#
# This was automatically generated at: 2022-07-05 11:04:25+09:00
# This configuration was intended for Elasticsearch version 8.3.1
#
# You should review these settings, and then update the main configuration file at
#   /etc/elasticsearch/elasticsearch.yml
#

# This turns on SSL for the HTTP (Rest) interface
xpack.security.http.ssl.enabled: true

# This configures the certificate to use.
# This certificate will be generated by your Certificate Authority, based on the CSR that you sent to them.
xpack.security.http.ssl.certificate: "http-localhost.crt"

# This configures the private key for your certificate.
xpack.security.http.ssl.key: "http-localhost.key"

# If your Certificate Authorities provides you with a copy of their certificate you can configure it here.
# This is not strictly necessary, but can make it easier when running other elasticsearch utilities such as the "setup-passwords" tool.
#
#xpack.security.http.ssl.certificate_authorities: [ "ca.crt" ]
#
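
Before copying these settings into /etc/elasticsearch/elasticsearch.yml, check that the referenced files exist and that the private key is not world-readable: the listing above shows http-localhost.key created with mode 0644, and http-localhost.crt is not present until a CA signs the CSR. The following pre-flight check is an added example, not part of the original post; the function names are hypothetical, and it assumes relative paths in elasticsearch.yml resolve against the Elasticsearch config directory.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# xpack.security.http.ssl.* files referenced in elasticsearch.yml.
# Function names are hypothetical.

# Print the value of a top-level "KEY: value" setting with quotes stripped.
# usage: yaml_value FILE KEY
yaml_value() {
  k=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots in KEY literally
  sed -n "s/^$k:[[:space:]]*//p" "$1" | tr -d "\"'" |
    sed 's/[[:space:]]*$//' | head -n 1
}

# Verify that the HTTP key and certificate exist and that the key is not
# readable by "other". Assumption: relative paths resolve against CONFIG_DIR.
# usage: check_http_ssl_files CONFIG_DIR   (e.g. /etc/elasticsearch)
check_http_ssl_files() {
  conf_dir=$1
  rc=0
  for setting in key certificate; do
    val=$(yaml_value "$conf_dir/elasticsearch.yml" "xpack.security.http.ssl.$setting")
    if [ -z "$val" ]; then
      echo "MISSING SETTING: xpack.security.http.ssl.$setting"; rc=1; continue
    fi
    case $val in
      /*) path=$val ;;
      *)  path="$conf_dir/$val" ;;
    esac
    if [ ! -f "$path" ]; then
      echo "NOT FOUND: $path"; rc=1; continue
    fi
    # find -perm -004 matches when the world-read bit is set (e.g. mode 0644)
    if [ "$setting" = key ] && [ -n "$(find "$path" -prune -perm -004)" ]; then
      echo "WORLD-READABLE KEY: $path"; rc=1
    fi
  done
  return $rc
}
```

Run it as `check_http_ssl_files /etc/elasticsearch` after copying the key and the CA-signed certificate into place; a non-zero exit status means at least one finding was printed.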