Elasticsearch7.1.1 配置密码和SSL证书

 生成SSL证书

./elasticsearch-certutil ca -out config/certs/elastic-certificates.p12 -pass

 我这里没有设置ssl证书密码，如果需要设置密码，需要再配置给elasticsearch

在之前的步骤中，如果我们对elastic-certificates.p12 文件配置了密码，需要配置密码。输入密码：生成密钥步骤设置的密码

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

配置验证

elasticsearch.yml

config目录里，编辑elasticsearch.yml文件，增加下面配置

# 配置X-Pack
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true


# 证书配置
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

重启elasticsearch服务

设置密码

bin/elasticsearch-setup-passwords interactive

为每个elasticsearch用户输入两次密码，

登录验证

浏览器直接访问http://127.0.0.1:9200,会出现输入用户名、密码的弹窗，输入elastic和密码后，才能看到elasticsearch信息；

*如果密码忘了怎么办？如何重置密码？

1、修改elasticsearch.yml 配置，将身份验证相关配置屏蔽掉；

2、重启ES,查看下索引,发现多了一个.security-7索引，将其删除

3、到此就回到ES没有设置密码的阶段了，如果想重新设置密码，请从第一步开始

相关问题

x-pack 密钥配置问题

[2021-11-18T09:14:10,976][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [es02] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
  at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-7.4.2.jar:7.4.2]
  at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-7.4.2.jar:7.4.2]
  at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.4.2.jar:7.4.2]
  at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:125) ~[elasticsearch-cli-7.4.2.jar:7.4.2]
  at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-7.4.2.jar:7.4.2]
  at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) ~[elasticsearch-7.4.2.jar:7.4.2]
  at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-7.4.2.jar:7.4.2]
Caused by: java.io.IOException: keystore password was incorrect
  at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2118) ~[?:?]
  at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222) ~[?:?]
  at java.security.KeyStore.load(KeyStore.java:1472) ~[?:?]
  at org.elasticsearch.xpack.core.ssl.TrustConfig.getStore(TrustConfig.java:97) ~[?:?]
  at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:65) ~[?:?]
  at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:384) ~[?:?]
  at java.util.HashMap.computeIfAbsent(HashMap.java:1138) ~[?:?]
  ... 6 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
  at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2118) ~[?:?]
  at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222) ~[?:?]
  at java.security.KeyStore.load(KeyStore.java:1472) ~[?:?]
  ... 6 more

 解决办法：

1：可能是elastic-certificates.p12文件归属权不属于es账号所拥有

#执行以下语句，把整个目录的归属权给es账号
chown -R es:es /usr/local/huaxing/elasticsearch-7.4.2-8200
chmod 777 elastic-certificates.p12
2：若是上述问题还没解决，那可能是在生成密钥时设置了密码，需要执行以下命令。弹出提示输入密码就是在生成密钥时设置的密码

./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password