According to the TLS configuration documentation, to generate certificates for TLS for Elasticsearch 7.1 you run:

elasticsearch-certutil ca
elasticsearch-certutil cert --ca elastic-stack-ca.p12

Related: Enabling TLS in Elasticsearch

The certificates are required to enable TLS over the REST API.

However, the commands above require human interaction (pressing Enter).

How can I generate the certificates above non-interactively?

3
kenorb 14 August 2019, 16:02

1 answer

Best Answer

Here are the commands that worked for me:

cd /usr/share/elasticsearch
sudo mkdir -v certs
sudo ./bin/elasticsearch-certutil ca --out certs/elastic-stack-ca.p12 --pass ""
sudo ./bin/elasticsearch-certutil cert --ca certs/elastic-stack-ca.p12 --ca-pass "" --out certs/elastic-certificates.p12 --pass ""

And the Ansible playbook:

---
- name: Create a certificate directory
  file:
    owner: root
    group: '{{ elasticsearch_user_group }}'
    mode: u=rwx,g+rx,o-rwx
    path: '{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}'
    state: directory
  when: elasticsearch_tls_cert_dir is defined
- name: Check a certificate of authority
  stat:
    path: "{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}/elastic-stack-ca.p12"
  register: elastic_stack_ca_file
- name: Generate a certificate of authority
  args:
    chdir: '{{ elasticsearch_path_etc }}'
  become: yes
  command: "'{{ elasticsearch_path_home }}'/bin/elasticsearch-certutil ca --out '{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}'/elastic-stack-ca.p12 --pass '{{ elasticsearch_tls_cert_ca_pass }}'"
  when: not elastic_stack_ca_file.stat.exists
- name: Check a certificate and private key for a node
  stat:
    path: "{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}/elastic-certificates.p12"
  register: elastic_certificates_file
- name: Generate a certificate and private key for a node
  args:
    chdir: '{{ elasticsearch_path_etc }}'
  become: yes
  command: "'{{ elasticsearch_path_home }}'/bin/elasticsearch-certutil cert --ca '{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}'/elastic-stack-ca.p12 --ca-pass '{{ elasticsearch_tls_cert_ca_pass }}' --out '{{ elasticsearch_path_etc }}/{{ elasticsearch_tls_cert_dir }}'/elastic-certificates.p12 --pass '{{ elasticsearch_tls_cert_pass }}'"
  when: elastic_stack_ca_file.stat.exists and not elastic_certificates_file.stat.exists

Where the default variables can be defined as:

elasticsearch_http_port: 9200
elasticsearch_path_home: "/usr/share/elasticsearch"
elasticsearch_path_etc: "/etc/elasticsearch"
elasticsearch_tls_cert_ca_pass: ""
elasticsearch_tls_cert_pass: ""
elasticsearch_tls_cert_dir: "certs"
elasticsearch_user: "elasticsearch"
elasticsearch_user_group: "elasticsearch"

Further instructions:

6
kenorb 15 August 2019, 12:37
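The same non-interactive generation as a plain POSIX shell function, added here as an example rather than code from the answer above: it is idempotent (skips files that already exist, like the stat checks in the playbook), takes the PKCS#12 passwords from the environment instead of playbook literals, and tightens permissions on the resulting files because both contain private keys. The ES_* variable names, the defaults and the returned count are assumptions of this example, not certutil behaviour.

```shell
#!/bin/sh
# Idempotent, non-interactive CA + node certificate generation with
# elasticsearch-certutil. Added example; not part of the original answer.
# Assumed environment overrides:
#   ES_HOME      Elasticsearch install dir (default /usr/share/elasticsearch)
#   ES_CERT_DIR  target directory for the .p12 files (default /etc/elasticsearch/certs)
#   ES_CERTUTIL  path to the certutil binary (default $ES_HOME/bin/elasticsearch-certutil)
#   ES_CA_PASS / ES_CERT_PASS  PKCS#12 passwords (default empty, as in the answer)
#   ES_GROUP     group allowed to read the keystores (default elasticsearch; set empty to skip chgrp)

es_gen_certs() {
  home="${ES_HOME:-/usr/share/elasticsearch}"
  dir="${ES_CERT_DIR:-/etc/elasticsearch/certs}"
  certutil="${ES_CERTUTIL:-$home/bin/elasticsearch-certutil}"
  group="${ES_GROUP-elasticsearch}"
  ca="$dir/elastic-stack-ca.p12"
  cert="$dir/elastic-certificates.p12"
  generated=0

  [ -x "$certutil" ] || { echo "certutil not found: $certutil" >&2; return 2; }
  mkdir -p "$dir" || return 2

  # Passwords are read from the environment rather than hard-coded; note that
  # --pass still places the value on the command line, where local users can see it.
  if [ ! -f "$ca" ]; then
    "$certutil" ca --out "$ca" --pass "${ES_CA_PASS:-}" >/dev/null || return 1
    generated=$((generated + 1))
  fi
  if [ ! -f "$cert" ]; then
    "$certutil" cert --ca "$ca" --ca-pass "${ES_CA_PASS:-}" \
      --out "$cert" --pass "${ES_CERT_PASS:-}" >/dev/null || return 1
    generated=$((generated + 1))
  fi

  # Both files hold private keys: owner read/write, group read, nothing for others.
  chmod 640 "$ca" "$cert" || return 1
  if [ -n "$group" ]; then chgrp "$group" "$ca" "$cert" || return 1; fi

  # Print how many files were generated in this run (0 means both already existed).
  echo "$generated"
  return 0
}
```

If you do set a non-empty ES_CERT_PASS, store it in the Elasticsearch keystore (xpack.security.transport.ssl.keystore.secure_password) rather than in elasticsearch.yml.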