{"id":1121,"date":"2020-12-14T12:36:36","date_gmt":"2020-12-14T03:36:36","guid":{"rendered":"http:\/\/leenux.kr\/?p=1121"},"modified":"2020-12-14T14:38:07","modified_gmt":"2020-12-14T05:38:07","slug":"elasticsearch-tls-%ec%95%94%ed%98%b8%ed%99%94-%eb%b0%8f-https-%ed%86%b5%ec%8b%a0-%ec%82%ac%ec%9a%a9","status":"publish","type":"post","link":"https:\/\/leenux.kr\/?p=1121","title":{"rendered":"[Elasticsearch, Kibana] Using TLS Encryption and HTTPS Communication"},"content":{"rendered":"\n<p class=\"has-text-color has-vivid-red-color\"><strong>This walkthrough is performed from an SSH or terminal session on the server, using the localhost address.<\/strong><\/p>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Check the current license<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -X GET \"http:\/\/localhost:9200\/_xpack\/license\"<\/code><\/pre>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img loading=\"lazy\" src=\"http:\/\/leenux.kro.kr\/wp-content\/uploads\/2020\/12\/image-5.png\" alt=\"\" class=\"wp-image-1126\" width=\"600\" height=\"313\" srcset=\"https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-5.png 387w, https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-5-300x157.png 300w, https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-5-230x120.png 230w, https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-5-350x183.png 350w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><figcaption><strong>Before the change: basic<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Upgrade the license from basic to trial<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -X POST \"http:\/\/localhost:9200\/_license\/start_trial?acknowledge=true&amp;pretty\"<\/code><\/pre>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img loading=\"lazy\" src=\"http:\/\/leenux.kro.kr\/wp-content\/uploads\/2020\/12\/image-4.png\" alt=\"\" class=\"wp-image-1123\" width=\"594\" height=\"364\" srcset=\"https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-4.png 370w, https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-4-300x184.png 300w, https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-4-230x141.png 230w, https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-4-350x215.png 350w\" sizes=\"(max-width: 594px) 100vw, 594px\" \/><figcaption><strong>After the change, type: trial<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Stop the Elasticsearch service<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl stop elasticsearch<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Create a self-signed certificate authority<\/strong><\/p>\n\n\n\n<p class=\"has-text-color has-small-font-size has-vivid-red-color\"><strong>In this example we proceed without a password on the certificate authority.<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-certutil  ca<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Generate a certificate for the Elasticsearch node<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-certutil cert --ca elastic-stack-ca.p12<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-very-dark-gray-color\"><strong>The command produces output like this<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>This tool assists you in the generation of X.509 certificates and certificate\nsigning requests for use with SSL\/TLS in the Elastic stack.\n\nThe 'cert' mode generates X.509 certificate and private keys.\n    * By default, this generates a single certificate and key for use\n       on a single instance.\n    * The '-multiple' option will prompt you to enter details for multiple\n       instances and will generate a certificate and key for each one\n    * The '-in' option allows for the certificate generation to be automated by describing\n       the details of each instance in a YAML file\n\n    * An instance is any piece of the Elastic Stack that requires an SSL certificate.\n      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats\n      may all require a certificate and private key.\n    * The minimum required value for each instance is a name. This can simply be the\n      hostname, which will be used as the Common Name of the certificate. A full\n      distinguished name may also be used.\n    * A filename value may be required for each instance. This is necessary when the\n      name would result in an invalid file or directory name. The name provided here\n      is used as the directory name (within the zip) and the prefix for the key and\n      certificate files. The filename is required if you are prompted and the name\n      is not displayed in the prompt.\n    * IP addresses and DNS names are optional. Multiple values can be specified as a\n      comma separated string. 
If no IP addresses or DNS names are provided, you may\n      disable hostname verification in your SSL configuration.\n\n    * All certificates generated by this tool will be signed by a certificate authority (CA).\n    * The tool can automatically generate a new CA for you, or you can provide your own with the\n         -ca or -ca-cert command line options.\n\nBy default the 'cert' mode produces a single PKCS#12 output file which holds:\n    * The instance certificate\n    * The private key for the instance certificate\n    * The CA certificate\n\nIf you specify any of the following options:\n    * -pem (PEM formatted output)\n    * -keep-ca-key (retain generated CA key)\n    * -multiple (generate multiple certificates)\n    * -in (generate certificates from an input file)\nthen the output will be be a zip file containing individual certificate\/key files\n\nEnter password for CA (elastic-stack-ca.p12) :\nPlease enter the desired output file [elastic-certificates.p12]:\nEnter password for elastic-certificates.p12 :\n\nCertificates written to \/usr\/share\/elasticsearch\/elastic-certificates.p12\n\nThis file should be properly secured as it contains the private key for\nyour instance.\n\nThis file is a self contained file and can be copied and used 'as is'\nFor each Elastic product that you wish to configure, you should copy\nthis '.p12' file to the relevant configuration directory\nand then follow the SSL configuration instructions in the product guide.\n\nFor client applications, you may only need to copy the CA certificate and\nconfigure the client to trust this certificate.<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Set ownership and permissions<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/usr\/share\/elasticsearch\/elastic-certificates.p12 \/etc\/elasticsearch\/\nchown root:elasticsearch \/etc\/elasticsearch\/elastic-certificates.p12\nchmod 660 
\/etc\/elasticsearch\/elastic-certificates.p12<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Generate the certificate for HTTPS communication<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-certutil  http<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-very-dark-gray-color\"><strong>Sequence of answers to the prompts<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>N -> y -> Enter -> N -> Enter -> Y -> Enter -> Y -> N -> Enter<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Copy the certificate and set its permissions<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/usr\/share\/elasticsearch\nunzip elasticsearch-ssl-http.zip\ncp  \/usr\/share\/elasticsearch\/elasticsearch\/http.p12 \/etc\/elasticsearch\/\nchown root:elasticsearch \/etc\/elasticsearch\/http.p12\nchmod 660 \/etc\/elasticsearch\/http.p12<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Open the Elasticsearch configuration file<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vi \/etc\/elasticsearch\/elasticsearch.yml<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-very-dark-gray-color\"><strong>Edit the contents<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#cluster.initial_master_nodes: [\"node-1\", \"node-2\"] # comment out the existing node setting\ncluster.initial_master_nodes: elasticsearch.local\nxpack.security.enabled: true\nxpack.security.transport.ssl.enabled: true\nxpack.security.transport.ssl.verification_mode: certificate\nxpack.security.transport.ssl.keystore.path: \/etc\/elasticsearch\/elastic-certificates.p12\nxpack.security.transport.ssl.truststore.path: \/etc\/elasticsearch\/elastic-certificates.p12\nxpack.security.http.ssl.enabled: true\nxpack.security.http.ssl.keystore.path: 
\/etc\/elasticsearch\/http.p12<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Start the Elasticsearch service<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl start elasticsearch<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Set passwords for the Elasticsearch built-in users<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-setup-passwords interactive<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.\nYou will be prompted to enter passwords as the process progresses.\nPlease confirm that you would like to continue [y\/N]y\n\n\nEnter password for [elastic]:\nReenter password for [elastic]:\nEnter password for [apm_system]:\nReenter password for [apm_system]:\nEnter password for [kibana]:\nReenter password for [kibana]:\nEnter password for [logstash_system]:\nReenter password for [logstash_system]:\nEnter password for [beats_system]:\nReenter password for [beats_system]:\nEnter password for [remote_monitoring_user]:\nReenter password for [remote_monitoring_user]:\nChanged password for user [apm_system]\nChanged password for user [kibana]\nChanged password for user [logstash_system]\nChanged password for user [beats_system]\nChanged password for user [remote_monitoring_user]\nChanged password for user [elastic]<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl --insecure -X GET \"https:\/\/localhost:9200\/?pretty\"<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-very-dark-gray-color\"><strong>An error occurs<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\n  \"error\" : {\n    \"root_cause\" : [\n      {\n        \"type\" : \"security_exception\",\n        \"reason\" : \"missing authentication credentials for REST request [\/?pretty]\",\n        \"header\" : {\n          \"WWW-Authenticate\" : \"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"\n        }\n      }\n    ],\n    \"type\" : \"security_exception\",\n    \"reason\" : \"missing authentication credentials for REST request [\/?pretty]\",\n    \"header\" : {\n      \"WWW-Authenticate\" : \"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"\n    }\n  },\n  \"status\" : 401\n}\n\n# Meaning: user authentication is required<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Authentication as a user registered on the Elasticsearch server is required<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl --user elastic --insecure -X GET \"https:\/\/localhost:9200\/?pretty\"<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-very-dark-gray-color\"><strong>An error occurs<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Your private key(s) will be stored in a PKCS#12 keystore file named \"http.p12\".\nThis type of keystore is always password protected, but it is possible to use a\nblank password.\n\n# Meaning: enter the user's password<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Enter user:password<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl --user elastic:YOUR_PASSWORD --insecure -X GET \"https:\/\/localhost:9200\/?pretty\"<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator is-style-wide\"\/>\n\n\n\n<p class=\"has-text-color has-large-font-size has-very-dark-gray-color\"><strong>Kibana configuration<\/strong><\/p>\n\n\n\n<p class=\"has-text-color has-medium-font-size 
has-very-dark-gray-color\"><strong>Stop the Kibana service<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl stop kibana.service<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Copy the self-signed certificate authority certificate to Kibana<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp  \/usr\/share\/elasticsearch\/kibana\/elasticsearch-ca.pem \/etc\/kibana\/<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Open the Kibana configuration file<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vi \/etc\/kibana\/kibana.yml<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Edit the contents<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>elasticsearch.hosts: [\"https:\/\/localhost:9200\"] # Elasticsearch now communicates over HTTPS\nelasticsearch.username: \"kibana\"\nelasticsearch.password: \"YOUR_PASSWORD\"\nelasticsearch.ssl.certificateAuthorities: [ \"\/etc\/kibana\/elasticsearch-ca.pem\" ]\nelasticsearch.ssl.verificationMode: none # none skips certificate validation; certificate or full checks the server against the CA above<\/code><\/pre>\n\n\n\n<p class=\"has-text-color has-medium-font-size has-very-dark-gray-color\"><strong>Start the Kibana service<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl start kibana.service<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" width=\"854\" height=\"735\" src=\"http:\/\/leenux.kro.kr\/wp-content\/uploads\/2020\/12\/image-6.png\" alt=\"\" class=\"wp-image-1131\" srcset=\"https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-6.png 854w, https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-6-300x258.png 300w, https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-6-768x661.png 768w, https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-6-830x714.png 830w, 
https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-6-230x198.png 230w, https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-6-350x301.png 350w, https:\/\/leenux.kr\/wp-content\/uploads\/2020\/12\/image-6-480x413.png 480w\" sizes=\"(max-width: 854px) 100vw, 854px\" \/><\/figure>\n\n\n\n<p class=\"has-text-color has-large-font-size has-very-dark-gray-color\"><strong>We have now configured TLS encryption and HTTPS communication for Elasticsearch and Kibana. <\/strong> <strong>Good work.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This walkthrough is performed from an SSH or terminal session on the server, using the localhost address. Current [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1130,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[29,28],"tags":[],"_links":{"self":[{"href":"https:\/\/leenux.kr\/index.php?rest_route=\/wp\/v2\/posts\/1121"}],"collection":[{"href":"https:\/\/leenux.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/leenux.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/leenux.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/leenux.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1121"}],"version-history":[{"count":4,"href":"https:\/\/leenux.kr\/index.php?rest_route=\/wp\/v2\/posts\/1121\/revisions"}],"predecessor-version":[{"id":1132,"href":"https:\/\/leenux.kr\/index.php?rest_route=\/wp\/v2\/posts\/1121\/revisions\/1132"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/leenux.kr\/index.php?rest_route=\/wp\/v2\/media\/1130"}],"wp:attachment":[{"href":"https:\/\/leenux.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1121"}],"wp:term":[{
"taxonomy":"category","embeddable":true,"href":"https:\/\/leenux.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/leenux.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}