Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 648d80e517
Branches Tags
elasticsearch
/
docs
/
reference
/
setup
/
install
/
connect-clients.asciidoc

connect-clients.asciidoc 2.3 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 
  1. ==== Connect clients to {es}
    2. 

  2. // This file is reused in each of the installation pages. Ensure that any changes
    3. 

  3. // you make to this file are applicable across all installation environments.
    4. 

  4. 

  5. When you start {es} for the first time, TLS is configured automatically for the
    6. 

  6. HTTP layer. A CA certificate is generated and stored on disk at:
    7. 

  7. 

  8. [source,sh,subs="attributes"]
    9. 

  9. ----
    10. 

  10. {es-conf}{slash}certs{slash}http_ca.crt
    11. 

  11. ----
    12. 

  12. 

  13. The hex-encoded SHA-256 fingerprint of this
    14. 

  14. certificate is also output to the terminal. Any clients that connect to {es},
    15. 

  15. such as the 
    16. 

  16. https://www.elastic.co/guide/en/elasticsearch/client/index.html[{es} Clients],
    17. 

  17. {beats}, standalone {agent}s, and {ls} must validate that they trust the
    18. 

  18. certificate that {es} uses for HTTPS. {fleet-server} and {fleet}-managed
    19. 

  19. {agent}s are automatically configured to trust the CA certificate.
    20. 

  20. Other clients can establish trust by using either the fingerprint of the CA
    21. 

  21. certificate or the CA certificate itself.
    22. 

  22. 

  23. If the auto-configuration process already completed, you can still obtain the 
    24. 

  24. fingerprint of the security certificate. You can also copy the CA certificate
    25. 

  25. to your machine and configure your client to use it.
    26. 

  26. 

  27. [discrete]
    28. 

  28. ===== Use the CA fingerprint
    29. 

  29. 

  30. Copy the fingerprint value that's output to your terminal when {es} starts, and
    31. 

  31. configure your client to use this fingerprint to establish trust when it
    32. 

  32. connects to {es}.
    33. 

  33. 

  34. If the auto-configuration process already completed, you can still obtain the
    35. 

  35. fingerprint of the security certificate by running the following command. The 
    36. 

  36. path is to the auto-generated CA certificate for the HTTP layer.
    37. 

  37. 

  38. [source,sh]
    39. 

  39. ----
    40. 

  40. openssl x509 -fingerprint -sha256 -in config/certs/http_ca.crt
    41. 

  41. ----
    42. 

  42. 

  43. The command returns the security certificate, including the fingerprint.
    44. 

  44. The `issuer` should be `Elasticsearch security auto-configuration HTTP CA`.
    45. 

  45. 

  46. [source,sh]
    47. 

  47. ----
    48. 

  48. issuer= /CN=Elasticsearch security auto-configuration HTTP CA
    49. 

  49. SHA256 Fingerprint=<fingerprint>
    50. 

  50. ----
    51. 

  51. 

  52. [discrete]
    53. 

  53. ===== Use the CA certificate
    54. 

  54. 

  55. If your library doesn't support a method of validating the fingerprint, the 
    56. 

  56. auto-generated CA certificate is created in the following directory on each {es}
    57. 

  57. node:
    58. 

  58. 

  59. [source,sh,subs="attributes"]
    60. 

  60. ----
    61. 

  61. {es-conf}{slash}certs{slash}http_ca.crt
    62. 

  62. ----
    63. 

  63. 

  64. Copy the `http_ca.crt` file to your machine and configure your client to use this
    65. 

  65. certificate to establish trust when it connects to {es}.
    66.