Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: b2e196fe91
Branches Tags
elasticsearch
/
docs
/
reference
/
setup
/
install
/
connect-clients.asciidoc

connect-clients.asciidoc 2.0 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950 
  1. ==== Connect clients to {es}
    2. 

  2. 

  3. When you start {es} for the first time, TLS is configured automatically for the 
    4. 

  4. HTTP layer. A CA certificate is generated and stored on disk, and the hex-coded 
    5. 

  5. SHA-256 fingerprint of this certificate is also output to the terminal. Any 
    6. 

  6. clients that connect to {es}, such as the 
    7. 

  7. https://www.elastic.co/guide/en/elasticsearch/client/index.html[{es} Clients],
    8. 

  8. {beats}, {ls}, and {fleet} must validate that they trust the certificate that
    9. 

  9. {es} uses for HTTPS. Clients can establish trust by using either the fingerprint
    10. 

  10. of the CA certificate or the CA certificate itself.
    11. 

  11. 

  12. If the auto-configuration process already completed, you can still obtain the 
    13. 

  13. fingerprint of the security certificate. You can also copy the CA certificate
    14. 

  14. to your machine and configure your client to use it.
    15. 

  15. 

  16. [discrete]
    17. 

  17. ===== Use the CA fingerprint
    18. 

  18. 

  19. Copy the fingerprint value that's output to your terminal when {es} starts, and
    20. 

  20. configure your client to use this fingerprint to establish trust when it
    21. 

  21. connects to {es}.
    22. 

  22. 

  23. If the auto-configuration process already completed, you can still obtain the
    24. 

  24. fingerprint of the security certificate by running the following command. The 
    25. 

  25. path is to the auto-generated CA certificate for the HTTP layer.
    26. 

  26. 

  27. [source,sh]
    28. 

  28. ----
    29. 

  29. openssl x509 -fingerprint -sha256 -in config/certs/http_ca.crt
    30. 

  30. ----
    31. 

  31. 

  32. `<timestamp>`:: The timestamp of when the auto-configuration process created the security files directory.
    33. 

  33. 

  34. The command returns the security certificate, including the fingerprint.
    35. 

  35. The `issuer` should be `Elasticsearch security auto-configuration HTTP CA`.
    36. 

  36. 

  37. [source,sh]
    38. 

  38. ----
    39. 

  39. issuer= /CN=Elasticsearch security auto-configuration HTTP CA
    40. 

  40. SHA256 Fingerprint=<fingerprint>
    41. 

  41. ----
    42. 

  42. 

  43. [discrete]
    44. 

  44. ===== Use the CA certificate
    45. 

  45. 

  46. If your library doesn't support a method of validating the fingerprint, the 
    47. 

  47. auto-generated CA certificate is created in the
    48. 

  48. `config/certs` directory on each {es} node. Copy the
    49. 

  49. `http_ca.crt` file to your machine and configure your client to use this
    50. 

  50. certificate to establish trust when it connects to {es}.
    51.