参考：https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup-https.html

https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-passwords.html

在生成环境中，如果你没有配置 HTTPS 连接，某些 Elasticsearch 功能（比如令牌和 API 密钥）将被禁用，该安全层确保所有进出集群的通信都是安全的，HTTPS 配置建立在“传输层TLS安全配置之上” ，所以它要求你的集群已经配置了传输层安全配置。

生成证书

同样的，也是使用 elasticsearch-certutil 工具来生成证书。

1. 生成根证书

$ elasticsearch-certutil ca

2. 生成节点证书

[root@1834deb24be8 bin]# elasticsearch-certutil http

## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.

This tool will ask you a number of questions in order to generate the right
set of files for your needs.

## Do you wish to generate a Certificate Signing Request (CSR)?

A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you don't have
access to the keys for that CA). 

If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.

If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.

Generate a CSR? [y/N]n

## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

Use an existing CA? [y/N]y

## What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path: /usr/share/elasticsearch/elastic-stack-ca.p12
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:

## How long should your certificates be valid?

Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.

Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

For how long should your certificate be valid? [5y] 

## Do you wish to generate one certificate per node?

If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.

Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.

If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.

However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.

Generate a certificate per node? [y/N]

## Which hostnames will be used to connect to your nodes?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.


You did not enter any hostnames.
Clients are likely to encounter TLS hostname verification errors if they
connect to your cluster using a DNS name.

Is this correct [Y/n]

## Which IP addresses will be used to connect to your nodes?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.


You did not enter any IP addresses.

Is this correct [Y/n]

## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: elasticsearch
Subject DN: CN=elasticsearch
Key Size: 2048

Do you wish to change any of these options? [y/N]n

## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file:  [<ENTER> for none]

## Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip] 

Zip file written to /usr/share/elasticsearch/elasticsearch-ssl-http.zip

• Generate a CSR? [y/N]n：是否生成 CSR，输入 n
• Use an existing CA? [y/N]y：用已经存在的根证书，输入 y
• CA Path: /usr/share/elasticsearch/elastic-stack-ca.p12：输入根证书的绝对路径
• Password for elastic-stack-ca.p12：输入根证书的密码
• For how long should your certificate be valid? [5y] ：证书有效期，默认为 5y（5年）
• Generate a certificate per node? [y/N]：是否为每一个节点都生成证书
• Enter all the hostnames that you need, one per line.：输入集群中节点的主机名，回车两次跳过即可
• Enter all the IP addresses that you need, one per line.：输入集群中节点的IP地址，回车两次跳过即可
• Do you wish to change any of these options? [y/N]n：是否要改变选项，输入 n
• Provide a password for the “http.p12” file: [ for none]：输入私钥 http.p12 的密码，回车不设置密码
• What filename should be used for the output zip file? ：输出的压缩文件的文件名

最后在 $ES_HOME 目录下会生成一个 elasticsearch-ssl-http.zip 压缩文件，这个压缩文件包含一个用于 Elasticsearch 和 Kibana 的目录

/elasticsearch
|_ README.txt
|_ http.p12
|_ sample-elasticsearch.yml

/kibana
|_ README.txt
|_ elasticsearch-ca.pem
|_ sample-kibana.yml

Elasticsearch配置HTTPS证书

在集群中的每一个节点上，完成以下步骤：

1. 将 http.p12 证书复制到 $ES_HOME_CONF 目录下
2. 编辑 elasticsearch.yml 文件以启用 HTTPS 安全并指定 http.p12 安全证书的位置

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12

3. 如果私钥设置了密码，将你私钥的密码添加到 Elasticsearch 的安全设置中

./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

4. 启动 Elasticsearch

Kibana配置HTTPS证书

当你使用 http 参数运行 elasticsearch-certutil 工具时，它会创建一个 kibana 目录包含 elasticsearch-ca.pem 文件，你可以使用此文件将 Kibana 配置为信任 HTTP 层的 Elasticsearch CA。

1. 将 elasticsearch-ca.pem 为你文件复制到由 $KBN_PATH_CONF 路径定义的 Kibana 配置目录
2. 打开 kibana.yml 并添加以下行以指定 HTTP 层的安全证书的位置

elasticsearch.ssl.certificateAuthorities: $KBN_PATH_CONF/elasticsearch-ca.pem

3. 在配置文件中添加下面的行来为指定你的 ES 集群的 HTTPS URL

elasticsearch.hosts: https://<your_elasticsearch_host>:9200

4. 重启 Kibana

修改后的配置文件

docker-compose.yml

version: '2.2'
services: 
  es01:
    image: elasticsearch:7.14.1
    container_name: es01
    environment:
      - node.name=es01
      - discovery.seed_hosts=es02
      - cluster.initial_master_nodes=es01,es02
      - cluster.name=docker-cluster
      #开启内存锁定检查
      - bootstrap.memory_lock=true
      #限制堆大小
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      #开启安全功能
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.client_authentication=required
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.keystore.path=http.p12
      - xpack.security.http.ssl.truststore.path=http.p12
      #注意这里，默认是full,会校验主机名，如果在生成证书的时候没有设置主机名，这里改成certificate
      - xpack.security.http.ssl.verification_mode=certificate
    volumes:
      - /root/work/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
      - /root/work/cert/https/elasticsearch/http.p12:/usr/share/elasticsearch/config/http.p12
    #内存锁定
    ulimits: 
      memlock:
        soft: -1
        hard: -1
  es02:
    image: elasticsearch:7.14.1
    container_name: es02
    environment:
      - node.name=es02
      - discovery.seed_hosts=es01
      - cluster.initial_master_nodes=es01,es02
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate 
      - xpack.security.transport.ssl.client_authentication=required
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.keystore.path=http.p12
      - xpack.security.http.ssl.truststore.path=http.p12
      #注意这里，默认是full,会校验主机名，如果在生成证书的时候没有设置主机名，这里改成certificate
      - xpack.security.http.ssl.verification_mode=certificate
    volumes:
      - /root/work/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
      - /root/work/cert/https/elasticsearch/http.p12:/usr/share/elasticsearch/config/http.p12
    ulimits:
      memlock:
        soft: -1
        hard: -1
  kibana:
    image: kibana:7.14.1
    container_name: kibana
    environment:
      - SERVER_NAME=kibana.localhost
      - ELASTICSEARCH_HOSTS=https://es01:9200
      - I18N_LOCALE=zh-CN
      - ELASTICSEARCH_USERNAME=elastic
      - ELASTICSEARCH_PASSWORD="123123"
      - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY="fhjskloppd678ehkdfdlliverpoolfcr"
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/elasticsearch-ca.pem
      #注意这里，如果是full,会校验主机名，如果在生成证书的时候没有设置主机名，这里改成certificate
      - ELASTICSEARCH_SSL_VERIFICATIONMODE=certificate
    volumes:
     - /root/work/cert/https/kibana/elasticsearch-ca.pem:/usr/share/kibana/config/elasticsearch-ca.pem
    ports:
      - 5601:5601
    depends_on:
      - es01

启动

docker-compose up -d

启动之后要设置 Elasticsearch 集群的用户名和密码

进入 es01 中的 bin 目录下

elasticsearch-setup-password interactive

将密码设置为 kibana 配置文件中设置的密码

然后访问 Kibana 后可以看到连接成功。