Hi,
We have a cluster in which we have enabled TLS security. To enable the security we used the elastic cert utility to generate the cert and CA. While generation of the certs or the CA any of the prompts did not ask us about the Hostnames or IP. We generated just one certificate and used that cert in all the nodes. Now the machines are moving to new IP and we are confused if the previous cert which is working now will work or not. Are the certs generated with elasticsearch cert-util are bound by IP/Hostname?
Will there be any changes with respect to already generated passwords which were generated using elasticsearch-setup-passwords?
Any update regarding this
What version are you on? (please always include that)
Yes assuming you used the default process, it is not clear exactly how you created them but yes. You will need to create new certs.
You can create them again manually from the new hosts and / or use an instances.yml
There should not be ... people rotate / apply new certs as part of normal maintenance, which does not change the Authentication.
Thanks for the reply we are using elasticsearch version 8.15.1
We generated the certificates using the elasticsearch-certutil using the CA mode.
Using that we generated single CA and single Certificate which we used in each and every node in our cluster and till now faced no issue. In the CA mode certificate generation it did not ask the IP or the DNS info for any machine.
We have followed this approach in this while creating initial CA and Certificate. It does not ask for IP or hostname. So will the same certificate work when the IP for the hosts of the cluster will change?
This documentation does not include the instances.yml file related steps in which we used to generate certs for every instance using docker. Is that approach obsolete?
Yes but it determines the hostname automatically and thus ties the certificate to the hostname it you can see that if you run a curl -v or looks at the certificate
or get the truststore password
./bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password
then look at the cert
$ openssl pkcs12 -in transport.p12 -clcerts -nokeys
Enter Import Password: <<< PASSWORD FROM ABOVE
Bag Attributes
friendlyName: transport
localKeyID: 54 69 6D 65 20 31 37 34 33 30 31 36 37 35 35 32 36 34
subject=CN=hyperion. <<< HERE HOSTNAME CERT IS BOUND TO
issuer=CN=Elasticsearch security auto-configuration transport CA
Look for IPs or SubjectAltName etc...
No the original method is valid, I was showing you options
In short you need to regenerate the certs ...
I am not specifically sure why if you ONLY changed the IPs why they original certs are not working but I would regenerate them. Looks at the certs and determine.
This is "cert stuff" ...yeah ugh... but elasticsearch does not really do anything special
Hi Stephen,
We tried it with the same old certificate and it worked. I guess the steps followed in the above doc does not bound the certificate with IP/Host, because it is mentioned to generate one certificate and copy it to other nodes in the cluster.
Hmmm my test showed bound to host name using the default method.
Just to help me out can you show me where it says create one cert and copy to all the nodes?
In this doc in the step 2 :
On any single node, generate a certificate and private key for the nodes in your cluster. You include the elastic-stack-ca.p12 output file that you generated in the previous step.
And in step 3 :
On every node in your cluster, copy the
elastic-certificates.p12file to the$ES_PATH_CONFdirectory.
Is my interpretation correct or am I understanding it wrong ?
Nope you are correct for transport ..
For http interface they are bound to hostname and IP
That was my confusion, apologies
Are you still having issues?
I have created certi on A cluster and have used on completely different cluster on different network segment and it works.
Oh i see,
No we are not facing any issues thanks.