Hey guys.
I'm using ECK v1.0.0-beta1 on Kubernetes and my self-signed SSL certificates (the ones from the all-in-one.yml) have expired.
As per the documentation, I've read that they should auto renew 24h prior to expiring but they haven't.
Is there any way to manually renew these certificates as logstash and kibana cannot connect to my es-cluster because of the expired certificates?
Cheers,
Radu
Hey @radw, thanks for your question.
That in itself sounds like a bug. 1.0.0-beta1 is a fairly old version (just over 1 year old), did you consider upgrading to the latest?
To address your issue right now - can you check whether it's your CA or the certificates signed by it that expired? All certificates are stored as secrets so you can do
kubectl get secret -l elasticsearch.k8s.elastic.co/cluster-name=quickstart
to list the ones for your cluster (substitute quickstart with your cluster name).
Then check whether CAs are expired by running (again substitute your cluster name):
kubectl get secret -o jsonpath='{.data.tls\.crt}' quickstart-es-http-ca-internal | base64 --decode | openssl x509 -enddate -noout
kubectl get secret -o jsonpath='{.data.tls\.crt}' quickstart-es-transport-ca-internal | base64 --decode | openssl x509 -enddate -noout
If the above certs are expired, you can delete them. ECK will create new ones.
If they are not expired, confirm that the other certs (e.g. quickstart-es-http-certs-internal, quickstart-es-transport-certificates and quickstart-es-transport-certs-public) are expired. If yes, then delete them. ECK will create new ones.
If Kibana was connected using kibanaRef it will just work, but for Logstash you will need to update the trusted CA if ECK regenerates it.
Let me know if you run into any issues.
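The checks from the reply above, generalized as an added example (not part of the original posts and not ECK's own tooling): it walks every secret carrying the cluster label and reports the expiry state of each `.crt` entry, flagging anything that ends within the 24h renewal window mentioned in the question. The function names `cert_state` and `check_cluster_certs` and the status words are made up for this example; `kubectl`, `openssl` and `base64` are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: report the expiry state of every certificate stored in the
# secrets of one ECK-managed cluster. Function names and status words are
# hypothetical, chosen for this example.

# cert_state [WINDOW_SECONDS]
# Reads one PEM certificate on stdin and prints one of:
#   EXPIRED <notAfter>   already past its end date
#   EXPIRING <notAfter>  ends within WINDOW_SECONDS (default 86400 = 24h)
#   OK <notAfter>        valid beyond the window
#   UNREADABLE           input is not a parsable certificate
# Only the first certificate of a PEM bundle is inspected.
cert_state() (
  window=${1:-86400}
  pem=$(cat)
  end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) || {
    echo "UNREADABLE"
    return 2
  }
  end=${end#notAfter=}
  # -checkend N exits non-zero when the certificate expires within N seconds.
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
    echo "EXPIRED $end"
  elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend "$window" >/dev/null; then
    echo "EXPIRING $end"
  else
    echo "OK $end"
  fi
)

# check_cluster_certs CLUSTER_NAME [WINDOW_SECONDS]
# Lists "<secret>/<key>: <state>" for each *.crt key in the cluster's secrets.
check_cluster_certs() (
  cluster=$1
  window=${2:-86400}
  # One line per data entry: secret name, key, base64 value.
  tmpl='{{range .items}}{{$n := .metadata.name}}{{range $k, $v := .data}}{{$n}} {{$k}} {{$v}}{{"\n"}}{{end}}{{end}}'
  kubectl get secret -l "elasticsearch.k8s.elastic.co/cluster-name=$cluster" -o go-template="$tmpl" |
  while read -r name key b64; do
    case $key in
      *.crt) printf '%s/%s: %s\n' "$name" "$key" \
               "$(printf '%s' "$b64" | base64 --decode | cert_state "$window")" ;;
    esac
  done
)

# Run this script with a cluster name (e.g. quickstart) to check that cluster.
if [ $# -gt 0 ]; then check_cluster_certs "$@"; fi
```

Private-key entries in the same secrets are skipped because only keys ending in `.crt` are decoded.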
Hey @dkow
Checking the certificates, I can see that the internal ones are valid and have updated at the right time, but Kibana, for some reason, could not take into consideration the new certificates.
I did manage to get the new CA by using your indications.
I've had to delete the kibana service and recreate to use the new certificates.
Should I upgrade the operator to the latest version, will I need to redo services/deployments or should this thing only upgrade the operator and leave all the other resources in place?
For example, I don't want to upgrade my ELK version.
Thank you for your support!
Hey @radw, I'm glad you got it working.
> Should I upgrade the operator to the latest version, will I need to redo services/deployments or should this thing only upgrade the operator and leave all the other resources in place?
> For example, I don't want to upgrade my ELK version.
It will only upgrade the operator. The Pods of Elasticsearch and Kibana might go through a coordinated, gradual restart as per our docs, but this will not remove the resources and this will not change their versions.