Change the Certificate

we have an Elasticsearch cluster with the version "7.17.5"
The certificate has expired. I have renewed the certificate but somehow the cluster does not accept the certificate. It still has the old certificate because the error in the logs refers to the date of the old certificate.
the configuration of the cluster is:

bootstrap.memory_lock: true
cluster.initial_master_nodes:

  • gl-vn01-es.
  • gl-vn02-es
    cluster.name: Graylog
    discovery.seed_hosts:
  • gl-vn01-es.
  • gl-vn02-es.
  • gl-vn03-es.
    http.port: 9200
    network.host: 0.0.0.0
    network.publish_host: gl-vn01-es.
    node.name: gl-vn01-es.
    node.roles:
  • data
  • master
    transport.port: 9300

#################################### Paths ####################################

Path to directory containing configuration (this file and logging.yml):

path.data: /mnt/elasticsearch

path.logs: /var/log/elasticsearch

action.auto_create_index: true

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: "certificate"
xpack.security.transport.ssl.key: "/etc/elasticsearch/es.key"
xpack.security.transport.ssl.certificate: "/etc/elasticsearch/es.crt"

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: "/etc/elasticsearch/es.key"

the error in the logs is:

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorExcep
tion: validity check failed
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Oct 21 11:55:10 CEST 2022

Welcome to our community! :smiley:

Did you restart Elasticsearch after you replaced the certificate? If not, you need to.