Change the Certificate

We have an Elasticsearch cluster with version "7.17.5".
The certificate has expired. I have renewed the certificate but somehow the cluster does not accept the certificate. It still has the old certificate because the error in the logs refers to the date of the old certificate.
The configuration of the cluster is:

```yaml
bootstrap.memory_lock: true
cluster.initial_master_nodes:
  - gl-vn01-es.
  - gl-vn02-es
cluster.name: Graylog
discovery.seed_hosts:
  - gl-vn01-es.
  - gl-vn02-es.
  - gl-vn03-es.
http.port: 9200
network.host: 0.0.0.0
network.publish_host: gl-vn01-es.
node.name: gl-vn01-es.
node.roles:
  - data
  - master
transport.port: 9300

#################################### Paths ####################################

# Path to directory containing configuration (this file and logging.yml):

path.data: /mnt/elasticsearch

path.logs: /var/log/elasticsearch

action.auto_create_index: true

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: "certificate"
xpack.security.transport.ssl.key: "/etc/elasticsearch/es.key"
xpack.security.transport.ssl.certificate: "/etc/elasticsearch/es.crt"

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: "/etc/elasticsearch/es.key"
```

The error in the logs is:

```
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Oct 21 11:55:10 CEST 2022
```

Welcome to our community! :smiley:

Did you restart Elasticsearch after you replaced the certificate? If not, you need to.
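
As an added example (not part of the original posts and not Elastic's code): a small Python check that compares the expiry date in the `CertificateExpiredException` log line with the `notAfter` of the file Elasticsearch is configured to load. It separates a file that was never replaced from a renewed file that a running node has not picked up. The zone-offset table, the result labels and the two `openssl` output samples are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed UTC offsets (hours) for the zone abbreviations Java prints; extend as needed.
ZONE_OFFSETS = {"UTC": 0, "GMT": 0, "CET": 1, "CEST": 2}

# Matches Java's Date.toString() form, as in the log line quoted in the question.
EXPIRED_RE = re.compile(
    r"CertificateExpiredException: NotAfter: "
    r"\w{3} (\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\w+) (\d{4})")

# Log line from the question; the two openssl outputs below are constructed samples.
SAMPLE_LOG = ("Caused by: java.security.cert.CertificateExpiredException: "
              "NotAfter: Fri Oct 21 11:55:10 CEST 2022\n")
OLD_ENDDATE = "notAfter=Oct 21 09:55:10 2022 GMT"
NEW_ENDDATE = "notAfter=Oct 25 09:00:00 2024 GMT"

def rejected_not_after(log_text):
    """UTC expiry times of the certificates the JVM rejected as expired."""
    found = set()
    for stamp, zone, year in EXPIRED_RE.findall(log_text):
        if zone not in ZONE_OFFSETS:
            continue  # unknown abbreviation: skip rather than guess an offset
        local = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")
        utc = local - timedelta(hours=ZONE_OFFSETS[zone])
        found.add(utc.replace(tzinfo=timezone.utc))
    return sorted(found)

def parse_openssl_enddate(line):
    """Parse the output of: openssl x509 -noout -enddate -in /etc/elasticsearch/es.crt"""
    value = line.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def diagnose(log_text, enddate_line, now=None):
    """Compare the expiry the log complains about with the file on disk."""
    now = now or datetime.now(timezone.utc)
    on_disk = parse_openssl_enddate(enddate_line)
    rejected = rejected_not_after(log_text)
    if not rejected:
        return "no-expiry-errors"
    if on_disk in rejected:
        return "disk-cert-is-the-expired-one"  # the renewed file never reached this path
    if on_disk <= now:
        return "disk-cert-also-expired"
    # File is fine, so the old certificate is still held in memory somewhere:
    # this node has not been restarted, or another node still presents it.
    return "disk-cert-valid-old-cert-still-presented"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, OLD_ENDDATE))
    print(diagnose(SAMPLE_LOG, NEW_ENDDATE, now=datetime(2022, 10, 25, tzinfo=timezone.utc)))
```

Run the `openssl x509 -noout -enddate` command against the certificate path on every node, since each node validates the certificate its peers present on the transport port.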
