Change the certificates

Hello Team,

I have an ELK stack running with hot warm architecture. Everything is fine until I was asked to add new nodes to the stack...
How am I supposed to add new nodes and how can I create new certificates for the new host?

  1. Can I use the same ca cert to generate new cert for the new host?
  2. Can I change all the certificates for the host If i wanted ?
  3. Will changing all the certificates give me an issue to login?
    I faced something like this in my past
failed to authenticate user 'elastic' against https ///_security/_authenticate pretty

Yes, provided you have a copy of the private key for that CA cert.
If you didn't save a copy of that key, then there is no way to issue new certificates using that CA.

If you do have the key, then you can use elasticsearch-certutil to issue new certificates.

  1. Can I change all the certificates for the host If i wanted ?

You can.
Doing so without downtime is tricky.

The steps are:

If using PEM certificates:

  1. Generate a new CA
  2. Generate new certificates
  3. Update elasticsearch.yml for each node to trust the new CA alongside the old CA
  4. Perform a rolling restart
  5. Update elasticsearch.yml on each node to set (& .key) to use the new certificate for that node.
  6. Perform a rolling restart
  7. Update elasticsearch.yml for each node to stop trusting the old CA (but keep trusting the new CA)
  8. Perform a rolling restart
  1. Will changing all the certificates give me an issue to login?

It's impossible to answer that because we haven't provided any information about the cause of the error.

It is entirely possible to break your cluster when updating certificates, and there are ways to break a cluster that will prevent users from authenticating. So, it's possible that you will get an issue like that if you make a mistake.

Hello Tim,

Thanks for the response. Now would you be able to give me small demo on how to generate new certs from CA.CRT.....
Let say I have and its respected crt now I wanna add another server

Thanks in advance.

@TimV @Luca_Belluccini
There is no article present in forum about the certificate manager except for this.

Which gives an idea on how to create the certificates but what if the certs are expired and I want to extend to next 4 years and also how to add new hosts to the same stack.

It will be great if you can give me these details.


@Badger @Christian_Dahlqvist
Any help from you also appreciated.

Hello Tim
Also, upon trying many methods, found a solution which is here.

./bin/elasticsearch-certutil cert -silent -pem -ca-cert ca.crt -ca-key ca.key -in new_instances.yml -out

This generated each node's key and crt but there was different issue which is

{"type": "server", "timestamp": "2021-04-23T15:04:06,398Z", "level": "WARN", "component": "o.e.c.c.ClusterFormationFailureHelper", "": "Cluster", "": "es-master-4", "message": "master not discovered yet, this node has not previously joined a bootstrapped (v7+) cluster, and this node must discover master-eligible nodes [,,,,] to bootstrap a cluster: have discovered [{es-master-4}{lgQUHqC9RzO0kAQAvJL-1A}{yyPSRfpZRiyUUkzW1DEERA}{}{}{cdhilmrstw}{ml.machine_memory=12429029376, xpack.installed=true, transform.node=true, ml.max_open_jobs=20}]; discovery will continue using [,,] from hosts providers and [{es-master-4}{lgQUHqC9RzO0kAQAvJL-1A}{yyPSRfpZRiyUUkzW1DEERA}{}{}{cdhilmrstw}{ml.machine_memory=12429029376, xpack.installed=true, transform.node=true, ml.max_open_jobs=20}] from last-known cluster state; node term 0, last-accepted version 0 in term 0" }
{"type": "server", "timestamp": "2021-04-23T15:04:06,485Z", "level": "WARN", "component": "o.e.x.c.s.t.n.SecurityNetty4Transport", "": "Cluster", "": "es-master-4", "message": "client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=/, remoteAddress=/}" }
{"type": "server", "timestamp": "2021-04-23T15:04:06,617Z", "level": "WARN", "component": "o.e.c.s.DiagnosticTrustManager", "": "Cluster", "": "es-master-4", "message": "failed to establish trust with server at [<unknown host>]; the server provided a certificate with subject name [CN=elk1] and fingerprint [226959ca2d25696cc3bd558ed049bcfb629b843c]; the certificate has subject alternative names [DNS:localhost,IP:,IP:,DNS:elk1]; the certificate is issued by [CN=Elastic Certificate Tool Autogenerated CA] but the server did not provide a copy of the issuing certificate in the certificate chain; this ssl context ([]) trusts [1] certificate with subject name [CN=Elastic Certificate Tool Autogenerated CA] and fingerprint [e5ac2583a3e148403f9296598909c68b0e675eb7] but the signatures do not match",
"stacktrace": [" PKIX path validation failed: Path does not chain with any of the trust anchors",
"at ~[?:?]",
"at ~[?:?]",
"at ~[?:?]",
"at ~[?:?]",
"at ~[?:?]",
"at org.elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted( [elasticsearch-ssl-config-7.10.0.jar:7.10.0]",
"at$T13CertificateConsumer.checkServerCerts( [?:?]",
"at$T13CertificateConsumer.onConsumeCertificate( [?:?]",
"at$T13CertificateConsumer.consume( [?:?]",
"at [?:?]",
"at [?:?]",
"at$DelegatedTask$ [?:?]",
"at$DelegatedTask$ [?:?]",
"at [?:?]",
"at$ [?:?]",
"at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks( [netty-handler-4.1.49.Final.jar:4.1.49.Final]",
"at io.netty.handler.ssl.SslHandler.runDelegatedTasks( [netty-handler-4.1.49.Final.jar:4.1.49.Final]",
"at io.netty.handler.ssl.SslHandler.unwrap( [netty-handler-4.1.49.Final.jar:4.1.49.Final]",
"at io.netty.handler.ssl.SslHandler.decodeJdkCompatible( [netty-handler-4.1.49.Final.jar:4.1.49.Final]",
"at io.netty.handler.ssl.SslHandler.decode( [netty-handler-4.1.49.Final.jar:4.1.49.Final]",
"at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection( [netty-codec-4.1.49.Final.jar:4.1.49.Final]",
"at io.netty.handler.codec.ByteToMessageDecoder.callDecode( [netty-codec-4.1.49.Final.jar:4.1.49.Final]",
"at io.netty.handler.codec.ByteToMessageDecoder.channelRead( [netty-codec-4.1.49.Final.jar:4.1.49.Final]",
"at [netty-transport-4.1.49.Final.jar:4.1.49.Final]",
"at [netty-transport-4.1.49.Final.jar:4.1.49.Final]",
"at [netty-transport-4.1.49.Final.jar:4.1.49.Final]",
"at$HeadContext.channelRead( [netty-transport-4.1.49.Final.jar:4.1.49.Final]",
"at [netty-transport-4.1.49.Final.jar:4.1.49.Final]",
"at [netty-transport-4.1.49.Final.jar:4.1.49.Final]",
"at [netty-transport-4.1.49.Final.jar:4.1.49.Final]",
"at$ [netty-transport-4.1.49.Final.jar:4.1.49.Final]",
"at [netty-transport-4.1.49.Final.jar:4.1.49.Final]",
"at [netty-transport-4.1.49.Final.jar:4.1.49.Final]",
"at [netty-transport-4.1.49.Final.jar:4.1.49.Final]",
"at [netty-transport-4.1.49.Final.jar:4.1.49.Final]",
"at io.netty.util.concurrent.SingleThreadEventExecutor$ [netty-common-4.1.49.Final.jar:4.1.49.Final]",
"at io.netty.util.internal.ThreadExecutorMap$ [netty-common-4.1.49.Final.jar:4.1.49.Final]",
"at [?:?]",
"Caused by: Path does not chain with any of the trust anchors",
"at ~[?:?]",
"at ~[?:?]",
"at ~[?:?]",
"at ~[?:?]",
"... 37 more"] }

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.