Changing Certificate with New CA on Elasticsearch Cluster

yvangarc · October 18, 2023, 2:05pm

Hello,

We have an elasticsearch cluster with version 8.5.1, in a baremetal kubernetes cluster, and we have the need to change the CA and certificates of the cluster nodes.

I've already created the new CA and certificate for the nodes and created a secret in kubernetes with them, which is how the old certificate is. And in theory, update the new certificate is simple, changing the secret of the old certificate to the secret of the new one in the volumemount of the elastic statefulset.

The problem is that this causes the rollingupdate node by node, and the first node that is restarted, having a different certificate than the rest of the cluster, never joins, so I have had to reverse.

Note that we have a cluster of 3 masters and 5 data nodes, with a statefulset for both types of nodes. With this configuration, I would appreciate it if somebody could help me with the procedure to be able to change the certificate satisfactorily.

Regards

Alexis_Roberson · October 18, 2023, 2:58pm

Hi @yvangarc
Perhaps the nodes are not trusting the new certificate chain. Maybe this thread would be a bit helpful for your issue.

yvangarc · October 27, 2023, 11:19am

Finally i was able to do it in several steps:

Firstly, only add the newca to the secret that stores the certificates and setting:

- name: xpack.security.transport.ssl.certificate_authorities
  value: '["oldca", "newca"]'

Once the cluster trust the new CA, i can change the transport certificate of the all nodes keeping both CAs in the cluster trusted certificate_authorities

And finally, you can remove the old CA from the cluster trusted certificate_authorities.

Regards

system · November 24, 2023, 11:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.