ECK Kibana TLS certificate not updated

Our Kibana TLS certificate for the HTTP layer is about to expire. This was set up through the guide below.

We already have the new certificate, and the idea was just to create a new k8s secret and redeploy Kibana (we use Helm for that). However, the new certificate is not being picked up.

Any suggestion would be appreciated.

This might be a stupid question, but did you delete the "old" Kubernetes secret with the previous certificate as well?

Also if everything else fails, deleting the current Kibana pod will recreate it, so at least that should force the refresh.

Yes, the old secret was deleted and a new one (different name) with the new certificate was created, but it's not picked up. Also, deleting the Kibana pod doesn't trigger a refresh.

I'm wondering if you're running into "Public HTTP Secret may hold expired CA" (Issue #5621, elastic/cloud-on-k8s, GitHub)? I've seen that come up in another issue today as well (where Kibana was affected and not just Elasticsearch).

Thanks for pointing that out, but I don't think that's the case, as along with our new certificate there is also a new CA certificate, which is added to the new secret.

So you deleted the secret with the old certificate and Kibana still picks it up even when recreating the pod? That's surprising.
And there is no old copy or anything in the secrets?

Yes, the old secret is no longer there, but when the pod is recreated it still picks the old secret. As far as I understood, this is the expected behavior, as in this case the pod keeps the original configuration. However, changing the Helm chart with the new secret doesn't trigger a redeployment, while other changes in the Helm chart do trigger a Kibana redeployment.

Issue found: it was due to using an encrypted key. The error message was missed. Once updated with the unencrypted key, it worked right away.
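The root cause reported in the last reply can be caught before deployment. The following is an added example, not part of the original thread: a Python check that reads a Secret as JSON (the shape `kubectl get secret -o json` returns) and flags a passphrase-protected private key. The `tls.key` field name and the sample secrets are assumptions; the PEM bodies are constructed placeholders, not real keys.

```python
import base64
import re

# PEM markers that mean the private key is passphrase-protected.
PKCS8_ENCRYPTED = b"-----BEGIN ENCRYPTED PRIVATE KEY-----"
LEGACY_ENCRYPTED = re.compile(rb"^Proc-Type:\s*4,ENCRYPTED", re.MULTILINE)
ANY_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def classify_private_key(pem: bytes) -> str:
    """Classify a PEM blob by its armor and headers only (no key parsing)."""
    if PKCS8_ENCRYPTED in pem:
        return "encrypted-pkcs8"
    if ANY_KEY.search(pem) is None:
        return "no-key"
    if LEGACY_ENCRYPTED.search(pem):  # OpenSSL traditional format with DEK-Info
        return "encrypted-legacy"
    return "unencrypted"


def check_tls_secret(secret: dict, key_field: str = "tls.key") -> str:
    """Decode the key field of a Secret object and classify it."""
    data = secret.get("data") or {}
    if key_field not in data:
        return "missing-field"
    try:
        pem = base64.b64decode(data[key_field], validate=True)
    except (ValueError, TypeError):
        return "bad-base64"
    return classify_private_key(pem)


def make_secret(pem: str) -> dict:
    """Build a constructed Secret object around a placeholder PEM string."""
    return {"kind": "Secret", "data": {"tls.key": base64.b64encode(pem.encode()).decode()}}


# Constructed samples: armor lines are real PEM syntax, bodies are placeholders.
PLAIN = "-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n"
PKCS8_ENC = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END ENCRYPTED PRIVATE KEY-----\n"
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
              "UExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, pem in [("plain", PLAIN), ("pkcs8", PKCS8_ENC), ("legacy", LEGACY_ENC)]:
        print(name, "->", check_tls_secret(make_secret(pem)))
```

Any result other than `unencrypted` means the key in the secret should be replaced with an unencrypted one, as the last reply describes.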
