July 14, 2022, 3:10pm
Our Kibana TLS certificate for the HTTP layer is about to expire. This was set up through the guide below
We already have the new certificate and the idea was just to create a new k8s secret, and redeploy kibana (we use helm for that). However, the new certificate is not being picked up.
Any suggestion would be appreciated.
July 18, 2022, 12:49am
This might be a stupid question, but did you delete the "old" Kubernetes secret with the previous certificate as well?
Also if everything else fails, deleting the current Kibana pod will recreate it, so at least that should force the refresh.
August 1, 2022, 1:17pm
Yes, the old secret was deleted and a new one (different name) with the new certificate was created, but it's not picked up. Also, deleting the Kibana pod doesn't trigger a refresh.
August 2, 2022, 12:15am
I'm wondering if you're running into Public HTTP Secret may hold expired CA · Issue #5621 · elastic/cloud-on-k8s · GitHub? I've seen that in another issue come up today as well (where Kibana was affected and not just Elasticsearch).
August 2, 2022, 10:23am
Thanks for pointing that out, but I don't think that's the case, as along with our new certificate there is also a new CA certificate which is added to the new secret.
August 2, 2022, 2:02pm
So you deleted the secret with the old certificate and Kibana still picks it up even when recreating the pod? That's surprising.
And there is no old copy or anything in the secrets?
August 2, 2022, 3:21pm
Yes, old secret is no longer there, but when the pod is recreated it still picks the old secret. As far as I understood this is the expected behavior as in this case the pod keeps the original configuration. However, changing the helm chart with the new secret doesn't trigger a redeployment, while other changes in the helm chart do trigger kibana redeployment.
August 16, 2022, 10:59am
Issue found: it was due to using an encrypted key. The error message was missed. Once updated with the unencrypted key, it worked right away.
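A pre-deployment check for the root cause reported above, added here as an example and not part of the original thread: it classifies a PEM private key as encrypted or unencrypted from its PEM markers. The secret name, namespace and the `tls.key` data key in the usage comment are assumptions; the sample keys are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: classify a PEM private key read from stdin.
# Prints one of: encrypted | unencrypted | unknown
pem_key_state() {
  _pem=$(cat)
  if printf '%s\n' "$_pem" | grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----'; then
    echo encrypted      # PKCS#8 EncryptedPrivateKeyInfo
  elif printf '%s\n' "$_pem" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
    echo encrypted      # traditional OpenSSL format protected by a passphrase
  elif printf '%s\n' "$_pem" | grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----'; then
    echo unencrypted
  else
    echo unknown        # not a recognisable PEM private key
  fi
}

# Constructed samples: the markers are real PEM headers, the bodies are placeholders.
SAMPLE_PKCS8_ENC='-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER
-----END ENCRYPTED PRIVATE KEY-----'
SAMPLE_LEGACY_ENC='-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000

PLACEHOLDER
-----END RSA PRIVATE KEY-----'
SAMPLE_PLAIN='-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----'

for sample in "$SAMPLE_PKCS8_ENC" "$SAMPLE_LEGACY_ENC" "$SAMPLE_PLAIN"; do
  printf '%s\n' "$sample" | pem_key_state
done

# Against a cluster (placeholder names; tls.key is the assumed data key):
#   kubectl get secret <secret-name> -n <namespace> \
#     -o jsonpath='{.data.tls\.key}' | base64 -d | pem_key_state
```

If the result is `encrypted`, `openssl pkey -in encrypted.key -out plain.key` writes an unencrypted copy after prompting for the passphrase.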
September 13, 2022, 10:59am
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.