Our Elasticsearch cluster certificates have expired, and we generated a new certificate authority and elastic certificate without a password. After uploading the new certificate to the different nodes and trying to start Elasticsearch, it fails to start with an error related to it not being able to authenticate the certificate and the password being wrong. We checked all configuration files, and no password was added either.
Did anyone run into a similar issue? Any suggestions?
Were your previous certificates created with a password? When Elasticsearch fails to start after certificate renewal, remove the stale SSL password entries from the keystore and re-add them with an empty value.
No the previous certs where generated without password. This is the error message I see : failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsear>
A common error is that there is still an old password in the elasticsearch keystore that is being read and that is trying to be used to authenticate the cert.
run the list command and see if there are any cert related settings.
bin/elasticsearch-keystore list
just to make sure.
Otherwise you will need to provide full error and how you created the certs
I like to say in general Elaastic does not do a whole lot of anything special with certs if you create them correct and set the setting correct it will work.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.