ES Security: What happens if the SSL key and cert of a node are changed and the node is restarted?

Hi,

What will happen if the SSL key and cert of a node are changed and only that node is restarted, while the other nodes in the cluster keep running?
Will other nodes be able to connect to this restarted node?
Can the modified node join the cluster?
Is there any validation in place in ES to check for a change in certificate and reject connections from the modified node?

Thanks.

You don't even necessarily need to restart the node. Elasticsearch will periodically poll the filesystem for changes and will reload the files that are referenced in the configuration. So, you could overwrite the existing key and certificate simultaneously (copy over the new key and certificate, keeping the same file name).

If you are talking about the key and certificate used for the http layer, then this will not affect the communication between nodes. It will only affect the communication between clients (Kibana, Beats, Logstash, your browser etc.) and Elasticsearch.

If you are talking about the key and certificate used for the transport layer, then assuming that the new certificate is signed by the same CA that had signed the old one (and subsequently is a CA the rest of the nodes trust), then the node wouldn't have any issue connecting to the rest of the nodes and joining the cluster.
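
A pre-deployment check for the transport-layer case described in the answer above, as an added example that is not part of the original thread or of Elasticsearch's own tooling: it confirms that a replacement certificate chains to the CA file the other nodes trust and that it matches the new private key, before the pair is copied over the existing files. The file names, subjects and throwaway CAs are constructed for the demo, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: checks to run before overwriting a node's key and certificate.
# All names, subjects and CAs below are constructed for the demo.

# True when the certificate's public key belongs to the private key.
cert_matches_key() {  # $1=cert  $2=key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate verifies against the given CA file.
cert_signed_by_ca() {  # $1=CA cert  $2=cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Both conditions must hold before the pair replaces the files in use.
safe_to_swap() {  # $1=CA cert  $2=new cert  $3=new key
    cert_signed_by_ca "$1" "$2" && cert_matches_key "$2" "$3"
}

# Issue a constructed node key/cert pair from one of the demo CAs.
issue_cert() {  # $1=dir  $2=CA name  $3=output name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-node" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -days 1 -CA "$1/$2-ca.crt" \
        -CAkey "$1/$2-ca.key" -CAcreateserial -out "$1/$3.crt" 2>/dev/null
}

# Constructed PKI: the CA the cluster trusts, plus an unrelated CA.
make_demo_pki() {  # $1=dir
    for ca_name in cluster other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=demo $ca_name CA" -keyout "$1/$ca_name-ca.key" \
            -out "$1/$ca_name-ca.crt" 2>/dev/null || return 1
    done
    issue_cert "$1" cluster renewed && issue_cert "$1" other foreign
}

demo_dir=$(mktemp -d) || exit 1
make_demo_pki "$demo_dir" || exit 1
for name in renewed foreign; do
    if safe_to_swap "$demo_dir/cluster-ca.crt" "$demo_dir/$name.crt" "$demo_dir/$name.key"
    then echo "$name: signed by the trusted CA and matches its key"
    else echo "$name: do not deploy, peers would not trust this pair"
    fi
done
rm -rf "$demo_dir"
```
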
