Generating new SSL keys for a new node

Hello, I have a cluster of 3 nodes and I want to add a new node to the cluster; for that I need to regenerate a new certificate for this new node.
I generated the first certs using this command:

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --keep-ca-key ca --pem --in /etc/elasticsearch/instance.yml --out /etc/elasticsearch/certss.zip

and I tried to regenerate the new certs for the es4 node using this command:

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --pem --ca-cert /etc/elasticsearch/ca/ca.crt --ca-key /etc/elasticsearch/ca/ca.key --in /etc/elasticsearch/instance.new.node.yml --out /etc/elasticsearch/es4.new.zip

but when starting the new node I got this warning:
[es4] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress.

The first command has some oddity in that it has a ca parameter after --keep-ca-key. It is not necessary but does not seem to cause any issue. The problem is most likely related to the configuration around TLS, e.g. either the CA is not configured consistently or the CA file used to generate the cert is not the one used for the old nodes.

It would be helpful if you could share the following for further diagnosis:

  1. Relevant sections of the elasticsearch.yml file of the old nodes and the new node.
  2. Complete log messages around the exception.

Hello, thanks for your reply, this helped me a lot to resolve the issue. The problem was that I was referring to an old ca.crt/ca.key.

One more question if you don't mind: if I have the ca.crt file and lost the ca.key, can I regenerate the certs for the new node?
Thanks,

No, you need the key to generate any new certs. You can, however, reuse the certs of existing nodes for the new node if verification_mode is configured to be certificate.
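The root cause above (a node cert signed by a stale ca.crt/ca.key) can be caught before the new node is started by checking that the freshly generated certificate actually chains to the CA the existing nodes trust. The script below is an added example, not from this thread or from Elastic's tooling: it uses openssl rather than elasticsearch-certutil, builds throwaway "old" and "current" CAs plus an es4 certificate as constructed demo data, and all paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: before copying a freshly generated node
# certificate to es4, confirm it chains to the ca.crt the existing nodes trust.
# Uses openssl rather than elasticsearch-certutil; file paths are placeholders.
set -eu

# Return 0 if NODE_CERT chains to CA_CERT, non-zero otherwise.
cert_issued_by() {
    ca_cert="$1"
    node_cert="$2"
    openssl verify -CAfile "$ca_cert" "$node_cert" >/dev/null 2>&1
}

# Print the issuer DN of a certificate, for comparing against the CA's subject.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# Constructed demo data: an "old" CA, a "current" CA and an es4 certificate
# signed only by the current CA, reproducing the mismatch from the thread.
make_demo() {
    dir="$1"
    mkdir -p "$dir"
    for ca in old current; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=demo-$ca-ca" \
            -keyout "$dir/$ca-ca.key" -out "$dir/$ca-ca.crt" >/dev/null 2>&1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=es4" \
        -keyout "$dir/es4.key" -out "$dir/es4.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/es4.csr" -days 1 -CAcreateserial \
        -CA "$dir/current-ca.crt" -CAkey "$dir/current-ca.key" \
        -out "$dir/es4.crt" >/dev/null 2>&1
}

# Usage: sh check_node_cert.sh /etc/elasticsearch/ca/ca.crt es4/es4.crt
if [ "$#" -eq 2 ]; then
    if cert_issued_by "$1" "$2"; then
        echo "OK: $2 chains to $1"
    else
        echo "MISMATCH: $2 does not chain to $1 ($(issuer_of "$2"))"
    fi
fi
```

Run it against the ca.crt deployed on the old nodes and the new es4.crt; a MISMATCH result is the same condition that produced the "client did not trust this server's certificate" warning.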
