How do I extend the SSL Certificate expiry period?s

RusseL · November 15, 2022, 6:43am

Hi everyone.
I have an ES Cluster(ES version 7.4.2) that has been running for 3 years.
when I run the following query.

GET _ssl/certificates

I'm getting the output.

"expiry" : "2022-11-20T07:27:29.000Z"

My cluster is in active use and shutting it down will be a problem for me. Is there a way to extend the certificate period? Or any suggestions.

warkolm · November 15, 2022, 7:12am

7.4 is EOL and no longer supported, please upgrade

You will need to replace the certificates with updated ones that have longer expirations. You should be able to do that with a rolling restart however.

RusseL · November 16, 2022, 7:28am

Hi @warkolm. Thanks for answer.

in /usr/share/elasticsearch
For the new 'temescls01-ca.p12' certificate
I run './bin/elasticsearch-certutil cert --ca /etc/elasticsearch/certs/temescls01-ca.p12' and when I enter the 'CA CERT password' it generates a new temescl01-ca.p12 certificate.

For the new 'temescls01-certificates.p12' certificate
I run './bin/elasticsearch-certutil cert /etc/elasticsearch/certs/temescls01-certificates.p12' and enter the 'keystore password'.

I'm using the old certificates' passwords for both new certificates.

I was able to create all 2 certificates. But when I stop the elasticsearch service and replace the old certificates with new certificates by following the document here, the node cannot join the cluster. When I replace the old certificate, the node joins the cluster without any problems.

An example from elasticsearch.yml
elasticsearch.yml

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/temescls01-certificates.p12
xpack.security.transport.ssl.keystore.password: XXXXXXXXX
xpack.security.transport.ssl.truestore.path: certs/temescls01-certificates.p12
xpack.security.transport.ssl.truestore.password: XXXXXXXXX

Is there something i did wrong?

warkolm · November 16, 2022, 9:30pm

You will need to share logs please.

RusseL · November 17, 2022, 7:05am

Hi @warkolm.
I solved the problem by following the steps in this article. In addition, I had to restart the service on a single node. I think it's because my ES version is 7.4.2.

system · December 15, 2022, 7:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extend the expiry of the certificates Elasticsearch	6	376	December 8, 2023
Updating elasticsearch CA but _ssl/certificates return wrong result Elasticsearch elastic-stack-security	6	225	March 25, 2024
Certificate has expired Elasticsearch	1	174	April 25, 2024
What impact will the SSL certificate expiration in the file elastic-certificates.p12 have? Elasticsearch	9	188	April 2, 2024
Self-signed certificate expiration date and the ES cluster transport layer Elasticsearch	3	3563	March 31, 2020

How do I extend the SSL Certificate expiry period?s

Related topics