How to generate an SSL certificate for a new node in an existing cluster

I have a 7-node cluster and now I want to add another node. For the previous nodes I have:

  • master_node1.crt and master_node1.key
  • master_node2.crt and master_node2.key
  • master_node3.crt and master_node3.key
  • data_node1.crt and data_node1.key
  • data_node2.crt and data_node2.key
  • data_node3.crt and data_node3.key
  • data_node4.crt and master_node4.key
  • ca.crt and ca.key

bin/elasticsearch-certutil cert --name ew2 --days 7300 --keysize 2048 --pem --ip xx.xx.xx.xx --out /etc/elasticsearch/ew2.zip

For the new node I have the following configuration. The configuration is the same as on the previous nodes:

xpack.security.enabled: true
#xpack.security.audit.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.key: certs/ew2/ew2.key
xpack.security.transport.ssl.certificate: certs/ew2/ew2.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca/ca.crt

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key:  certs/ew2/ew2.key
xpack.security.http.ssl.certificate: certs/ew2/ew2.crt
xpack.security.http.ssl.certificate_authorities: certs/ca/ca.crt

But I got the warning:

[2021-02-27T17:25:24,375][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [em2] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=/master_node_1:9300, remoteAddress=/data_node_4:47046}

How can I generate an SSL certificate for a new node in an existing cluster if I have the ca.crt and ca.key files?

I solved it :grinning:

bin/elasticsearch-certgen --cert <path_of_ca.crt file> --key <path_of_ca.key file> --in new_instances.yaml --keysize 2048 --out itest.zip

That will work, but certgen is deprecated and is likely to be removed in ES 8.0.

What you really want is:

bin/elasticsearch-certutil cert --ca-cert ca.crt --ca-key ca.key \
    --name ew2 --days 7300 --keysize 2048 --pem --ip xx.xx.xx.xx --out /etc/elasticsearch/ew2.zi
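The warning in the question is what the existing nodes log when the new node presents a certificate that does not chain to the ca.crt they trust: the first certutil command above had no --ca-cert/--ca-key, so certutil minted a fresh CA and signed ew2 with it. With verification_mode: full the peers additionally require the node's IP (or hostname) to appear as a SAN. The script below is an added example, not code from the thread or from Elastic; it checks both conditions on a node certificate before it is copied into certs/<node>/. It assumes openssl is on PATH, and the CA, node IP (10.0.0.8 standing in for xx.xx.xx.xx) and certificate names are constructed stand-ins generated in a temporary directory; in practice CA_CRT would be the cluster's existing ca.crt.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a node certificate
# against the cluster CA before deploying it to a new Elasticsearch node.
# Every certificate below is constructed with openssl in a temp dir.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Return 0 if $2 chains to CA $1 and carries $3 as an IP SAN.
# Return 1 if the chain check fails (the cause of "client did not trust
# this server's certificate"); return 2 if the SAN is missing (the extra
# check that verification_mode: full performs on top of the chain).
verify_node_cert() {
  ca="$1"; crt="$2"; ip="$3"
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -text 2>/dev/null \
    | grep -q "IP Address:$ip" || return 2
  return 0
}

# Issue a node certificate signed by the given CA, optionally with an IP SAN.
# (Stands in for elasticsearch-certutil cert --ca-cert ... --ca-key ... --ip ...)
issue_node_cert() {
  ca_crt="$1"; ca_key="$2"; name="$3"; ip="$4"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "/CN=$name" >/dev/null 2>&1
  if [ -n "$ip" ]; then
    printf 'subjectAltName=IP:%s\n' "$ip" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$ca_crt" -CAkey "$ca_key" \
      -CAcreateserial -days 30 -extfile "$WORK/$name.ext" \
      -out "$WORK/$name.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$ca_crt" -CAkey "$ca_key" \
      -CAcreateserial -days 30 -out "$WORK/$name.crt" >/dev/null 2>&1
  fi
}

# Constructed cluster CA (stands in for the existing ca.crt / ca.key).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=cluster-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
# Constructed second CA: what certutil creates when --ca-cert/--ca-key are omitted.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=fresh-ca" \
  -keyout "$WORK/fresh-ca.key" -out "$WORK/fresh-ca.crt" >/dev/null 2>&1

CA_CRT="$WORK/ca.crt"
NODE_IP=10.0.0.8   # constructed; stands in for xx.xx.xx.xx

issue_node_cert "$WORK/ca.crt" "$WORK/ca.key" ew2-good "$NODE_IP"
issue_node_cert "$WORK/fresh-ca.crt" "$WORK/fresh-ca.key" ew2-wrong-ca "$NODE_IP"
issue_node_cert "$WORK/ca.crt" "$WORK/ca.key" ew2-no-san ""

for n in ew2-good ew2-wrong-ca ew2-no-san; do
  rc=0
  verify_node_cert "$CA_CRT" "$WORK/$n.crt" "$NODE_IP" || rc=$?
  case $rc in
    0) echo "$n: OK (chains to cluster CA, SAN contains $NODE_IP)" ;;
    1) echo "$n: FAIL, not signed by the cluster CA (peers will close the connection)" ;;
    2) echo "$n: FAIL, no IP SAN for $NODE_IP (verification_mode: full will reject it)" ;;
  esac
done
```

Run it once against the real ca.crt and the freshly unzipped ew2.crt; only a certificate that reports OK for the address the other nodes connect to will pass both the trust check and the full verification mode in the configuration above.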
