I have an SSL cert that our webops team created for me a year ago and now it has expired. I've copied the new SSL cert to each server and pointed this line to it in the elasticsearch.yml file
xpack.security.http.ssl.keystore.path: mynewcert.p12
Then I restarted each node in the cluster but when I run the command
GET /_ssl/certificates/ it shows an expired cert and the date of the new cert.
How do I remove the expired cert?
{
"path" : "essvc-regiment-neptune-es-stage.ancestrydata.int-01082024.p12",
"format" : "PKCS12",
"alias" : "certreq-webserverv3-5years-79591bc3-9749-4b57-9d31-d88f3cbfd46b",
"subject_dn" : "CN=essvc-regiment-neptune-es-stage.ancestrydata.int, OU=WebOps, O=Ancestry.com , L=Lehi, ST=Utah, C=US",
"serial_number" : "5c0000d4842bc09a2c7a5348eb00010000d484",
"has_private_key" : true,
"expiry" : "2024-07-27T15:59:34.000Z"
},
{
"path" : "essvc-regiment-neptune-es-stage.ancestrydata.int-01082024.p12",
"format" : "PKCS12",
"alias" : "tq-webserverv3-5years-c684d8c1-1588-4bab-a5eb-a2652436290b",
"subject_dn" : "CN=Ancestry Root CA, DC=ancestry, DC=int",
"serial_number" : "5ed5012cf7f7e39840e416578bfe9703",
"has_private_key" : false,
"expiry" : "2036-08-17T02:31:17.000Z"
}
TimV
(Tim Vernum)
August 5, 2024, 3:19am
3
Are they the only entries returned from the certificates API?
I'm trying to understand whether you simply have an expired certificate still present in your system (which is not really an issue) or if your node is still using the expired certificate (which is a big issue).
It still seems to be using the expired cert because the application talking to Elasticsearch is saying that the cert has expired.
TimV
(Tim Vernum)
August 5, 2024, 11:35pm
5
You're not giving me much to go on.
You didn't answer my question.
and you haven't told us exactly what you did to add the new certificate.
It seems likely that there was a missing/incorrect step in the process, but I have no way of working out what that was.
Tim,
Sorry about that. When you try to connect to the endpoint or even in a web browser the cert says it has expired.
When I hit the GET /_ssl/certificates api I see an expired cert date but the name is the new cert name and the new cert with the correct date.
If this was just the API I wouldn't be so worried about it.
New cert with the correct expiry date
{
"path" : "essvc-regiment-neptune-es-stage.ancestrydata.int-30072024.p12",
"format" : "PKCS12",
"alias" : "tq-webserverv3-5years-c684d8c1-1588-4bab-a5eb-a2652436290b",
"subject_dn" : "CN=Ancestry Root CA, DC=ancestry, DC=int",
"serial_number" : "5ed5012cf7f7e39840e416578bfe9703",
"has_private_key" : false,
"expiry" : "2036-08-17T02:31:17.000Z"
},
Expired cert but with the name of the new cert.
{
"path" : "essvc-regiment-neptune-es-stage.ancestrydata.int-30072024.p12",
"format" : "PKCS12",
"alias" : "certreq-webserverv3-5years-79591bc3-9749-4b57-9d31-d88f3cbfd46b",
"subject_dn" : "CN=essvc-regiment-neptune-es-stage.ancestrydata.int , OU=WebOps, O=Ancestry.com , L=Lehi, ST=Utah, C=US",
"serial_number" : "5c0000d4842bc09a2c7a5348eb00010000d484",
"has_private_key" : true,
"expiry" : "2024-07-27T15:59:34.000Z"
},
What I did to add the new cert.
Copied new cert to each server.
Modified elasticsearch.yml to point to new cert.
Added the password for the new cert to the keystore using this command: sudo sh ./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
Restarted each elasticsearch node.
TimV
(Tim Vernum)
August 8, 2024, 1:28am
8
Chuck_Reynolds:
New cert with the correct expiry date
{
"path": "essvc-regiment-neptune-es-stage.ancestrydata.int-30072024.p12",
"format": "PKCS12",
"alias": "tq-webserverv3-5years-c684d8c1-1588-4bab-a5eb-a2652436290b",
"subject_dn": "CN=Ancestry Root CA, DC=ancestry, DC=int",
"serial_number": "5ed5012cf7f7e39840e416578bfe9703",
"has_private_key": false,
"expiry": "2036-08-17T02:31:17.000Z"
}
That's not your certificate - that's the CA.
The two key pieces of information are:
"subject_dn": "CN=Ancestry Root CA, DC=ancestry, DC=int"
"has_private_key": false
It sounds like maybe you added the CA to your truststore, but didn't import a new server certificate.
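The distinction Tim draws above (an entry without a private key is a trust anchor, only an entry with a private key can be what the node presents) can be checked mechanically over the `GET /_ssl/certificates` output. The script below is an added example, not code from this thread or from Elastic; the sample entries are constructed to mirror the shape of the output above, with made-up aliases, DNs and serial numbers.

```python
from datetime import datetime, timezone

# Constructed sample modelled on the shape of GET /_ssl/certificates output.
# Aliases, DNs and serials are invented, not the poster's values.
SAMPLE_CERTS = [
    {"path": "node-30072024.p12", "format": "PKCS12", "alias": "root-ca",
     "subject_dn": "CN=Example Root CA, DC=example, DC=int",
     "serial_number": "01", "has_private_key": False,
     "expiry": "2036-08-17T02:31:17.000Z"},
    {"path": "node-30072024.p12", "format": "PKCS12", "alias": "server",
     "subject_dn": "CN=node.example.int, OU=WebOps, O=Example, C=US",
     "serial_number": "02", "has_private_key": True,
     "expiry": "2024-07-27T15:59:34.000Z"},
]


def parse_expiry(value):
    """Parse the API's UTC timestamp (ISO-8601, millisecond precision, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def triage(entries, now):
    """Classify /_ssl/certificates entries relative to `now`.

    Only an entry with has_private_key == True can be presented by the node.
    An entry without a private key is a CA / trust anchor, so its (far-off)
    expiry says nothing about whether the served certificate is still valid.
    """
    serving_valid, serving_expired, trust_only = [], [], []
    for e in entries:
        expired = parse_expiry(e["expiry"]) <= now
        if not e["has_private_key"]:
            trust_only.append(e["alias"])
        elif expired:
            serving_expired.append(e["alias"])
        else:
            serving_valid.append(e["alias"])
    if serving_valid:
        verdict = "ok: unexpired serving certificate present"
    elif serving_expired:
        verdict = "problem: only expired serving certificate(s); the keystore still lacks the new server cert and key"
    else:
        verdict = "problem: no entry with a private key; only CA/trust entries found"
    return {"serving_valid": serving_valid, "serving_expired": serving_expired,
            "trust_only": trust_only, "verdict": verdict}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_CERTS, datetime.now(timezone.utc)).items():
        print(f"{key}: {val}")
```

In practice feed it the JSON from the API (e.g. `json.load` of a saved response) instead of the constructed sample; a "problem" verdict on a keystore path means the node has nothing unexpired to serve from that file.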