How to replace a Security Certificate signed by the Elastic CA

I had created a certificate with the following command in the past, and it is going to expire now.

bin/elasticsearch-certutil cert -out /etc/elasticsearch/config/elastic-certificates.p12 -pass ""

I would like to replace that before my cluster dies. How do I do it?

Create a new certificate using the same command above and replace the file? And then restart the cluster?

This is the output of GET /_ssl/certificate:

[
  {
    "path" : "/etc/elasticsearch/config/elastic-certificates.p12",
    "format" : "PKCS12",
    "alias" : "instance",
    "subject_dn" : "CN=instance",
    "serial_number" : "8bb338b1a75d5f98db3d645734932461b8f3ad7a",
    "has_private_key" : true,
    "expiry" : "2022-05-30T15:08:10.000Z"
  },
  {
    "path" : "/etc/elasticsearch/config/elastic-certificates.p12",
    "format" : "PKCS12",
    "alias" : "instance",
    "subject_dn" : "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number" : "6ca369a24988260f8409c996d710dd9c142f2360",
    "has_private_key" : false,
    "expiry" : "2022-05-30T15:08:07.000Z"
  },
  {
    "path" : "/etc/elasticsearch/config/elastic-certificates.p12",
    "format" : "PKCS12",
    "alias" : "ca",
    "subject_dn" : "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number" : "6ca369a24988260f8409c996d710dd9c142f2360",
    "has_private_key" : false,
    "expiry" : "2022-05-30T15:08:07.000Z"
  }
]

This is a different one. I am talking about the self-signed certificate that I created when it was 7.1.1,
and the command I used is this:

bin/elasticsearch-certutil cert -out /etc/elasticsearch/config/elastic-certificates.p12 -pass ""

How do I generate a new one, as the same command fails:

/usr/share/elasticsearch/bin/elasticsearch-certutil cert -out /tmp/elastic-certificates.p12 -pass "" --days 5000

with this error:
ERROR: Must specify either --ca or --ca-cert/--ca-key or --self-signed

When I use --self-signed it does create a new certificate, but then it does not work when I replace the old one with it.

My certificate is self-signed. I have no new CA and I am not using the old CA.

Let me add more information to it.

Basically, three years ago I generated this certificate and, as I said in the previous post, just did it using the elasticsearch-certutil command.

Here is more detail about that certificate:

# openssl pkcs12 -in /etc/elasticsearch/config/elastic-certificates.p12 -nodes -nokeys | openssl x509 -text -noout -in -
Enter Import Password:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8b:b3:38:b1:a7:5d:5f:98:db:3d:64:57:34:93:24:61:b8:f3:ad:7a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Elastic Certificate Tool Autogenerated CA
        Validity
            Not Before: May 31 15:08:10 2019 GMT
            Not After : May 30 15:08:10 2022 GMT
        Subject: CN = instance
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                6D:92:AC:EF:72:E8:35:D2:CC:CC:4C:CA:91:27:CA:7F:49:3B:10:40
            X509v3 Authority Key Identifier:
                keyid:58:34:BB:7B:01:45:A0:C7:3A:29:52:CB:81:51:C6:13:D3:82:F1:54

            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption

As you see, it is going to expire on May 31st and I am trying to increase the validity of this to a few more years.

This is the elasticsearch.yml file:

xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/config/elastic-certificates.p12

I have copied this certificate to all three of my nodes. They are identical.

When I run this command mentioned in the documentation

./bin/elasticsearch-certutil cert --ca elastic-certificates.p12

it asks for a password and an output file name and then it fails:

Please enter the desired output file [elastic-certificates.p12]:
Exception in thread "main" java.lang.IllegalArgumentException: ca certificate is not a CA!
        at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCertificate(CertGenUtils.java:208)
        at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCertificate(CertGenUtils.java:176)
        at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCertificate(CertGenUtils.java:109)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.generateCertificateAndKey(CertificateTool.java:867)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.generateAndWriteSignedCertificates(CertificateTool.java:842)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:719)
        at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:81)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:112)
        at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:95)
        at org.elasticsearch.xpack.security.cli.CertificateTool.execute(CertificateTool.java:163)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:112)
        at org.elasticsearch.cli.Command.main(Command.java:77)
        at org.elasticsearch.xpack.security.cli.CertificateTool.main(CertificateTool.java:149)

Here is the detail of that keystore:

# keytool -keystore /etc/elasticsearch/config/elastic-certificates.p12 -list
Enter keystore password:

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

instance, May 31, 2019, PrivateKeyEntry,

This one is very complicated, as I don't see much success in getting any insight here or on the internet. Everyone just points to the Elasticsearch documentation, which is complicated for me as I am not a guy who understands security stuff clearly.

I spent a few hours testing this out and here is the procedure if anyone ever has this problem.
Two commands and copy the file to the appropriate location.

It is a simple three-step process. First create the CA keystore .p12 file,
then use that to create the certificate .p12 file.

First step

As root user:

# /usr/share/elasticsearch/bin/elasticsearch-certutil ca --days 1000
....
....
...
Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :   (hit enter if you don't need password here)

This will create elastic-stack-ca.p12 in the /usr/share/elasticsearch/ directory, which is your ES_HOME.

Second step

Now use the following command to use that CA file and create the new certificate:

#  /usr/share/elasticsearch/bin/elasticsearch-certutil cert  --ca elastic-stack-ca.p12 --days 1000
......
.....
....
Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]: elastic-certificates.p12
Enter password for elastic-certificates.p12 :

Certificates written to /usr/share/elasticsearch/elastic-certificates.p12

This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

Third step

This has to be done with all cluster nodes down, or you can do it in a rolling fashion.
Put this last file, elastic-certificates.p12, at the proper location, wherever your old file was present,
then apply this setting to elasticsearch.yml and start the elasticsearch daemon.

# my old file was elastic-certificates_certi.p12
# my new file is elastic-certificates.p12

#xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/config/elastic-certificates_certi.p12
#xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/config/elastic-certificates_certi.p12
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/config/elastic-certificates.p12

I confirm this works. I tested this on a small container setup first, then applied the same logic to my cluster and all is working well.
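The GET /_ssl/certificate output quoted earlier explains the "ca certificate is not a CA!" failure: the old keystore holds the CA certificate without its private key, so it can only act as a trust anchor and cannot sign a replacement. The following added example (not from the thread or from Elastic) audits such output for entries expiring within a warning window and for keystores that actually contain a signing CA; the sample data is constructed from the values shown above, and the "today" date is assumed.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape returned by GET /_ssl/certificate, using the
# values quoted in the thread: an instance certificate with its private key and
# the signing CA's certificate without a private key (a trust anchor only).
SAMPLE_SSL_CERTIFICATES = json.loads("""
[
  {"path": "/etc/elasticsearch/config/elastic-certificates.p12", "format": "PKCS12",
   "alias": "instance", "subject_dn": "CN=instance",
   "serial_number": "8bb338b1a75d5f98db3d645734932461b8f3ad7a",
   "has_private_key": true, "expiry": "2022-05-30T15:08:10.000Z"},
  {"path": "/etc/elasticsearch/config/elastic-certificates.p12", "format": "PKCS12",
   "alias": "ca", "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
   "serial_number": "6ca369a24988260f8409c996d710dd9c142f2360",
   "has_private_key": false, "expiry": "2022-05-30T15:08:07.000Z"}
]
""")

def parse_utc(value):
    """Parse the API's timestamp format (ISO-8601, milliseconds, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def days_until_expiry(entry, now_utc):
    """Whole days from now_utc (same timestamp format) to expiry; negative if already expired."""
    return (parse_utc(entry["expiry"]) - parse_utc(now_utc)).days

def audit_ssl_certificates(entries, now_utc, warn_days=30):
    """Flag entries expiring within warn_days and list keystores that hold a CA
    together with its private key. Only such a keystore can be passed to
    'elasticsearch-certutil cert --ca'; a keystore carrying the CA certificate
    alone is what produces the 'ca certificate is not a CA!' failure."""
    expiring = [
        (e["path"], e["alias"], days_until_expiry(e, now_utc))
        for e in entries
        if days_until_expiry(e, now_utc) <= warn_days
    ]
    # Heuristic: the API does not expose the Basic Constraints extension, so a CA
    # is recognised by its certutil alias ("ca") or a CA-style subject name.
    signing_cas = {
        e["path"]
        for e in entries
        if (e["alias"] == "ca" or e["subject_dn"].endswith(" CA")) and e["has_private_key"]
    }
    return {"expiring": expiring, "signing_ca_paths": sorted(signing_cas)}

if __name__ == "__main__":
    # Assumed "today" for the demo: two weeks before the thread's expiry date.
    print(json.dumps(audit_ssl_certificates(SAMPLE_SSL_CERTIFICATES, "2022-05-15T00:00:00.000Z"), indent=2))
```

Run it against the real response of GET /_ssl/certificate on each node before and after the rotation: an empty "signing_ca_paths" list confirms you need a fresh CA keystore (step one above) rather than the old instance file, and an empty "expiring" list after the swap confirms every node picked up the new file.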
