Http client did not trust this server's certificate, closing connection Netty4HttpChannel

zaeemmasood · June 23, 2025, 7:07pm

Hi All,

Suddenly I was unable to execute any GET command via DevTools as I started getting 502 Bad gateway error as follows:

GET /_ssl/certificates {
  "statusCode": 502,
  "error": "Bad Gateway",
  "message": "certificate has expired"
}

I noticed in http.p12 that the cert expired on June 14 as follows:

-bash-4.4$ /opt/jdk/latest/bin/keytool -list -v -keystore http.p12 
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: http
Creation date: Jun 15, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=sd-a524-83c7
Issuer: CN=Elasticsearch security auto-configuration HTTP CA
Serial number: cbd2efbf79fd6ae161271f735fddaf95c1596c56
Valid from: Thu Jun 15 23:42:37 EDT 2023 until: Sat Jun 14 23:42:37 EDT 2025

Elasticsearch logs were also showing this as follows:

[2025-06-23T14:54:59,930][WARN ][o.e.h.n.Netty4HttpServerTransport] [524-83c7] http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/146.12.12.47:43077, remoteAddress=/146.128.12.49:33198}

Please guide on how to renew this certificate. This cert was created automatically while creating ES cluster elasticsearch-8.7.0

Thanks

leandrojmp · June 23, 2025, 7:35pm

You will need to manually create a new CA and certificates and use them, you can follow this documentation here.

zaeemmasood · June 24, 2025, 5:48pm

Thanks

zaeemmasood · June 27, 2025, 1:53pm

Thanks. I created a new CA and certs and was able to bring up the cluster but I still see the following error coming repeatedly at a fast rate:

[2025-06-27T09:36:33,019][WARN ][o.e.h.n.Netty4HttpServerTransport] [sd-ec6d-8f64] http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/14.18.12.46:42044, remoteAddress=/14.18.14.206:58912}

Also noticed that one of the node in the cluster goes down and on starting with the following error after some time:

[2025-06-26T16:20:15,030][WARN ][o.e.t.ThreadPool         ] [sd-ec6d-8f64] execution of [ReschedulingRunnable{runnable=org.elasticsearch.indices.IndexingMemoryController$ShardsIndicesStatusChecker@68b51d7c, interval=5s}] took [549500ms] which is above the warn threshold of [5000ms]

Please guide

zaeemmasood · June 27, 2025, 2:01pm

On running GET _ssl/certificates I get the following:

[
  {
    "path": "certs/http.p12",
    "format": "PKCS12",
    "alias": "ca",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "35caf541f837921ebfc35426cc57ef1c7d3192e0",
    "has_private_key": false,
    "expiry": "2028-06-23T14:36:10.000Z",
    "issuer": "CN=Elastic Certificate Tool Autogenerated CA"
  },
  {
    "path": "certs/http.p12",
    "format": "PKCS12",
    "alias": "http",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "35caf541f837921ebfc35426cc57ef1c7d3192e0",
    "has_private_key": false,
    "expiry": "2028-06-23T14:36:10.000Z",
    "issuer": "CN=Elastic Certificate Tool Autogenerated CA"
  },
  {
    "path": "certs/http.p12",
    "format": "PKCS12",
    "alias": "http",
    "subject_dn": "CN=ad-7a-1f",
    "serial_number": "9936781b1bb9ebcfd743ba237d170934587a8ca9",
    "has_private_key": true,
    "expiry": "2030-06-24T14:42:14.000Z",
    "issuer": "CN=Elastic Certificate Tool Autogenerated CA"
  },
  {
    "path": "certs/transport.p12",
    "format": "PKCS12",
    "alias": "transport",
    "subject_dn": "CN=Elasticsearch security auto-configuration HTTP CA",
    "serial_number": "1c582b75d2bd85d58c7cf58bd5be1217da61b9d5",
    "has_private_key": false,
    "expiry": "2122-05-23T03:17:12.000Z",
    "issuer": "CN=Elasticsearch security auto-configuration HTTP CA"
  },
  {
    "path": "certs/transport.p12",
    "format": "PKCS12",
    "alias": "transport",
    "subject_dn": "CN=ad-7a-15f",
    "serial_number": "aba77410a181cf1d1d5f459f0f6c55d50bc45b6a",
    "has_private_key": true,
    "expiry": "2122-05-23T03:17:13.000Z",
    "issuer": "CN=Elasticsearch security auto-configuration HTTP CA"
  },
  {
    "path": "certs/transport.p12",
    "format": "PKCS12",
    "alias": "transport_ca",
    "subject_dn": "CN=Elasticsearch security auto-configuration HTTP CA",
    "serial_number": "1c582b75d2bd85d58c7cf58bd5be1217da61b9d5",
    "has_private_key": false,
    "expiry": "2122-05-23T03:17:12.000Z",
    "issuer": "CN=Elasticsearch security auto-configuration HTTP CA"
  }
]

Topic		Replies	Views
ElasticSearch renew certificate errors Elasticsearch elastic-stack-security , docker	2	193	May 17, 2024
Change certificate for up and running cluster Elasticsearch elastic-stack-security	2	443	January 3, 2022
Renew auto generated http certificates http.p12 Elastic Search	2	106	May 26, 2025
Renew auto generated http certificates Elasticsearch elastic-stack-security	6	1521	June 5, 2025
Renew http.p12 and http_ca.p12 Elasticsearch	1	36	August 13, 2025

Http client did not trust this server's certificate, closing connection Netty4HttpChannel

Related topics