I followed the instructions at: Update security certificates with a different CA | Elasticsearch Guide [7.17] | Elastic
I first tried restarting one node and got the below error
[2023-09-13T18:49:49,292][WARN ][o.e.c.s.DiagnosticTrustManager] failed to establish trust with server at ; the server provided a certificate with subject name [CN=instance] and fingerprint [a172d9229e7c3c1fae3bac25cc0b6a7d0cede1c2]; the certificate does not have any subject alternative names; the certificate is issued by [CN=Elastic Certificate Tool Autogenerated CA]; the certificate is signed by (subject [CN=Elastic Certificate Tool Autogenerated CA] fingerprint [ce84943b4c84bda30754c26675081b7bc8e6dccc]) which is self-issued; the [CN=Elastic Certificate Tool Autogenerated CA] certificate is not trusted in this ssl context ([xpack.security.transport.ssl]); this ssl context does trust a certificate with subject [CN=Elastic Certificate Tool Autogenerated CA] but the trusted certificate has fingerprint [421a33b762eb7964776b45740f7fc022ec77d64d]
Any suggestions would be greatly appreciated.
It looks like you have a mix of old and new certificates still in use.
Specifically, you have 2 different certificates that have a subject of
CN=Elastic Certificate Tool Autogenerated CA. It is likely that one of them is the old CA and the other is the new CA.
Thanks for your reply, I truly appreciate it.
From the documentation this is expected.
The output should contain both the existing CA certificate and your new certificate.
Would it help to generate the new CA with a different CN?
- On every node in your cluster, import the new ca.crt certificate into your existing CA truststore. This step ensures that your cluster trusts the new CA certificate. This example uses the Java keytool utility to import the certificate into the elastic-stack-ca.p12 CA truststore.
keytool -importcert -trustcacerts -noprompt -keystore elastic-stack-ca.p12 \
  -storepass <password> -alias new-ca -file ca.crt
- Check that the new CA certificate was added to your truststore.
keytool -keystore config/elastic-stack-ca.p12 -list
When prompted, enter the password for the CA truststore. The output should contain both the existing CA certificate and your new certificate. If you previously used the elasticsearch-certutil tool to generate your keystore, the alias of the old CA defaults to ca and the type of entry is
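The DiagnosticTrustManager message above already tells you which CA fingerprint the node expects and which one the truststore actually holds, so the quickest check is to compare those fingerprints against what keytool reports for the truststore on disk. The following is an added example, not code from the thread or from Elastic: it parses the log line, extracts the SHA-1 fingerprints of the server certificate, its issuer and the CA the SSL context currently trusts, then looks for the issuer fingerprint in the output of `keytool -list -v` (which prints a SHA1 line per entry; the plain `keytool -list` only shows SHA-256, which will not match the log). The keytool listings below are constructed samples built around the fingerprints from the log line; the function names are this example's own.

```python
import re

# Fields of Elasticsearch's DiagnosticTrustManager "failed to establish trust" message.
_SERVER_RE = re.compile(r"subject name \[([^\]]+)\] and fingerprint \[([0-9a-f]{40})\]")
_ISSUER_RE = re.compile(r"signed by \(subject \[([^\]]+)\] fingerprint \[([0-9a-f]{40})\]\)")
_CONTEXT_RE = re.compile(r"ssl context \(\[([^\]]+)\]\)")
_TRUSTED_RE = re.compile(r"trusted certificate has fingerprint \[([0-9a-f]{40})\]")

# The log line from the thread above (transport SSL context, old CA still trusted).
LOG_LINE = (
    "[2023-09-13T18:49:49,292][WARN ][o.e.c.s.DiagnosticTrustManager] failed to establish trust "
    "with server at ; the server provided a certificate with subject name [CN=instance] and "
    "fingerprint [a172d9229e7c3c1fae3bac25cc0b6a7d0cede1c2]; the certificate does not have any "
    "subject alternative names; the certificate is issued by [CN=Elastic Certificate Tool "
    "Autogenerated CA]; the certificate is signed by (subject [CN=Elastic Certificate Tool "
    "Autogenerated CA] fingerprint [ce84943b4c84bda30754c26675081b7bc8e6dccc]) which is "
    "self-issued; the [CN=Elastic Certificate Tool Autogenerated CA] certificate is not trusted "
    "in this ssl context ([xpack.security.transport.ssl]); this ssl context does trust a "
    "certificate with subject [CN=Elastic Certificate Tool Autogenerated CA] but the trusted "
    "certificate has fingerprint [421a33b762eb7964776b45740f7fc022ec77d64d]"
)

# Constructed `keytool -list -v` output: truststore before the new CA was imported.
BEFORE_IMPORT = """Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: ca
Creation date: Sep 13, 2023
Entry type: trustedCertEntry

Owner: CN=Elastic Certificate Tool Autogenerated CA
Issuer: CN=Elastic Certificate Tool Autogenerated CA
Certificate fingerprints:
\t SHA1: 42:1A:33:B7:62:EB:79:64:77:6B:45:74:0F:7F:C0:22:EC:77:D6:4D
\t SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""

# Constructed `keytool -list -v` output: same truststore after `keytool -importcert ... -alias new-ca`.
AFTER_IMPORT = BEFORE_IMPORT + """
Alias name: new-ca
Creation date: Sep 13, 2023
Entry type: trustedCertEntry

Owner: CN=Elastic Certificate Tool Autogenerated CA
Issuer: CN=Elastic Certificate Tool Autogenerated CA
Certificate fingerprints:
\t SHA1: CE:84:94:3B:4C:84:BD:A3:07:54:C2:66:75:08:1B:7B:C8:E6:DC:CC
\t SHA256: FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
"""


def parse_trust_failure(line):
    """Return the subjects and SHA-1 fingerprints named in a trust-failure line, or None."""
    server = _SERVER_RE.search(line)
    issuer = _ISSUER_RE.search(line)
    if not (server and issuer):
        return None
    ctx = _CONTEXT_RE.search(line)
    trusted = _TRUSTED_RE.search(line)
    return {
        "server_subject": server.group(1),
        "server_fp": server.group(2),
        "issuer_subject": issuer.group(1),
        "issuer_fp": issuer.group(2),
        "ssl_context": ctx.group(1) if ctx else None,
        "trusted_fp": trusted.group(1) if trusted else None,
    }


def truststore_sha1_fingerprints(keytool_v_output):
    """Map alias -> lowercase, colon-free SHA-1 hex from `keytool -list -v` output."""
    result = {}
    alias = None
    for raw in keytool_v_output.splitlines():
        text = raw.strip()
        if text.startswith("Alias name:"):
            alias = text.split(":", 1)[1].strip()
        elif text.startswith("SHA1:") and alias is not None:
            result[alias] = text.split(":", 1)[1].replace(":", "").strip().lower()
    return result


def diagnose(line, keytool_v_output):
    """Check whether the issuer the node rejected is present in the truststore listing."""
    info = parse_trust_failure(line)
    if info is None:
        return None
    store = truststore_sha1_fingerprints(keytool_v_output)
    alias = next((a for a, fp in store.items() if fp == info["issuer_fp"]), None)
    info["issuer_alias"] = alias
    info["issuer_in_truststore"] = alias is not None
    return info


if __name__ == "__main__":
    for label, listing in (("before import", BEFORE_IMPORT), ("after import", AFTER_IMPORT)):
        r = diagnose(LOG_LINE, listing)
        if r["issuer_in_truststore"]:
            # On disk the issuer is trusted; if the node still logs this, it has not picked up the file.
            print(f"{label}: issuer {r['issuer_fp']} present as alias '{r['issuer_alias']}'")
        else:
            print(f"{label}: issuer {r['issuer_fp']} missing; {r['ssl_context']} trusts only {r['trusted_fp']}")
```

Two CAs sharing the subject CN=Elastic Certificate Tool Autogenerated CA are only distinguishable by fingerprint, which is why this compares hashes rather than names. If the issuer fingerprint is already in the truststore yet the warning persists, the running node is still using the old truststore contents, which matches the full restart that resolved the thread.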
I ended up doing a full restart on the newly generated p12 files and stack came up happy.
Thanks for the help!