Issue - Update security certificates with a different CA

Derick_Jansen · September 13, 2023, 6:59am

Hi all

I followed the instructions at :-Update security certificates with a different CA | Elasticsearch Guide [7.17] | Elastic

I first tried restarting one node and get the below error

[2023-09-13T18:49:49,292][WARN ][o.e.c.s.DiagnosticTrustManager] failed to establish trust with server at []; the server provided a certificate with subject name [CN=instance] and fingerprint [a172d9229e7c3c1fae3bac25cc0b6a7d0cede1c2]; the certificate does not have any subject alternative names; the certificate is issued by [CN=Elastic Certificate Tool Autogenerated CA]; the certificate is signed by (subject [CN=Elastic Certificate Tool Autogenerated CA] fingerprint [ce84943b4c84bda30754c26675081b7bc8e6dccc]) which is self-issued; the [CN=Elastic Certificate Tool Autogenerated CA] certificate is not trusted in this ssl context ([xpack.security.transport.ssl]); this ssl context does trust a certificate with subject [CN=Elastic Certificate Tool Autogenerated CA] but the trusted certificate has fingerprint [421a33b762eb7964776b45740f7fc022ec77d64d]

Any suggestions would be greatly appreciated.

TimV · September 13, 2023, 1:21pm

It looks like you have a mix of old and new certificates still in use.

Specifically you have 2 different certificates the have a subject of CN=Elastic Certificate Tool Autogenerated CA. It is likely that one of them is the old CA and the other is the new CA.

Derick_Jansen · September 13, 2023, 10:10pm

Hi Tim!

Thanks for your reply, I truly appreciate it.

From the documentation this is expected. The output should contain both the existing CA certificate and your new certificate.

Would it help to generate the new CA with a different CN?

On every node in your cluster, import the new ca.crt certificate into your existing CA truststore. This step ensures that your cluster trusts the new CA certificate. This example uses the Java keytool utility to import the certificate into the elastic-stack-ca.p12 CA truststore.

keytool -importcert -trustcacerts -noprompt -keystore elastic-stack-ca.p12 \ -storepass -alias new-ca -file ca.crt

Check that the new CA certificate was added to your truststore.

keytool -keystore config/elastic-stack-ca.p12 -list

When prompted, enter the password for the CA truststore.The output should contain both the existing CA certificate and your new certificate. If you previously used the elasticsearch-certutil tool to generate your keystore, the alias of the old CA defaults to ca and the type of entry is PrivateKeyEntry.

Derick_Jansen · September 14, 2023, 12:56pm

I ended up doing a full restart on the newly generated p12 files and stack came up happy.

Thanks for the help!

system · October 12, 2023, 12:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.