Issues Getting Node to Rejoin Cluster after Renewing Certificates

I’ve been working through the challenges of renewing my http and transport certificates on one of my nodes. Both were renewed using the same CA that was used prior.

Although the elasticsearch service is now starting successfully, I’m still having issues.

My node isn’t rejoining the cluster.

Based on these instructions, I’m wondering if I need to generate new certificates for all of my nodes and reboot all of them? I was hoping that, by using the same CA, the new certificates would be trusted.

Update certificates with the same CA | Elasticsearch Guide [8.19] | Elastic

Only the certificate of this node expired?

Please share the logs you are receiving; they will have the reason why it cannot join the cluster.

Actually, certificates expired on Node01 (192.168.XX.20) and Node02 (192.168.XX.21). Node03 and Node04 were added later, so those certs are still valid.

I haven’t made any changes to certs on any other node.

][o.e.d.PeerFinder ][node01] address [192.168.XX.21:9300], node [unknown] discovery result: [192.168.XX.21:9300] connect_exception: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: unable to find valid certification path to requested target; for summary, see logs from org.elasticsearch.cluster.coordination.ClusterFormationFailureHelper; for troubleshooting guidance, see https://www.elastic.co/docs/troubleshoot/elasticsearch/discovery-troubleshooting?version=9.1
[2025-11-07T13:50:46,759][WARN ][o.e.t.TcpTransport ][node01] exception caught on transport layer [Netty4TcpChannel{localAddress=/192.168.XX.20:52876, remoteAddress=/192.168.XX.21:9300, profile=default}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
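
The "PKIX path building failed" error in these logs means a node could not chain the certificate presented in the transport handshake to a CA in its trust store. As an added example (not part of the thread and not Elastic's tooling), the script below shows one way to test that with `openssl verify`, using throwaway PEM files built on the spot. The names `ca_old`, `ca_new`, `node01`, `node03` and `Demo ES CA` are assumptions for the demo, and the two CAs deliberately share a subject DN while having different keys.

```shell
#!/usr/bin/env bash
# Added example: every key, certificate and name here is constructed for the demo.
set -eu
WORK=$(mktemp -d)

# Minimal OpenSSL config so the demo CAs carry basicConstraints CA:TRUE.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca <name>: self-signed CA; every CA gets the SAME subject DN on purpose.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/demo.cnf" \
    -subj "/CN=Demo ES CA" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert <ca> <node>: PEM node certificate signed by <ca>.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# chains_to <ca> <node>: does <node>'s certificate verify against <ca>?
chains_to() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

# subject / fingerprint <cert>: the DN is a label, the fingerprint is the identity.
subject()     { openssl x509 -in "$WORK/$1.crt" -noout -subject; }
fingerprint() { openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256; }

make_ca ca_old; make_ca ca_new     # same DN, different key pairs
issue_cert ca_old node03           # certificate from the CA the demo cluster trusts
issue_cert ca_new node01           # certificate from the look-alike CA

echo "node03 vs ca_old: $(chains_to ca_old node03)"
echo "node01 vs ca_old: $(chains_to ca_old node01)"
echo "CA fingerprints:"; fingerprint ca_old; fingerprint ca_new
```

Run against real files, the same `openssl verify -CAfile` and fingerprint comparison shows whether a renewed certificate chains to the CA certificate the other nodes actually hold, rather than to one that only shares its name.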