I have updated our cluster's certificates that are about to expire. I followed the steps suggested by the official docs and completed the task with success.....at least that's what I thought.
I generated all new certificates signed by the same CA that I used 3 years ago when I signed the ones that are now expiring . (1 for http and 1 for transport - I know that I can use the same one but wanted to have different ones). After uploading the new certs to all nodes (to the location specified in elasticsearch.yml) and then restarted the cluster....all works fine and it seems to be using the new certs.
However, when I query GET _ssl/certificates from kibana, it shows the new certificates along with the ones that don't exist anymore. What else do I have to do in order to remove them completely from the cluster? I checked all the nodes but couldn't find them at all.
Yes we know we have to upgrade soon.
and yes, I did restart all nodes.
Any idea why the old certificates still show up?
In our prod cluster, all data nodes and client node are using successfully the new certificates for both: transport and HTTP, so I didn't really understand why there are still records of the old ones.