Kibana shows old/expired Cluster's certificates even though I have updated them

Elastic Stack Elasticsearch
1

Hi all,

I have updated our cluster's certificates that are about to expire. I followed the steps suggested by the official docs and completed the task with success.....at least that's what I thought.

I generated all new certificates signed by the same CA that I used 3 years ago when I signed the ones that are now expiring . (1 for http and 1 for transport - I know that I can use the same one but wanted to have different ones). After uploading the new certs to all nodes (to the location specified in elasticsearch.yml) and then restarted the cluster....all works fine and it seems to be using the new certs.

However, when I query GET _ssl/certificates from kibana, it shows the new certificates along with the ones that don't exist anymore. What else do I have to do in order to remove them completely from the cluster? I checked all the nodes but couldn't find them at all.

image
image808×785 55.3 KB

Thanks,

2

Welcome to our community! :smiley:

Can you confirm what page(s) you used from the docs?
Did you restart the nodes?

3

Hi, Thanks for the welcome :slight_smile:

I basically followed 2 pages:

And yes, I did a full-restart of the whole cluster as a rolling restart didn't work.

BTW cluster uses elasticsearch v7.6.

Regards,

4

Please note that version is EOL and no longer supported, you should be looking to upgrade as a matter of urgency.

Did you restart your nodes?

5

Yes we know we have to upgrade soon.
and yes, I did restart all nodes.

Any idea why the old certificates still show up?
In our prod cluster, all data nodes and client node are using successfully the new certificates for both: transport and HTTP, so I didn't really understand why there are still records of the old ones.

Is this a bug or something?

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.