New Node Cert Issue

Hi,

I'm currently trying to add a new node to an existing cluster but appear to have issues with the certificates. Error log is stating the following.

    [2018-04-10T12:08:54,945][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [es-node1] write and flush on the network layer failed (channel: [id: 0x1e1078a8, L:0.0.0.0/0.0.0.0:45310 ! R:/10.1.1.1:9300])
    javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

    [2018-04-10T12:08:54,952][WARN ][o.e.x.s.t.n.SecurityNetty4Transport] [es-node1] client did not trust this server's certificate, closing connection [id: 0xe317532b, L:0.0.0.0/0.0.0.0:40538 ! R:/10.1.1.1:9300]

The original CA that was used to create the certificates I believe is no longer available. The set of certs on this host were generated using this method.

    /usr/share/elasticsearch/bin/x-pack/certgen --days 1095 --cert /etc/elasticsearch/x-pack/ca/ca.crt --key /etc/elasticsearch/x-pack/ca/ca.key --in /etc/elasticsearch/x-pack/ca/es-node1.yml --out es-node1.zip --pass

The ca.key/crt files were taken from one of the existing hosts in the cluster.

I'm now wondering if we need to set a new CA on one of the nodes and regenerate certificates for all of the nodes and deploy those? Currently it appears that the other nodes in the cluster don't trust the certificate that I had generated for this new node.

Is there an easier method here? If it's the only way, then is this document the best to follow - https://www.elastic.co/blog/tls-elastic-stack-elasticsearch-kibana-logstash-filebeat

Cheers!
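The `certificate_unknown` alert above means the peer could not chain the new node's certificate to a CA it trusts. The following script is an added example (not part of this thread, and not Elastic's own tooling): it reproduces that situation offline with `openssl`, building two throwaway CAs in a scratch directory, issuing one node certificate from each, and running the same chain check a TLS peer performs. All names (`cluster-ca`, `other-ca`, `es-node0`, `es-node1`) are constructed; `cert_trusted_by` and `cert_issuer` are the two checks you would run against a real node certificate and the `ca.crt` the existing nodes actually trust.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "certificate_unknown"
# trust failure offline with openssl. "cluster-ca" stands in for the CA the
# existing nodes trust, "other-ca" for a CA they have never seen.
# All names below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA certificate and key in $WORK
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_node_cert CA NODE: issue a certificate for NODE signed by CA
issue_node_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# cert_trusted_by CA NODE: succeed only if NODE's certificate chains to CA.
# This is the check the peer performs during the TLS handshake; when it
# fails the peer sends the certificate_unknown alert seen in the log.
cert_trusted_by() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# cert_issuer NODE: print the issuer DN, i.e. which CA actually signed it.
# Comparing this with the subject of the trusted ca.crt is the quickest
# way to spot a certificate issued from a different CA.
cert_issuer() {
  openssl x509 -in "$WORK/$1.crt" -noout -issuer
}

# demo: one node certificate from each CA, both checked against cluster-ca
demo() {
  make_ca cluster-ca
  make_ca other-ca
  issue_node_cert cluster-ca es-node0
  issue_node_cert other-ca es-node1
  for node in es-node0 es-node1; do
    if cert_trusted_by cluster-ca "$node"; then
      echo "$node: trusted by cluster-ca ($(cert_issuer "$node"))"
    else
      echo "$node: NOT trusted by cluster-ca ($(cert_issuer "$node"))"
    fi
  done
}

demo
```

On a real node, run the equivalent of `openssl verify -CAfile <trusted ca.crt> <node cert>` using the `ca.crt` the existing cluster nodes have in their truststore; if that fails while the cert verifies against the `ca.crt` the new node was generated with, the two CA files differ, and every node must trust whichever CA signed the new certificate (or, as the reply below says, all certificates must be reissued from one CA).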

Hi,

I would recommend if you don't have the original CA, this should immediately be deemed as unsafe/a precursor to a security breach, for all certificates pertaining to that now old CA.

All certs should be re/generated using a new CA.
