Regenerate the SSL Certificate that was auto-generated on setup of ElasticSearch

Elastic Search
1

Hello!

We have been using Elasticsearch with Zammad on an Ubuntu server for several months, and we recently moved the server to a new IP address. Because Elasticsearch was set up with the former IP address, the auto-generated SSL Certificate, "/etc/elasticsearch/certs/http_ca.crt", is not working with the new IP address. Specifically, it gives an error that the IP address does not match the one in the certificate.

We were wondering if there was a command to use that would regenerate this SSL Certificate based on the current IP settings? I tried using the

bin/elasticsearch-certutil

command but when I do that it says that there is "no such file or directory". I am unable to use that command, and based on my reading of the webpage:

I do not know if that would solve our issue as we are not trying to create a new Certificate Authority or a whole new set of certificates and keys, just the one that was generated on setup.

Please let me know if there is any more information that you would need to get a better idea of our situation, and thank you in advance for your help.

2

Hi @frdh-samuelw

Seems a lot like this post

What version are you on?

Where are you running that from? /
How did you install?

But yes you need to regenerate the Certs and then make sure if you created

3

Hello @stephenb !

Thank you for your response!

We are using elasticsearch version 8.17.1

Thank you for linking that post. The situation is very similar, however we have not used the cert utility at all yet, we have only used the auto-generated SSL certificate. I tried using the

bin/elasticsearch-certutil

from the home directory. Sorry, I haven't used commands with 'bin' at the beginning before, should I run that from the /etc/elasticsearch directory?

We installed by following the instructions here:

Using the apt repository. I did not set up additional nodes as we only have the one server running Elastic Search.

For the certutil command page, would the certificate I want to regenerate be an "HTTP" certificate? There doesn't seem to be anything there about the default http_ca.crt or how to get it to regenerate, but if creating a new one is the way to go then I would definitely try that if I can get the command to work.

Thank you again for your help!

4

If you installed as a Deb package you need to go to

cd /usr/share/elasticsearch

The Home directory as detailed at the bottom of the page you linked and run commands from there

5

This happens because the original certificate includes the old IP or hostname. Here's how to regenerate it correctly:

  1. Go to the Elasticsearch installation path

cd /usr/share/elasticsearch

  1. Run certutil in interactive mode

sudo bin/elasticsearch-certutil http

  1. Follow the prompts:
  • Generate a new certificate
  • Enter the new server IP or hostname
  • Save the .zip file
  1. Extract the new certs

unzip elasticsearch-ssl-http.zip -d certs/


5. **Replace the old certs**

sudo mv /etc/elasticsearch/certs /etc/elasticsearch/certs.bak
sudo mv certs/ /etc/elasticsearch/certs
  1. Update elasticsearch.yml if needed

yaml

xpack.security.http.ssl:
  enabled: true
  key: /etc/elasticsearch/certs/elasticsearch.key
  certificate: /etc/elasticsearch/certs/elasticsearch.crt
  certificate_authorities: [ "/etc/elasticsearch/certs/ca.crt" ]
  1. Restart Elasticsearch

sudo systemctl restart elasticsearch


---

Hope this helps anyone facing the same issue!
If you're using Docker or Elastic Cloud, the steps are slightly different — happy to help if needed.

—
*Contributed by [Rafael Silva](https://www.linkedin.com/in/rafael-silva-observabilidade/), Observability Specialist & Elastic Enthusiast*
[GitHub: @rafasilva1984](https://github.com/rafasilva1984