We are currently evaluating x-pack security and there is an open question where i cannot find any answer:
For transport TLS we need to change the root certificate from time to time but we have to avoid a full cluster restart cause we cannot tolerate any downtime. Is this possible?
Hi,
A rolling restart can be performed as long as the certificate chain remains unchanged. The best practice here is to sign individual TLS certificates by a common CA so certificate and host verification will pass when the node with the new cert comes back online. A full cluster restart would be required if changing any CA cert in the certificate chain.
Jason
what about adding the new root ca additively to the trusted CA in rolling restart manner, then update the nodes with new certificates also in rolling restart manner and optionally remove the old ca again in rolling restart manner. Would this not work in the case of a root certificate change?
You could do this in two rolling restarts.
xpack.ssl.certificate_authorities array on all hosts.I think we are on the same page. The important point is nodes need to be restarted for certificate changes to take effect. Additionally, trust must be maintained between the nodes to ensure error free inter-node communication.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.