Rolling restart possible when root certificate changed?


(Nanda Koothrappahli) #1

We are currently evaluating X-Pack security and there is an open question to which I cannot find any answer:

For transport TLS we need to change the root certificate from time to time, but we have to avoid a full cluster restart because we cannot tolerate any downtime. Is this possible?


(Jason Bryan) #2

Hi,

A rolling restart can be performed as long as the certificate chain remains unchanged. The best practice here is to sign individual TLS certificates by a common CA so certificate and host verification will pass when the node with the new cert comes back online. A full cluster restart would be required if changing any CA cert in the certificate chain.

Jason


(Nanda Koothrappahli) #3

What about adding the new root CA additively to the trusted CAs in a rolling restart manner, then updating the nodes with new certificates, also in a rolling restart manner, and optionally removing the old CA again in a rolling restart manner? Would this not work in the case of a root certificate change?


(Jason Bryan) #4

You could do this in two rolling restarts.

  • Add a new root CA to the xpack.ssl.certificate_authorities array on all hosts.
  • Perform the first rolling restart.
  • Replace the TLS certificate on each node.
  • Perform the second rolling restart. The new node certificate will be trusted since the CA cert was added for the first rolling restart.
  • Optionally remove the old CA certificate and perform a rolling restart.

I think we are on the same page. The important point is that nodes need to be restarted for certificate changes to take effect. Additionally, trust must be maintained between the nodes to ensure error-free inter-node communication.
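
The following is an added example, not part of the original thread and not Elastic's code: a small Python model of the trust invariant behind the staged procedure above. It restarts one node at a time and checks that every pair of nodes still trusts each other's issuing CA. The CA labels `old-ca` and `new-ca`, the node names, and all function names are constructed for illustration; no real TLS handshake is performed.

```python
from itertools import combinations

def mutual_trust(a, b):
    """Transport TLS is mutual: each side must trust the CA that issued the peer's cert."""
    return a["cert_ca"] in b["trusted"] and b["cert_ca"] in a["trusted"]

def rolling_restart(nodes, change):
    """Apply `change` to one node at a time (one restart each). After every restart,
    return the first pair of nodes that can no longer connect, or None if all can."""
    for name in sorted(nodes):
        nodes[name] = change(nodes[name])
        for x, y in combinations(sorted(nodes), 2):
            if not mutual_trust(nodes[x], nodes[y]):
                return (x, y)
    return None

def new_cluster(size=3):
    # Constructed starting state: every node trusts only old-ca and holds an old-ca cert.
    return {f"node{i}": {"trusted": frozenset({"old-ca"}), "cert_ca": "old-ca"}
            for i in range(1, size + 1)}

def add_new_ca(node):      # first rolling restart: extend certificate_authorities
    return {**node, "trusted": node["trusted"] | {"new-ca"}}

def swap_cert(node):       # second rolling restart: node cert now issued by new-ca
    return {**node, "cert_ca": "new-ca"}

def drop_old_ca(node):     # optional third rolling restart: stop trusting old-ca
    return {**node, "trusted": node["trusted"] - {"old-ca"}}

def replace_all(node):     # naive approach: change CA and cert in a single restart
    return {"trusted": frozenset({"new-ca"}), "cert_ca": "new-ca"}

def staged_rotation():
    nodes = new_cluster()
    return [rolling_restart(nodes, phase) for phase in (add_new_ca, swap_cert, drop_old_ca)]

def naive_rotation():
    return rolling_restart(new_cluster(), replace_all)

if __name__ == "__main__":
    print("staged phases, first broken pair per phase:", staged_rotation())
    print("naive single pass, first broken pair:", naive_rotation())
```

In this model the staged rotation never produces a broken pair, while the single-pass replacement breaks trust as soon as the first node restarts.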

