Self-signed certificate expiration date and the ES cluster transport layer

Current ELK cluster version: v7.3

I'm currently using a self-signed cert generated using the elasticsearch-certutil tool. By default, the CA and Certificate expire in 3 years. I plan to use the self-signed certs in Prod.

What can I expect to happen when the CA and/or cert expires? Will my cluster fail? Is it necessary to generate and deploy new certs?

By the way, as a test, I generated a new cert using the original CA cert. I set the expiry date to 1 day. I deployed it to my transport layer for my existing cluster. After 3 days, the cluster still runs fine. Note: The CA file doesn't expire until 2022.

Thanks In Advance.

Additional note: I'm posting this question as a follow-up to my previous question, "Problem attempting to migrate from self-signed SSL cert to a CA issued SSL cert".

Note to readers: This answer is specifically about certificates on the transport layer (*). It is not necessarily applicable to other certificates in Elasticsearch.

Your cluster will not be able to establish new connections between nodes. Effectively your cluster will fail, but at a future time. It could happen due to a network issue, or because you need to restart a node for some reason. You will need to deploy new certificates.
It is possible (with the right configuration) to deploy new certs without needing to restart.

I suspect you didn't restart any nodes, and your network was stable during that time. If you try restarting a node you should find that it cannot connect to the other nodes in the cluster.

Thanks for the quick reply. Actually, I had restarted 1 node and it rejoined with no problems.

For what it's worth, I just now reconfirmed all 3 nodes were using the same self-signed expired cert on the transport layer. I rebooted all 3 nodes. All nodes rejoined the cluster. Cluster is now green.

Once again, the CA file I used to generate the cert doesn't expire until 2022. Not sure if that makes a difference or not.

To be safe, we will make plans to replace the expired transport cert every 3 years.
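The situation in this thread (a long-lived CA with a short-lived node certificate on the transport layer) is easy to monitor from the shell. The script below is an added example, not from the thread or from Elastic: it classifies a PEM certificate as OK / expiring / expired against a warning window and checks that the node cert still chains to the CA. It assumes `openssl` is on PATH and that the certificates are in PEM form; `make_demo_certs` builds constructed sample certs (CA valid 3 years like certutil's default, node cert valid 1 day like the poster's test).

```shell
#!/bin/sh
# Added example: expiry and chain checks for transport-layer certificates.
# Assumes openssl is on PATH. Certificates are expected in PEM form.

# Classify the certificate in $1 against a warning window of $2 days (default 30).
# Returns 0 = OK, 1 = expires within the window, 2 = already expired.
cert_status() {
    file=$1; warn_days=${2:-30}
    if ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null; then
        echo "EXPIRED  $file"; return 2
    fi
    if ! openssl x509 -noout -checkend $((warn_days * 86400)) -in "$file" >/dev/null; then
        echo "EXPIRING $file within ${warn_days}d: $(openssl x509 -noout -enddate -in "$file")"
        return 1
    fi
    echo "OK       $file: $(openssl x509 -noout -enddate -in "$file")"; return 0
}

# Succeeds only if the node certificate $2 chains to the CA $1 and is within
# its validity period: an expired leaf fails this even when the CA is still valid.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample certs in directory $1: a CA valid for 1095 days and a
# node cert signed by it that is valid for 1 day (mirrors the thread's test).
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1095 -subj "/CN=demo-ca" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=es-node-1" -keyout "$dir/node.key" -out "$dir/node.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/node.csr" -out "$dir/node.pem" >/dev/null 2>&1
}

# Stand-alone run: build the sample certs and report on both of them.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
cert_status "$demo_dir/ca.pem" 30 || :      # OK: well outside the 30-day window
cert_status "$demo_dir/node.pem" 30 || :    # EXPIRING: only 1 day left
chain_ok "$demo_dir/ca.pem" "$demo_dir/node.pem" && echo "chain OK (node cert still valid)"
```

For the PKCS#12 file that elasticsearch-certutil writes by default, export the node and CA certificates first with `openssl pkcs12 -in elastic-certificates.p12 -nokeys -clcerts -out node.pem` and `openssl pkcs12 -in elastic-certificates.p12 -nokeys -cacerts -out ca.pem`, then point the functions at those PEM files.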
