Updating elasticsearch CA but _ssl/certificates return wrong result

petertw6235 · February 26, 2024, 6:35am

Hi,

Elasticsearch version: 7.17.9
I tried to update the TLS certificate because the CA will expire this year.
I found this guide [same CA] (Update certificates with the same CA | Elasticsearch Guide [7.17] | Elastic)
and followed the instruction but did not restart my cluster.

After copying new CA to every nodes in my cluster, I checked the _ssl/certificates result:

There are three certificates but only one update the expire date.

Did I miss something?

Here is my elasticsearch.yml

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

stephenb · February 26, 2024, 6:55am

Hi @petertw6235

It looks to me like you perhaps updated the CA, but you did not regenerate the new actual certificates (.p12s)... just Regenerating and updating the CA does not update the certificates so they still have the original expiration date from when they were created.

Pretty sure you are going to need to regenerate / update the actual certs as well using the new CA following the next steps

Perhaps I am missing something

petertw6235 · February 26, 2024, 7:55am

Hi @stephenb ,

Here is my step:

I found the file "elastic-stack-ca.p12" which created three years ago.
Executing the following command

cd /usr/share/elasticsearch/
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

After input the password , I got a new elastic-certificates.p12
SCP elastic-certificates.p12 to other nodes.

I did not change the password.

I'm not pretty sure what is actual certificate. Do you have further explanation?

stephenb · February 26, 2024, 8:21am

Those are the certificates.

Sorry sometimes people get confused between a CA and a certificate.

Did you do a rolling restart of the nodes?

And you are very careful that the new certs are exactly where they should be with correct file permissions and the yml is all correct? If one works they all should work. Usually it's a copy or something else

petertw6235 · February 26, 2024, 8:39am

Hi @stephenb ,

Thanks for your response.
I checked the documents again, It seems like "elastic-stack-ca.p12" is the CA and "elastic-certificates.p12" is the certificate issued by CA.
In my case the "elastic-stack-ca.p12" was generated three years ago and the expiration date is Oct 2024. I need to regenerate the CA instead of using the old one because the expiration date will not change if i'm not using the new CA.

I will reference this guideline to regenerate the CA.

stephenb · February 26, 2024, 1:08pm

Right, but to be clear, your screenshot shows that 2 of the 3 the certificates are going to expire...

Regenerate them all is the safest of the CA and the certificates, Play some in the proper places and then restart the notes

system · March 25, 2024, 1:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.