My ES cluster is configured with SSL encryption for internode communication, without encryption at the HTTP layer. I just realized today that my SSL certificate has expired. I checked the certificate validity through _ssl/certificates and found that it has been expired for over a year, but the cluster is still running normally. I want to know what impact an expired certificate will have on the cluster. Will it result in future unavailability or the inability to perform encrypted communication?
As Leandro said, the SSL handshake will not be established simply because the certificate cannot be verified.
You can temporarily set xpack.security.transport.ssl.verification_mode: none, which will not validate the certificate.
Of course, the best solution is to renew/reissue the cert.
However, in reality, I have been using this expired certificate all along and have not encountered any issues. I can still restart nodes, add new nodes, and even create a new cluster without any problems. What could be the reason for this? Does the expiration of the certificate not affect internode communication?
However, if I convert this certificate into three files: tls.crt, tls.key, ca.crt, and use the following configuration, I will encounter a certificate expiration error during startup, and the cluster will not run properly:
(Static) Defines how to verify the certificates presented by another party in the TLS connection:
Valid values
full: Validates that the provided certificate has an issue date that's within the not_before and not_after dates; chains to a trusted Certificate Authority (CA); has a hostname or IP address that matches the names within the certificate.
certificate: Validates the provided certificate and verifies that it's signed by a trusted authority (CA), but doesn't check the certificate hostname.
none: Performs no certificate validation.
Setting certificate validation to none disables many security benefits of SSL/TLS, which is very dangerous. Only set this value if instructed by Elastic Support as a temporary diagnostic mechanism when attempting to resolve TLS errors.
But why is it that when both are set to xpack.security.transport.ssl.verification_mode: certificate, the first method (using a .p12 file) does not check the expiration time of the certificate, while the second method does? Is there any documentation explaining this?
I am currently using the first method, and the certificate has already expired, but the system is running normally. I am concerned whether there will be any issues in the future.
Sorry, I didn't understand the point you made. I know that I can set it to "none" to make ES not check the validity of the certificate. But my question is why, when setting it to "certificate", setting the ssl.keystore.path parameter works normally, while setting ssl.certificate prompts that the certificate has expired. There seems to be no explanation in the documentation for this issue.
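An added check for the situation described in this thread (example code, not from the thread or from Elastic): a small POSIX shell helper that uses the openssl CLI to report the notAfter date of the node certificate and to test whether it is expired or about to expire, for both file layouts being compared: a PEM tls.crt / ca.crt, and the leaf certificate inside the .p12 keystore referenced by xpack.security.transport.ssl.keystore.path. File names and the keystore password are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): inspect certificate expiry for the
# two Elasticsearch transport TLS file layouts. Requires the openssl CLI.
# File names (tls.crt, ca.crt, es.p12) and the password are assumptions.

# Print the notAfter line of a PEM certificate, e.g. "notAfter=Jan  1 00:00:00 2025 GMT".
pem_end_date() {
    openssl x509 -in "$1" -noout -enddate
}

# Exit 0 if the PEM certificate is still valid for at least $2 more days,
# exit 1 if it is already expired (use 0 days) or expires within that window.
# openssl's -checkend does the date arithmetic, so no GNU date is needed.
pem_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Extract the leaf (node) certificate from a PKCS#12 keystore to a temp PEM
# file and print that file's path. $1 = keystore path, $2 = keystore password.
# The "Bag Attributes" preamble openssl writes is skipped by openssl x509.
p12_leaf_to_pem() {
    tmp=$(mktemp) || return 1
    if ! openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    printf '%s\n' "$tmp"
}

# Same validity check for the certificate inside a PKCS#12 keystore.
# $1 = keystore path, $2 = password, $3 = days of remaining validity required.
p12_ok_for_days() {
    pem=$(p12_leaf_to_pem "$1" "$2") || return 1
    rc=0
    pem_ok_for_days "$pem" "$3" || rc=1
    rm -f "$pem"
    return $rc
}

# Print the notAfter line for the certificate inside a PKCS#12 keystore.
p12_end_date() {
    pem=$(p12_leaf_to_pem "$1" "$2") || return 1
    pem_end_date "$pem"
    rc=$?
    rm -f "$pem"
    return $rc
}

# Typical use (files and password are placeholders):
#   pem_end_date ca.crt
#   pem_ok_for_days tls.crt 30      || echo "tls.crt expired or expiring within 30 days"
#   p12_ok_for_days es.p12 changeme 30 || echo "keystore cert expired or expiring within 30 days"
```

A non-zero exit from pem_ok_for_days or p12_ok_for_days with a 30-day window is a simple alerting condition to run from cron, independent of whether the cluster itself happens to enforce the validity period for a given file layout. The cluster's own _ssl/certificates API, mentioned at the top of the thread, reports the same expiry date, so the two can be cross-checked.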