Hi, I just tested the hot reload of certs and CA on 7.9.1-45.0.0.
The procedure works as described here: TLS management: Replace root CAs on a running Elasticsearch cluster
but it seems the new server certificate isn’t being used.
Indeed, running openssl s_client -connect elasticnode01:9200 </dev/null | openssl x509 -in - -noout -text before and after the procedure reveals the same server certificate.
I don’t see anything in the server’s log file either.
Any help on how to troubleshoot this is appreciated.
A more detailed sequence of the commands used would be helpful.
Keep in mind that the article describes changing transport certificates. You, however, call openssl for port 9200, which should be the REST endpoint, which might use another certificate.
Turns out I’m still struggling.
The documentation TLS hot-reload | Security for Elasticsearch | Search Guard states that I need to hit the /_searchguard/api/ssl/transport/reloadcerts endpoint twice when I need to reload node certs with a new CA: once after adding the new CA to the bundle, and once after replacing the node cert.
The problem I’m facing is when doing the first step:
☠ HTTP_ELIAS POST https://foo:9200/_searchguard/api/ssl/http/reloadcerts
HTTP/1.1 500 Internal Server Error
content-length: 255
content-type: application/json; charset=UTF-8
{
"error": "ElasticsearchSecurityException[Error while initializing http SSL layer from PEM: java.lang.Exception: New certificates should not expire before the current ones.]; nested: Exception[New certificates should not expire before the current ones.];"
}
The error message is not wrong: I didn’t change the certificate yet, only the CA. But it also means the new CA is not reloaded.
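The reply above points out that the REST port (9200) and the transport port (9300) serve different certificates, and the 500 shows that the reload endpoint compares the expiry of the new certificate against the one it is currently using. The script below, added here as an example and not taken from the Search Guard documentation or from either poster, ties those two observations together: it records what each port serves, runs the same "must not expire earlier" comparison locally on the staged PEM files before calling the endpoint, and then reports whether the served certificate actually changed. The host name `elasticnode01`, the file names `admin.pem`, `admin-key.pem`, `root-ca.pem`, `new-node.pem` and `current-node.pem`, and the use of curl with an admin client certificate are assumptions; only `openssl s_client` and the `/_searchguard/api/ssl/<layer>/reloadcerts` path come from the thread.

```shell
#!/bin/sh
# Added example (not Search Guard's code, not a poster's code).
# Assumed placeholders: ES_HOST, admin.pem/admin-key.pem/root-ca.pem for the
# admin REST call, and new-node.pem/current-node.pem staged on this host.
set -eu

ES_HOST="${ES_HOST:-elasticnode01}"

# SHA-256 fingerprint and notAfter of the certificate a port currently serves.
# The transport port may require a client certificate; add -cert/-key to
# s_client if the handshake is rejected there.
served_cert_summary() {            # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
      | openssl x509 -noout -fingerprint -sha256 -enddate
}

# Convert an openssl date such as "Jan  1 00:00:00 2030 GMT" to epoch seconds
# (GNU date first, BSD date as fallback).
to_epoch() {
    date -u -d "$1" +%s 2>/dev/null \
      || date -u -j -f "%b %d %T %Y %Z" "$1" +%s
}

# Epoch seconds at which the certificate in a PEM file expires.
cert_not_after() {                 # $1 = PEM file
    to_epoch "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)"
}

# Exit 0 when the new certificate expires no earlier than the current one.
# This mirrors the check behind the 500 in the post, so it can be run on the
# staged files before the node is asked to reload.
cert_expires_no_earlier() {        # $1 = new PEM, $2 = current PEM
    [ "$(cert_not_after "$1")" -ge "$(cert_not_after "$2")" ]
}

# Ask the node to reload the certificates of one layer: "http" or "transport".
reload_certs() {                   # $1 = layer
    curl -sS --fail -X POST \
      --cert admin.pem --key admin-key.pem --cacert root-ca.pem \
      "https://$ES_HOST:9200/_searchguard/api/ssl/$1/reloadcerts"
    echo
}

main() {
    before_http=$(served_cert_summary "$ES_HOST" 9200)
    before_transport=$(served_cert_summary "$ES_HOST" 9300)

    cert_expires_no_earlier new-node.pem current-node.pem || {
        echo "new-node.pem expires before current-node.pem; the node will reject it" >&2
        exit 1
    }

    reload_certs http
    reload_certs transport

    printf '\nREST (9200) before:\n%s\nREST (9200) after:\n%s\n' \
        "$before_http" "$(served_cert_summary "$ES_HOST" 9200)"
    printf '\ntransport (9300) before:\n%s\ntransport (9300) after:\n%s\n' \
        "$before_transport" "$(served_cert_summary "$ES_HOST" 9300)"
}

# Only run the live procedure when explicitly asked: ./reload-check.sh run
case "${1:-}" in
    run) main ;;
esac
```

If the two "before" and "after" blocks print the same fingerprint for a port, that port's certificate was not reloaded, regardless of what the endpoint returned; comparing both ports separately avoids the mix-up the second post describes, where the transport certificate was changed but the REST port was inspected.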