CA and certificate reload

faxmodem · September 15, 2020, 2:19pm

Hi I just tested the hot reload of certs and CA on 7.9.1-45.0.0
The procedure works as described here https://search-guard.com/elasticsearch-change-tls-root-CA/
but it seems the new server certificate isn’t being used.
Indeed, running openssl s_client -connect elasticnode01:9200 </dev/null | openssl x509 -in - -noout -text before and after the procedure reveals the same server certificate.
I don’t see anything in the server’s log file either.

Any help on how to troubleshoot this is appreciated

cstaley · September 16, 2020, 8:34am

A more detailed sequence of the commands used would be helpful.

Keep in mind that the article describes changing transport certificates. You however call openssl for port 9200 which should be the REST endpoint which might use another certificate.

faxmodem · September 16, 2020, 8:34am

argh you’re right I’m an idiot

faxmodem · September 16, 2020, 9:53am

Turns out I’m still struggling.
The documentation https://docs.search-guard.com/latest/hot-reload-tls states that I need to hit the /_searchguard/api/ssl/transport/reloadcerts endpoint twice when I need to reload node certs with a new CA: once after adding the new CA to the bundle, and once after replacing the node cert.

The problem I’m facing is when doing the first step :

☠ HTTP_ELIAS POST https://foo:9200/_searchguard/api/ssl/http/reloadcerts
HTTP/1.1 500 Internal Server Error
content-length: 255
content-type: application/json; charset=UTF-8

{
    "error": "ElasticsearchSecurityException[Error while initializing http SSL layer from PEM: java.lang.Exception: New certificates should not expire before the current ones.]; nested: Exception[New certificates should not expire before the current ones.];"
}

The error message is not wrong: I didn’t change the certificate yet, only the CA. But it also means the new CA is not reloaded.

faxmodem · September 17, 2020, 6:59am

@cstaley any idea on what I might be doing wrong?

cstaley · September 21, 2020, 7:23am

You might have a point here. We need some more time to look into it; I’ll update you when we have news.

nils · September 29, 2020, 12:25pm

@faxmodem

We have now assessed and fixed the problem. A release containing the fix for this should come out during next week.

If you want to try it before or are curious about the details, see here:

https://maven.search-guard.com/search-guard-suite-snapshot/com/floragunn/search-guard-suite-plugin/b-SGD-783-SNAPSHOT/search-guard-suite-plugin-b-SGD-783-20200929.120516-1.zip