Hi I just tested the hot reload of certs and CA on 7.9.1-45.0.0
The procedure works as described here TLS management: Replace root CAs on a running Elasticsearc cluster
but it seems the new server certificate isn’t being used.
openssl s_client -connect elasticnode01:9200 </dev/null | openssl x509 -in - -noout -text before and after the procedure reveals the same server certificate.
I don’t see anything in the server’s log file either.
Any help on how to troubleshoot this is appreciated
A more detailed sequence of the commands used would be helpful.
Keep in mind that the article describes changing transport certificates. You however call openssl for port 9200 which should be the REST endpoint which might use another certificate.
argh you’re right I’m an idiot
Turns out I’m still struggling.
The documentation TLS hot-reload | Security for Elasticsearch | Search Guard states that I need to hit the
/_searchguard/api/ssl/transport/reloadcerts endpoint twice when I need to reload node certs with a new CA: once after adding the new CA to the bundle, and once after replacing the node cert.
The problem I’m facing is when doing the first step :
☠ HTTP_ELIAS POST https://foo:9200/_searchguard/api/ssl/http/reloadcerts
HTTP/1.1 500 Internal Server Error
content-type: application/json; charset=UTF-8
"error": "ElasticsearchSecurityException[Error while initializing http SSL layer from PEM: java.lang.Exception: New certificates should not expire before the current ones.]; nested: Exception[New certificates should not expire before the current ones.];"
The error message is not wrong: I didn’t change the certificate yet, only the CA. But it also means the new CA is not reloaded.
@cstaley any idea on what I might be doing wrong?
You might have a point here. We need some more time to look into it; I’ll update you when we have news.
We have now assessed and fixed the problem. A release containing the fix for this should come out during next week.
If you want to try it before or are curious about the details, see here:
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.