ES Nodes with different dates

Search Guard and Elasticsearch version - 6.5.4

JVM version and operating system version - jre 1.8_55

I am having an ES + Search-Guard Multiple Node Setup.

While adding a new Node I am getting the following Exception

Caused by: java.security.cert.CertificateNotYetValidException: NotBefore: Sat Mar 02 06:43:03 IST 2019

at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:270) ~[?:?]

at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) ~[?:?]

at sun.security.provider.certpath.BasicChecker.verifyTimestamp(BasicChecker.java:190) ~[?:?]

at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144) ~[?:?]

at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:119) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) ~[?:?]

at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292) ~[?:1.8.0_51]

``

My Master node is ahead of the data node in time.What should I do about this?

I am generating the root certificate and the node certificates in the master node.

Should I generate the node certificate in the specific node?

You need to make sure that all your nodes are time synced (via ntp https://en.wikipedia.org/wiki/Network_Time_Protocol).
If not then in a distributed system like elasticsearch a lot of thing can go probably wrong.

···

Am 04.03.2019 um 23:20 schrieb Kasinaat Selvi Sukesh <kasinaat007@gmail.com>:

Search Guard and Elasticsearch version - 6.5.4
JVM version and operating system version - jre 1.8_55

I am having an ES + Search-Guard Multiple Node Setup.

While adding a new Node I am getting the following Exception

Caused by: java.security.cert.CertificateNotYetValidException: NotBefore: Sat Mar 02 06:43:03 IST 2019
  at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:270) ~[?:?]
  at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) ~[?:?]
  at sun.security.provider.certpath.BasicChecker.verifyTimestamp(BasicChecker.java:190) ~[?:?]
  at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144) ~[?:?]
  at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:119) ~[?:?]
  at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219) ~[?:?]
  at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) ~[?:?]
  at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) ~[?:?]
  at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292) ~[?:1.8.0_51]

My Master node is ahead of the data node in time.What should I do about this?

I am generating the root certificate and the node certificates in the master node.
Should I generate the node certificate in the specific node?

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/13d0e702-1023-4494-a9dc-d02610db8863%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Can you please tell me what are the things that could go wrong?

I was using elasticsearch without search guard for past 4 months. I didn’t encounter any issues.

Can you please point me out some issues

···

On Tuesday, March 5, 2019 at 12:50:03 PM UTC+5:30, Kasinaat Selvi Sukesh wrote:

Search Guard and Elasticsearch version - 6.5.4

JVM version and operating system version - jre 1.8_55

I am having an ES + Search-Guard Multiple Node Setup.

While adding a new Node I am getting the following Exception

Caused by: java.security.cert.CertificateNotYetValidException: NotBefore: Sat Mar 02 06:43:03 IST 2019

at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:270) ~[?:?]

at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) ~[?:?]

at sun.security.provider.certpath.BasicChecker.verifyTimestamp(BasicChecker.java:190) ~[?:?]

at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144) ~[?:?]

at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:119) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) ~[?:?]

at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292) ~[?:1.8.0_51]

``

My Master node is ahead of the data node in time.What should I do about this?

I am generating the root certificate and the node certificates in the master node.

Should I generate the node certificate in the specific node?