How to renew SSL

During the the task failed, as the certificate expired.

Searhguard version: 6.8.2
Elasticsearch version: 6.8.2

bin/ → Sgadmin SSL configuration.
config/elasticsearch.yml → Node SSL configuration


19:34:14 TASK [elk : Initialize Search Guard] *******************************************
19:34:19 fatal: []: FAILED! => {"changed": true, "cmd": ["docker", "exec", "elasticsearch", "bin/"], "delta": "0:00:04.022223", "end": "2020-04-17 16:04:31.234272", "msg": "non-zero return code", "rc": 255, "start": "2020-04-17 16:04:27.212049", "stderr": "", "stderr_lines": [], "stdout": "Search Guard Admin v6\nWill connect to localhost:9300 ... done\nUnable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{NPNB-M7_SpCflUWBbnhFdw}{localhost}{}]\n

14:04:31.148 [elasticsearch[_client_][transport_worker][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem PKIX path validation failed: 
validity check failed\ PKIX path validation failed: validity check failed$T13CertificateConsumer.checkServerCerts( ~[?:?]\n\t... 29 more\nCaused by: NotAfter: Thu Apr 16 21:25:47 UTC 


searchguard.enterprise_modules_enabled: false
searchguard.ssl.http.enabled: false
searchguard.ssl.transport.pemcert_filepath: 'sg/elk2.pem'
searchguard.ssl.transport.pemkey_filepath: 'sg/elk2.key'
searchguard.ssl.transport.pemkey_password: 'xxxxxx'
searchguard.ssl.transport.pemtrustedcas_filepath: sg/CA-cert.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false

my init-sg file

plugins/search-guard-6/tools/ \
	-cd config/sg/ \
	-cacert config/sg/CA-cert.pem \
	-cert config/sg/sgadmin2.pem \
        -key config/sg/sgadmin2.key.pem \
	-keypass xxxxxxx\
	-nhnv \
	-icl \

Can anyone provide help on how to renew the SSL cert?

I’m new to searchgurad. It would be great if someone provides the detailed steps for the renewal.

The steps are

  1. Generate new certificates. You need at least:
  • Root CA
  • One node certificate (although it’s advisable to have separate certificates for each node)
  • One admin certificate
  1. Stop all nodes
  2. Place the root and node certs in the config directory of ES
  3. Change elasticsearch.yml to point to the new certs
  4. Start all nodes

See some examples for demo certificates Search Guard Installer | Security for Elasticsearch | Search Guard

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.