How to renew SSL

During the init_sg.sh the task failed, as the certificate expired.

Search Guard version: 6.8.2
Elasticsearch version: 6.8.2

bin/init_sg.sh -> Sgadmin SSL configuration.
config/elasticsearch.yml -> Node SSL configuration

Error:

19:34:14 TASK [elk : Initialize Search Guard] *******************************************
19:34:19 fatal: [elk-01.xxxxx.com]: FAILED! => {"changed": true, "cmd": ["docker", "exec", "elasticsearch", "bin/init_sg.sh"], "delta": "0:00:04.022223", "end": "2020-04-17 16:04:31.234272", "msg": "non-zero return code", "rc": 255, "start": "2020-04-17 16:04:27.212049", "stderr": "", "stderr_lines": [], "stdout": "Search Guard Admin v6\nWill connect to localhost:9300 ... done\nUnable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{NPNB-M7_SpCflUWBbnhFdw}{localhost}{127.0.0.1:9300}]\n

14:04:31.148 [elasticsearch[_client_][transport_worker][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem PKIX path validation failed: java.security.cert.CertPathValidatorException: 
validity check failed\njavax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1302) ~[?:?]\n\t... 29 more\nCaused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Apr 16 21:25:47 UTC 

elasticsearch.yml

searchguard.enterprise_modules_enabled: false
searchguard.ssl.http.enabled: false
searchguard.ssl.transport.pemcert_filepath: 'sg/elk2.pem'
searchguard.ssl.transport.pemkey_filepath: 'sg/elk2.key'
searchguard.ssl.transport.pemkey_password: 'xxxxxx'
searchguard.ssl.transport.pemtrustedcas_filepath: sg/CA-cert.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.authcz.admin_dn:

my init-sg file

#!/bin/sh
plugins/search-guard-6/tools/sgadmin.sh \
	-cd config/sg/ \
	-cacert config/sg/CA-cert.pem \
	-cert config/sg/sgadmin2.pem \
	-key config/sg/sgadmin2.key.pem \
	-keypass xxxxxxx \
	-nhnv \
	-icl \
	-arc

Can anyone provide help on how to renew the SSL cert?

I’m new to Search Guard. It would be great if someone could provide detailed steps for the renewal.

The steps are

  1. Generate new certificates. You need at least:
     • Root CA
     • One node certificate (although it’s advisable to have separate certificates for each node)
     • One admin certificate
  2. Stop all nodes
  3. Place the root and node certs in the config directory of ES
  4. Change elasticsearch.yml to point to the new certs
  5. Start all nodes

See some examples for demo certificates https://docs.search-guard.com/latest/tls-certificates-installer
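
A pre-flight check for the renewed files before the nodes are started again, as an added example that is not part of the original thread or of Search Guard itself. It assumes the `openssl` CLI is installed; the function names and the `KEYPASS` variable are hypothetical, and the file names in the usage comment are the ones from the question.

```shell
#!/bin/sh
# Added example: pre-flight checks for renewed Search Guard PEM files.
# Function names and the KEYPASS variable are hypothetical; needs the openssl CLI.

# check_cert CA CERT [DAYS]
#   returns 0 if CERT chains to CA and stays valid for DAYS more days (default 30),
#   1 if the chain or validity check fails (the CertificateExpiredException case),
#   2 if the certificate is valid today but expires within DAYS days.
check_cert() {
    ca=$1 cert=$2 days=${3:-30}
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL  $cert: does not verify against $ca (expired or wrong CA)"
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "WARN  $cert: $(openssl x509 -in "$cert" -noout -enddate)"
        return 2
    fi
    echo "OK    $cert: $(openssl x509 -in "$cert" -noout -enddate)"
}

# check_key_pair CERT KEY
#   returns 0 only if KEY is the private key for CERT. For an encrypted key,
#   export KEYPASS first so the password stays off the command line.
check_key_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout ${KEYPASS:+-passin env:KEYPASS} 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_dn CERT
#   prints the subject DN in RFC 2253 form. The admin certificate's DN has to be
#   listed under searchguard.authcz.admin_dn, so a renewed admin cert with a
#   different subject also needs a config change.
cert_dn() {
    openssl x509 -in "$1" -noout -nameopt RFC2253 -subject | sed 's/^subject= *//'
}

# Usage with the file names from the question (run from the Elasticsearch home):
#   check_cert     config/sg/CA-cert.pem config/sg/elk2.pem
#   check_cert     config/sg/CA-cert.pem config/sg/sgadmin2.pem
#   check_key_pair config/sg/sgadmin2.pem config/sg/sgadmin2.key.pem
#   cert_dn        config/sg/sgadmin2.pem
```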
