How to renew SSL

nikson.linux · April 21, 2020, 9:43am

During the init_sg.sh the task failed, as the certificate expired.

Searhguard version: 6.8.2
Elasticsearch version: 6.8.2

bin/init_sg.sh → Sgadmin SSL configuration.
config/elasticsearch.yml → Node SSL configuration

Error:

19:34:14 TASK [elk : Initialize Search Guard] *******************************************
19:34:19 fatal: [elk-01.xxxxx.com]: FAILED! => {"changed": true, "cmd": ["docker", "exec", "elasticsearch", "bin/init_sg.sh"], "delta": "0:00:04.022223", "end": "2020-04-17 16:04:31.234272", "msg": "non-zero return code", "rc": 255, "start": "2020-04-17 16:04:27.212049", "stderr": "", "stderr_lines": [], "stdout": "Search Guard Admin v6\nWill connect to localhost:9300 ... done\nUnable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{NPNB-M7_SpCflUWBbnhFdw}{localhost}{127.0.0.1:9300}]\n

14:04:31.148 [elasticsearch[_client_][transport_worker][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem PKIX path validation failed: java.security.cert.CertPathValidatorException: 
validity check failed\njavax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1302) ~[?:?]\n\t... 29 more\nCaused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Apr 16 21:25:47 UTC

elasticsearch.yml

searchguard.enterprise_modules_enabled: false
searchguard.ssl.http.enabled: false
searchguard.ssl.transport.pemcert_filepath: 'sg/elk2.pem'
searchguard.ssl.transport.pemkey_filepath: 'sg/elk2.key'
searchguard.ssl.transport.pemkey_password: 'xxxxxx'
searchguard.ssl.transport.pemtrustedcas_filepath: sg/CA-cert.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.authcz.admin_dn:

my init-sg file

#!/bin/sh
plugins/search-guard-6/tools/sgadmin.sh \
	-cd config/sg/ \
	-cacert config/sg/CA-cert.pem \
	-cert config/sg/sgadmin2.pem \
        -key config/sg/sgadmin2.key.pem \
	-keypass xxxxxxx\
	-nhnv \
	-icl \
	-arc

Can anyone provide help on how to renew the SSL cert?

I’m new to searchgurad. It would be great if someone provides the detailed steps for the renewal.

srgbnd · April 22, 2020, 9:09am

The steps are

Generate new certificates. You need at least:

Root CA
One node certificate (although it’s advisable to have separate certificates for each node)
One admin certificate

Stop all nodes
Place the root and node certs in the config directory of ES
Change elasticsearch.yml to point to the new certs
Start all nodes

See some examples for demo certificates Search Guard Installer | Security for Elasticsearch | Search Guard

system · May 13, 2020, 9:09am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to find valid certification path to requested target Search Guard	3	2068	August 18, 2019
Certificate issue when deploying last release ELK + Search Guard Search Guard	4	2058	January 17, 2019
Renewing Expired Certs with Rolling Restart Search Guard	2	479	July 20, 2020
ERR: You try to connect with a ssl node certificate instead of an admin client certificate Search Guard	7	487	April 4, 2018
ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem General SSLEngine problem Search Guard	5	664	May 20, 2022

How to renew SSL

Related Topics