Elasticsearch How to Update Security Certificates in Elasticsearch

By Opster Expert Team - Musab Dogan

Updated: Jan 28, 2024

| 5 min read

Quick links

Introduction

This article explains the various ways in which you can update your Elasticsearch security certificates. The method that you select depends on whether you are updating certificates with the same or different certificate authority (CA). It also depends on whether you are using p12 or PEM and key. Each of these different methods is detailed below.

Updating certificates with the same CA

If you have access to the CA used to sign your existing certificates, you only need to change the certificates and keys for each node in your cluster. If you change your existing certificates and keys on each node and use the same filenames, Elasticsearch will reload the files and start using the new certificates and keys.

You don’t need to reboot every node, but doing so will force new transport layer security (TLS) connections and is a recommended practice when updating certificates. Therefore, the following steps involve restarting a node after updating each certificate.

The steps below also provide instructions for generating new node certificates and keys for both the TLS and the HTTP layer. Depending on which of your certificates are expiring, you may only need to replace one or the other layer.

Updating certificates with the same CA (p12)

To use this method, you need to have an admin p12 certificate.

The first step is to create a new certificate using your CA certificate:

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --ca-pass "" --days 365 --out "new_cert.p12" --pass ""

Then, paste the new certificate in place of the old certificate on all nodes:

cp new_cert.p12 /etc/elasticsearch/config/elastic-certificates.p12

That completes the process. All you need to do now is check the response from Elastic logs:

[][INFO ][o.e.x.c.s.SSLConfigurationReloader] [] reloaded [es01/config/elastic-certificates.p12] 

And updated ssl contexts using this file:

#Example elasticsearch.yml for .p12 file
cluster.name: certificate
node.name: es01
cluster.initial_master_nodes: ["es01", "es02"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Updating certificates with the same CA (PEM and key)

To use this method, you need to have an admin certificate and key.

The first step is to create a new .crt certificate and .key private key using the CA certificate and private key:

./bin/elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key --pem --name new_cert --out new_cert.zip

Next, unzip and paste the new certificate in place of the old certificate on all nodes:

unzip new_cert.zip
cp new_cert/new_cert.crt /etc/elasticsearch/config/client.crt
cp new_cert/new_cert.key /etc/elasticsearch/config/client.key

Example elasticsearch.yml for .crt and .key file

cluster.name: certificate
node.name: es01
cluster.initial_master_nodes: ["es01", "es02"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: client.key
xpack.security.transport.ssl.certificate: client.crt
xpack.security.transport.ssl.certificate_authorities: ca.crt
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: client.key
xpack.security.http.ssl.certificate: client.crt
xpack.security.http.ssl.certificate_authorities: ca.crt

It is important to note that after updating the certificate(s) you don’t need to restart nodes. Elasticsearch checks the certificates every five seconds.

If you have indexers like Logstash, Filebeat, or any other client application, you should update that certificate for external communication using the xpack.security.http.ssl* settings.

Updating certificates with a different CA

If you don’t have the root (admin) certificate p12 or PEM and the associated private key, you can’t create a client certificate. But you can create a new root CA certificate and then a new client certificate. 

Updating certificates with a different CA (p12)

The first step is to create a p12 certificate (which includes a key and PEM file in it).

The following command will generate elastic-stack-ca.p12, which is the new p12 root CA certificate:

./bin/elasticsearch-certutil ca

Then, this command will generate the new client certificate using the newly generated root CA certificate:

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --ca-pass "" --days 365 --out "new_cert.p12" --pass ""

When that is complete, the new certificates are ready to use. Simply paste the new certificate in place of the old certificate on all nodes

Then, check elasticsearch.yml and ensure the certificate’s name is the same as the one in the configuration file:

cp new_cert.p12 /etc/elasticsearch/config/elastic-certificates.p12

Remember to store the new root CA certificate safely because you might need it in the future.

Updating certificates with a different CA (PEM and key)

To follow this method, the first step is to create a PEM certificate and key.

The following command will generate ca.crt and ca.key, which are the new root CA certificate and key, respectively:

./bin/elasticsearch-certutil ca -pem
unzip elastic-stack-ca.zip

Next, this command will generate the new client certificate and key:

./bin/elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key --pem --name new_cert --out new_cert.zip

When that is completed, the new certificates are ready to use. Paste the new certificate in place of the old certificate on all nodes

Remember to check the elasticsearch.yml and make sure the name of the certificate is the same as the one in the configuration file:

unzip new_cert.zip
cp ca/ca.crt config/ca.crt
cp new_cert/new_cert.crt /etc/elasticsearch/config/client.crt
cp new_cert/new_cert.key /etc/elasticsearch/config/client.key

WARNING: Do not restart any of the nodes before copying the certificates to all nodes. If you do restart a node before copying the certificate, the restarted node will not be able to join the cluster because it has a different certificate.

If you use the wrong CA certificate with the above method, you can face any of the following errors after node restart (emphasis added):

[][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [] client did not trust this server’s certificate, closing connection Netty4TcpChannel{localAddress=/[0:0:0:0:0:0:0:1]:9300, remoteAddress=/[0:0:0:0:0:0:0:1]:, profile=default}

[][WARN ][o.e.t.OutboundHandler    ] [es01] send message failed [channel: Netty4TcpChannel{localAddress=/127.0.0.1:62282, remoteAddress=/127.0.0.1:9300, profile=default}]

javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

If you have experienced the above errors, you need to check that you are using the same certificates on all your nodes.

Notes and good things to know

Here are some key considerations to bear in mind when updating your Elasticsearch security certificates:

  • This article assumes that you don’t want to change passwords in elasticsearch-keystore or set a password for it.
  • If you have a CA certificate that has not expired, you should follow the steps under the heading “Updating certificates with the same CA” above. 
  • If you don’t have a certificate, or if your certificate has expired, then you should follow the steps under the heading “Updating certificates with a different CA” above. 
  • The same certificate can be used for the HTTP and transport layer, or you can create two separate certificates using the same method.
  • Once you create the new certificate, copy and paste it to all nodes. Do not create certificates on each node individually because it will be easier to use the same certificate for all nodes.
  • If you do not change the name of the certificate, you do not need to make any changes in elasticsearch.yml.
  • You do not need to restart Elasticsearch after updating the certificate. But best practice recommends a rolling restart. After updating the certificates on all nodes, restart one of the coordinator nodes to test it. Everything is working properly if the node can connect to the cluster after the restart. If that is the case, you don’t need to restart other nodes.
  • After renewing all the certificates, check if the certificates on all nodes are the same. You can do this check with shasum <certificate> to get the hash of the certificates.
  • If the applications that query and index Elasticsearch (like Filebeat, Logstash, and Kibana) use secure communication, you should also update their certificates.

How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?