I have an ES Cluster(ES version 7.4.2) that has been running for 3 years.
when I run the following query.
GET _ssl/certificates
I'm getting the output.
"expiry" : "2022-11-20T07:27:29.000Z"
in /usr/share/elasticsearch
For the new 'temescls01-ca.p12' certificate
I run './bin/elasticsearch-certutil cert --ca /etc/elasticsearch/certs/temescls01-ca.p12' and when I enter the 'CA CERT password' it generates a new temescl01-ca.p12 certificate.
For the new 'temescls01-certificates.p12' certificate
I run './bin/elasticsearch-certutil cert /etc/elasticsearch/certs/temescls01-certificates.p12' and enter the 'keystore password'.
I'm using the old certificates' passwords for both new certificates.
I was able to create all 2 certificates. But when I stop the elasticsearch service and replace the old certificates with new certificates by following the document here, the node cannot join the cluster. When I replace the old certificate, the node joins the cluster without any problems.
An example from elasticsearch.yml
elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/temescls01-certificates.p12
xpack.security.transport.ssl.keystore.password: XXXXXXXXX
xpack.security.transport.ssl.truestore.path: certs/temescls01-certificates.p12
xpack.security.transport.ssl.truestore.password: XXXXXXXXX
Is there something i did wrong?
It’s not possible to extend the expiry date of a certificate. But you can create a new one. If you are using PKCS #12 format of SSL/TLS (p12) certificate you can use this article to create a new certificate.
https://medium.com/p/99820ff87615
Related
I am using cert-manager ACME workflow to manage my certificates in K8s. Seems like cert-manager does not give me control on when the certificate gets re-issued (usually happens when expirations comes near).
Does cert manager revoke the previous certificate once it has issued the new one? And can you control this behaviour?
I tried looking for it in documentation, couldn't find the answer. Next up is an experiment.
Cert manager will renew certificates generally when there's 30 or less days left on the validity. It does not "revoke" older certificates, it renews them (where applicable)
The exception to this is if you change the hostnames on the certificate. Certmanager will issue a NEW certificate containing the updated names, but it will not revoke the old certificate. The old certificate will simply just not be renewed and will expire naturally.
In ethernet connected system I use harbor registry for docker images in login session it returns x509: certificate relies on legacy Common Name field, use SANs instead error.
How I resolve this certification problem?
You should regenerate your Harbor certificate, the previous maybe
generated by Common Name, use the SAN field to sign the certificate, https://goharbor.io/docs/2.5.0/install-config/configure-https/
We have a reporting application which needs JKS file to be created from public certificate and private key associated with the certificate.
For our K8S deployment through Jenkins, we create this application and during this application deployment - pods, svc, ing, certificate also gets created and once our deployment is successful we call another script to use the certificate and private key, create a JKS and copy it to the pod in some location where application can pick it up. This works well but how do we automate this JKS creation and copy it to the pod with every let's encrypt certificate renewal since the certificate is renewed for every 90 days.
Posting an answer from comments.
After some comments, main question was narrowed down to:
"How to renew certificate manually using CertManager?"
Answer itself:
There's a CLI tool for CertManager which is called cmctl.
And it supports manual renewal of certificates by issuing following command:
cmctl renew $CERT_NAME
My application implements SSLPining with leaf certificate. And it's about to expire.
I researched and got the answer:
Some time before the certificate expires, release a new version of your app with a replacement cert in the pin list, as well as the original cert
How can i add both replacement cert and original cert to my project?
I just need to add a new certificate with any name and Will Alamofire go through all the certificate files I declare and if any match will it allow the connection?
Thanks
Yes, that will work. Alamofire's PinnedCertificatesTrustEvaluator gathers all certificates from the main bundle by default and checks to see whether the certificate received is within that set. So as long as both certificates are within that set, either of them should work.
When generating certificate via directadmin using letsencrypt for mail.domain.com, directadmin told me that it generated a certificate called:
letsencrypt.key
But in order to make the mail.domain.com contains the certificate, I have to edit the dovcot config like below:
ssl_cert = </etc/letsencrypt/live/YOURSITE/fullchain.pem
ssl_key = </etc/letsencrypt/live/YOURSITE/privkey.pem
But as shown above dovcot only take 2 parameters for certs and I only have letsencrypt.key
How do I point this certificate in dovcot so, that it will use let's encrypt certs ?
UPDATE:
I read that the built-in feature letsencrypt in DA actually combined the cert into one. I search Google and redirected to a site that we can manually install the DA letsencrypt so that it will generate 3 files for certs where I can use to link in dovcot.
So in order to do this do I have to disable the built in feature of DA Let's encrypt?
The URL: https://www.interserver.net/tips/kb/letsencrypt-support-directadmin-control-panel/
Is this the best way? What about the renewal process? Will directadmin handle the cert's renewal process or we need to create cronjob for that ? I'm lost.
My aim is just to enable certificate for the mail.domain.com (using let's encrypt) so when I log in using 3rd party email client, it would not complain about invalid certs.
I never heard about mail_sni someone pointed out that I should use this to make it work. Following this documentation, everything is working:
http://forum.directadmin.com/showthread.php?t=56297