Hey folks,
Have been looking forward to the introduction of SSL cert hot reloading, described here -
https://github.com/opendistro-for-elasticsearch/opendistro-build/blob/master/release-notes/release-notes-odfe-1.6.0.md
https://github.com/opendistro-for-elasticsearch/security/pull/238
Currently testing v1.6.0 and find that the SSL cert hot reloading feature is not working in my case.
Just checking - has this been tested with SSL certs in Java keystores only, or does it also work for the reloading of SSL certs stored in PEM files?
Running Opendistro v1.6.0 with the correct plugin versions -
GET _cat/plugins
escdr-test-001 opendistro-job-scheduler 1.6.0.0
escdr-test-001 opendistro-knn 1.6.0.0
escdr-test-001 opendistro_alerting 1.6.0.0
escdr-test-001 opendistro_index_management 1.6.0.0
escdr-test-001 opendistro_performance_analyzer 1.6.0.0
escdr-test-001 opendistro_security 1.6.0.0
escdr-test-001 opendistro_sql 1.6.0.0
SSL cert for transport and https is currently loaded -
# openssl s_client -connect 127.0.0.1:9200 -showcerts | openssl x509 -noout -text
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
Certificate:
Data:
Version: 3 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Apr 29 06:16:43 2020 GMT
Not After : Jul 28 06:16:43 2020 GMT
I replace the SSL cert on disk with an updated version - same issuer, same hostname, only major difference is the expiry date.
When I check the SSL certs API endpoint with a user with ‘admin_all’ privileges, there is no response -
GET 127.0.0.1:9200/_opendistro/_security/api/ssl/certs
When I attempt to reload the certs, there is no response -
PUT 127.0.0.1:9200/_opendistro/_security/api/ssl/transport/reloadcerts
PUT 127.0.0.1:9200/_opendistro/_security/api/ssl/http/reloadcerts
The SSL cert is not reloaded.
Before I look into this much further - just checking if this feature works with PEM files as well as keystores?
SSL hot reload is enabled in elasticsearch.yml -
opendistro_security.ssl_cert_reload_enabled: true
Cheers
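The checks the post runs by hand (compare the served certificate with the PEM file on disk, call the two reloadcerts endpoints, compare again) as one script. This is an added example, not code from the original post or from the Open Distro project. The paths and host in it (NODE_HOST, NODE_PEM, ADMIN_CERT, ADMIN_KEY, CA_PEM) are hypothetical, and it assumes the reloadcerts endpoints are called with the admin client certificate rather than a basic-auth user; it needs the openssl and curl binaries.

```shell
#!/bin/sh
# Added example (not code from the original post or from the Open Distro project):
# compare the leaf certificate a node actually serves with the PEM file on disk,
# then call the security plugin's reload endpoints and compare again.
# Assumed (hypothetical) settings; adjust to your install:
#   NODE_HOST   host:port of the HTTPS endpoint, e.g. 127.0.0.1:9200
#   NODE_PEM    the node certificate PEM referenced by elasticsearch.yml
#   ADMIN_CERT / ADMIN_KEY  admin client certificate and key (assumed to be
#               what the reloadcerts endpoints accept for authentication)
#   CA_PEM      CA bundle used to verify the node's HTTPS certificate
# Requires the openssl and curl binaries.

# SHA-256 fingerprint of a PEM certificate file, e.g. "AB:CD:...".
cert_fingerprint_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Expiry of a PEM certificate file, e.g. "Jul 28 06:16:43 2020 GMT".
cert_enddate_file() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# SHA-256 fingerprint of the leaf certificate presented by host:port.
# s_client prints the leaf certificate first and openssl x509 parses only the
# first PEM block, so any intermediates in the output are ignored.
cert_fingerprint_served() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# True when two fingerprints are equal, ignoring hex case.
fingerprints_match() {
    [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# PUT the two reloadcerts endpoints, authenticating with the admin client cert.
reload_certs() {
    host=$1; admin_cert=$2; admin_key=$3; ca=$4
    for layer in transport http; do
        printf '%s: ' "$layer"
        curl -sS --cacert "$ca" --cert "$admin_cert" --key "$admin_key" \
            -X PUT "https://$host/_opendistro/_security/api/ssl/$layer/reloadcerts"
        echo
    done
}

# Live check: does the served certificate match the one on disk, before and
# after asking the plugin to reload?
check_node() {
    disk=$(cert_fingerprint_file "$NODE_PEM")
    echo "on disk : $disk (expires $(cert_enddate_file "$NODE_PEM"))"
    before=$(cert_fingerprint_served "$NODE_HOST")
    echo "served  : $before"
    if fingerprints_match "$disk" "$before"; then
        echo "node already serves the certificate on disk; nothing to reload"
        return 0
    fi
    reload_certs "$NODE_HOST" "$ADMIN_CERT" "$ADMIN_KEY" "$CA_PEM"
    after=$(cert_fingerprint_served "$NODE_HOST")
    echo "served after reload: $after"
    if fingerprints_match "$disk" "$after"; then
        echo "hot reload took effect"
    else
        echo "hot reload did NOT take effect: node still serves the old certificate" >&2
        return 1
    fi
}

# Only run the live check when the environment is configured, so the helper
# functions above can be sourced or tested without a running node.
if [ -n "${NODE_HOST:-}" ]; then
    check_node
fi
```

Run it as `NODE_HOST=127.0.0.1:9200 NODE_PEM=/path/node.pem ADMIN_CERT=... ADMIN_KEY=... CA_PEM=... sh check-reload.sh`. Fingerprints are a stricter test than reading the expiry date: if the served fingerprint still equals the old file's fingerprint after the PUTs, the plugin did not pick up the new PEM, whatever the API responded. The same comparison works against the transport port, because the server sends its certificate before any client-authentication failure would end the handshake.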