SSL cert hot reload (for PEM files) - v 1.6.0

Hey folks,

Have been looking forward to the introduction of SSL cert hot reloading, described here -

Currently testing v1.6.0 and find that the SSL cert hot reloading feature is not working in my case.

Just checking - has this been tested with SSL certs in Java keystores only, or does it also work for the reloading of SSL certs stored in PEM files?

Running Opendistro v.1.6.0 with correct plugin versions -

    GET _cat/plugins
    escdr-test-001 opendistro-job-scheduler
    escdr-test-001 opendistro-knn
    escdr-test-001 opendistro_alerting
    escdr-test-001 opendistro_index_management
    escdr-test-001 opendistro_performance_analyzer
    escdr-test-001 opendistro_security
    escdr-test-001 opendistro_sql

SSL cert for transport and https is currently loaded -

    # openssl s_client -connect -showcerts | openssl x509 -noout -text

    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
            Not Before: Apr 29 06:16:43 2020 GMT
            Not After : Jul 28 06:16:43 2020 GMT

I replace the SSL cert on disk with an updated version - same issuer, same hostname, only major difference is the expiry date.

When I check the SSL certs API endpoint with a user with ‘admin_all’ privileges, there is no response -


When I attempt to reload the certs, there is no response

The SSL cert is not reloaded.

Before I look into this much further - just checking if this feature works with PEM files as well as keystores?


SSL hot reload is enabled in elasticsearch.yml -

    opendistro_security.ssl_cert_reload_enabled: true


This was answered here -

SSL cert hot reload for PEM files does indeed work - I was not authenticating the request with the admin cert and key required for the opendistro-security plugin.
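
The resolution above, as an added example (not code from the original post or from the Open Distro project): compare the PEM on disk with the certificate the node serves, then call the reload endpoint authenticated with the admin client certificate and key. The reload paths are the ones in the Open Distro security plugin documentation, not quoted from this thread; the file arguments and the `constructed_pem` helper are hypothetical.

```python
import base64, hashlib, re, ssl, urllib.request

# Reload endpoints of the Open Distro security plugin REST API (from its docs).
RELOAD_PATHS = {
    "transport": "/_opendistro/_security/api/ssl/transport/reloadcerts",
    "http": "/_opendistro/_security/api/ssl/http/reloadcerts",
}
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM (the leaf in a fullchain)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def served_fingerprint(host, port):
    """Fingerprint of the certificate the node presents on host:port."""
    # Unverified fetch: we only want to see which certificate is served.
    return leaf_fingerprint(ssl.get_server_certificate((host, port)))

def reload_needed(disk_pem, served_pem):
    """True while the node serves a different leaf than the one on disk."""
    return leaf_fingerprint(disk_pem) != leaf_fingerprint(served_pem)

def reload_certs(base_url, layer, admin_cert, admin_key, ca_file):
    """PUT the reload endpoint, authenticating with the admin cert and key."""
    ctx = ssl.create_default_context(cafile=ca_file)
    # A request without the admin client certificate is what failed in the post.
    ctx.load_cert_chain(certfile=admin_cert, keyfile=admin_key)
    req = urllib.request.Request(base_url + RELOAD_PATHS[layer], method="PUT")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, resp.read().decode()

def constructed_pem(payload):
    # Constructed stand-in: PEM framing around arbitrary bytes, not a real cert.
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    old, new = constructed_pem(b"old leaf"), constructed_pem(b"renewed leaf")
    print(reload_needed(new + old, old))  # disk renewed, node still serves old
    print(reload_needed(new, new))        # after a successful reload
```

Against a live node, `served_fingerprint` before and after `reload_certs` shows whether the renewed certificate was actually picked up.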