Have been looking forward to the introduction of SSL cert hot reloading, described here -
Currently testing v1.6.0 and find that the SSL cert hot reloading feature is not working in my case.
Just checking - has this been tested with SSL certs in Java keystores only, or does it also work for the reloading of SSL certs stored in PEM files?
Running Opendistro v.1.6.0 with correct plugin versions -
GET _cat/plugins
escdr-test-001 opendistro-job-scheduler 188.8.131.52
escdr-test-001 opendistro-knn 184.108.40.206
escdr-test-001 opendistro_alerting 220.127.116.11
escdr-test-001 opendistro_index_management 18.104.22.168
escdr-test-001 opendistro_performance_analyzer 22.214.171.124
escdr-test-001 opendistro_security 126.96.36.199
escdr-test-001 opendistro_sql 188.8.131.52
SSL cert for transport and https is currently loaded -
# openssl s_client -connect 127.0.0.1:9200 -showcerts | openssl x509 -noout -text
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Apr 29 06:16:43 2020 GMT
            Not After : Jul 28 06:16:43 2020 GMT
I replace the SSL cert on disk with an updated version - same issuer, same hostname, only major difference is the expiry date.
When I check the SSL certs API endpoint with a user with ‘admin_all’ privileges, there is no response -
When I attempt to reload the certs, there is no response.
The SSL cert is not reloaded.
Before I look into this much further - just checking if this feature works with PEM files as well as keystores?
PUT 127.0.0.1:9200/_opendistro/_security/api/ssl/transport/reloadcerts
PUT 127.0.0.1:9200/_opendistro/_security/api/ssl/http/reloadcerts
SSL hot reload is enabled in elasticsearch.yml -
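One way to tell from the outside whether a reload actually took effect, added here as an example that is not part of the original post or of the Open Distro project: compare the SHA-256 fingerprint of the PEM on disk with the certificate the HTTPS listener really serves, and read the validity window straight out of the DER with a small ASN.1 walk so that only the Python standard library is needed. The host, port and reloadcerts URL path are the ones from the post; `make_sample_pem` builds a constructed, structurally minimal certificate (stubbed issuer and signature) so the checks can be exercised offline, and is not a real certificate.

```python
import hashlib
import ssl
import urllib.request
from base64 import b64encode
from datetime import datetime, timezone

# --- minimal DER helpers (tags below 31 only, which is all X.509 uses) -------

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, value_bytes) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, buf[vs:ve]
        pos = ve


def _parse_time(tag: int, raw: bytes) -> datetime:
    """Decode UTCTime (0x17, two-digit year per RFC 5280) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = f"{yy + (1900 if yy >= 50 else 2000)}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


# --- the checks a practitioner wants ------------------------------------------

def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, the same thing `openssl x509 -fingerprint -sha256` hashes."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def validity(pem: str):
    """Return (notBefore, notAfter) as aware datetimes by walking the TBSCertificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    _, cert_s, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _read_tlv(der, cert_s)         # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                         # optional EXPLICIT [0] version
        fields = fields[1:]
    validity_bytes = fields[3][1]                    # serial, signature, issuer, validity, ...
    times = [_parse_time(t, v) for t, v in _children(validity_bytes, 0, len(validity_bytes))]
    return times[0], times[1]


def reload_took_effect(on_disk_pem: str, served_pem: str) -> bool:
    """True only when the listener serves exactly the certificate that is on disk."""
    return fingerprint(on_disk_pem) == fingerprint(served_pem)


def served_cert(host: str = "127.0.0.1", port: int = 9200) -> str:
    """Fetch the leaf certificate the TLS listener presents (no chain verification:
    the point is to observe what is served, not to trust it)."""
    return ssl.get_server_certificate((host, port))


def reload_certs(kind: str, user: str, password: str,
                 base: str = "https://127.0.0.1:9200", cafile: str = None) -> int:
    """PUT the reloadcerts endpoint from the post for kind 'transport' or 'http'; returns the HTTP status."""
    req = urllib.request.Request(f"{base}/_opendistro/_security/api/ssl/{kind}/reloadcerts", method="PUT")
    req.add_header("Authorization", "Basic " + b64encode(f"{user}:{password}".encode()).decode())
    ctx = ssl.create_default_context(cafile=cafile)  # trust your own CA when the node cert is private
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


# --- constructed sample: structurally minimal, NOT a real certificate --------

def _der(tag: int, content: bytes) -> bytes:
    """Short-form DER encoder; enough for the tiny sample below."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def make_sample_pem(not_before: str, not_after: str) -> str:
    """Build a PEM whose outer layout (version, serial, AlgorithmIdentifier, issuer,
    validity) is valid while the inner fields are empty stubs. Constructed for offline use."""
    def utc(s: str) -> bytes:
        return _der(0x17, s.encode("ascii"))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))          # [0] version = v3
               + _der(0x02, b"\x01")                    # serialNumber = 1
               + _der(0x30, b"")                        # signature AlgorithmIdentifier (stub)
               + _der(0x30, b"")                        # issuer Name (stub)
               + _der(0x30, utc(not_before) + utc(not_after)))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # + sigalg, signature (stubs)
    return ssl.DER_cert_to_PEM_cert(cert)


if __name__ == "__main__":
    old = make_sample_pem("200429061643Z", "200728061643Z")   # expiry window from the post
    new = make_sample_pem("200728061643Z", "201026061643Z")   # renewed copy with a later expiry
    print("listener still on old cert?", not reload_took_effect(new, old))
    print("served cert expires:", validity(old)[1].isoformat())
```

Against a live node, replace the sample with `open("/path/to/node.pem").read()` for the on-disk side and `served_cert()` for the served side, call `reload_certs("http", ...)`, then run `reload_took_effect` again; if the fingerprints still differ after the PUT, the reload did not happen regardless of what the API returned.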