Handling expired SSL certificates
Cause
All node certificates were signed with the same CA certificate generated in 2019, and the signed certificates are valid for 3 years. As a result, several customers have recently reported that their certificates have expired and cluster nodes fail to restart.
Symptoms
1. The cluster reports errors; the log is shown below. The log shows that the certificate expired at 01:47 on 28 January 2022:
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Mon Nov 28 01:47:25 CST 2022
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) ~[?:?]
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) ~[?:?]
at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190) ~[?:?]
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144) ~[?:?]
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125) ~[?:?]
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:223) ~[?:?]
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) ~[?:?]
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) ~[?:?]
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292) ~[?:1.8.0_162]
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:?]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601) ~[?:?]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_162]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1502) ~[netty-handler-4.1.35.Final.jar:4.1.35.Final]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1516) ~[netty-handler-4.1.35.Final.jar:4.1.35.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1400) ~[netty-handler-4.1.35.Final.jar:4.1.35.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1227) ~[netty-handler-4.1.35.Final.jar:4.1.35.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1274) ~[netty-handler-4.1.35.Final.jar:4.1.35.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-codec-4.1.35.Final.jar:4.1.35.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-codec-4.1.35.Final.jar:4.1.35.Final]
... 16 more
2. Run GET /_ssl/certificates in Kibana to see the details of the loaded certificates.
Steps to replace the certificate
1. Change to the ES root directory:
cd /app/elasticserach/xxxx/2xxxx/elasticsearch/
2. Back up the old certificate:
mv ./config/elastic-certificates.p12 ./config/elastic-certificates-old.p12
3. Generate a new certificate:
./bin/elasticsearch-certutil cert --ca config/elastic-stack-ca.p12
While generating the certificate you are prompted for a password three times. We do not set a password on the certificate, so simply press Enter at each prompt.
4. Replace the certificate:
cp elastic-certificates.p12 config/elastic-certificates.p12
5. ES checks the certificate file for changes every 5 seconds and reloads it automatically when a change is detected; the cluster does not need to be restarted.
The log prints a corresponding message when the certificate is reloaded.
6. Repeat steps 1-5 on every ES node in the cluster.
7. Run GET /_ssl/certificates in Kibana to verify that the certificate has been updated.
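As an added example (not part of the original note), a small Python check that reads the JSON returned by GET /_ssl/certificates and flags entries that are already expired or will expire within a warning window, so the expiry is caught before nodes fail to restart. The response below is constructed sample data in that API's shape, not output from a real cluster.

```python
"""Flag entries from GET /_ssl/certificates that are expired or close to expiry."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample response in the shape returned by GET /_ssl/certificates
# (path, format, alias, subject_dn, serial_number, has_private_key, expiry).
# Serial numbers and dates are made up for the example.
SAMPLE_RESPONSE = json.dumps([
    {"path": "config/elastic-certificates.p12", "format": "PKCS12", "alias": "ca",
     "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
     "serial_number": "01", "has_private_key": False,
     "expiry": "2022-11-27T17:47:25.000Z"},
    {"path": "config/elastic-certificates.p12", "format": "PKCS12", "alias": "instance",
     "subject_dn": "CN=instance", "serial_number": "02", "has_private_key": True,
     "expiry": "2023-01-10T00:00:00.000Z"},
    {"path": "config/elastic-stack-ca.p12", "format": "PKCS12", "alias": "ca",
     "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
     "serial_number": "01", "has_private_key": True,
     "expiry": "2025-11-27T17:47:25.000Z"},
])


def parse_expiry(value: str) -> datetime:
    """Parse the API's ISO-8601 'expiry' string (e.g. 2022-11-27T17:47:25.000Z) as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_certificates(response_json: str, now: datetime, warn_days: int = 30) -> list:
    """Return (alias, path, days_left, status) for each entry that is expired or
    expires within warn_days. days_left is rounded down; negative means expired."""
    findings = []
    for entry in json.loads(response_json):
        expiry = parse_expiry(entry["expiry"])
        days_left = (expiry - now) // timedelta(days=1)
        if expiry <= now:
            status = "EXPIRED"
        elif expiry - now <= timedelta(days=warn_days):
            status = "EXPIRING"
        else:
            continue  # comfortably within validity, nothing to report
        findings.append((entry["alias"], entry["path"], days_left, status))
    return findings


if __name__ == "__main__":
    now = parse_expiry("2022-12-20T00:00:00.000Z")  # constructed "current" time
    for alias, path, days, status in check_certificates(SAMPLE_RESPONSE, now):
        print(f"{status:8} {path} ({alias}): {days:+d} days")
```

Pipe the real API response into check_certificates in place of SAMPLE_RESPONSE and run it from a scheduled job; any EXPIRED entry for a node certificate is the situation the log above shows.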