Certificate expiration in searchd container

  • 7025172
  • 23-Jun-2021
  • 23-Jun-2021


Advanced Authentication 6.x


Possible issues:
a) A stream of searchd and webd errors appears in syslog:

...ERROR ... - SSL Problem General SSLEngine problem

[ERROR]...fatal alert: certificate_unknown

....CertPathValidatorException: validity check failed

b) The aucore container cannot start due to "Elasticsearch is not ready". The logs of the aucore container (docker logs aaf_aucore_1) contain the warning:

WARNI [aucore.scripts.wait_elastic] ConnectionTimeout caused by - ReadTimeoutError(HTTPSConnectionPool(host='', port=9200): Read timed out. (read timeout=1))

The logs of the searchd container (docker logs aaf_searchd_1) contain the error:

[2021-05-11T21:27:17,138][ERROR][c.f.s.s.h.n.SearchGuardSSLNettyHttpServerTransport] [NODE-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_expired


Check the certificates' expiry status:

Enter the searchd container:

docker exec -it aaf_searchd_1 bash

Get the keystore password (keytool prompts for it in the next step):

cat $AUCORE_DATA/es_data.json | grep keystore

Check the expiry status:

$JAVA_HOME/bin/keytool -v -list -keystore /usr/share/elasticsearch/config/searchguard/ssl/NODE-1-keystore.jks | grep "Valid from"

$JAVA_HOME/bin/keytool -v -list -keystore /usr/share/elasticsearch/config/searchguard/ssl/elastic-keystore.jks | grep "Valid from"
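The grep commands above print raw "Valid from ... until ..." ranges that still have to be compared against the current date by eye. The following added example (not part of the original article or of the product) reads the same keytool -v -list output on stdin and labels each certificate EXPIRED, EXPIRING or OK. The function names and the sample data are constructed for illustration, and GNU date is assumed.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. check_validity and sample_keytool_output are
# hypothetical names. Requires GNU date (for -d).

# Usage: keytool -v -list -keystore <file> | check_validity NOW_EPOCH WARN_DAYS
# Prints "<STATUS> <alias> <whole days left>" for every certificate found.
# Returns 1 if any certificate is expired, 2 if only parse failures occurred.
check_validity() {
  local now=$1 warn=$2 alias="?" line until_str until_epoch status rc=0
  while IFS= read -r line; do
    case $line in
      "Alias name: "*)
        alias=${line#Alias name: } ;;
      *"Valid from: "*" until: "*)
        until_str=${line##* until: }
        # keytool prints Java's Date.toString() form, for example
        # "Thu May 06 21:27:17 UTC 2021". A zone name GNU date does not
        # know is reported as UNPARSED instead of being guessed.
        if ! until_epoch=$(date -u -d "$until_str" +%s 2>/dev/null); then
          echo "UNPARSED $alias $until_str"
          [ "$rc" -ne 0 ] || rc=2
          continue
        fi
        if [ "$until_epoch" -le "$now" ]; then
          status=EXPIRED; rc=1
        elif [ $((until_epoch - now)) -lt $((warn * 86400)) ]; then
          status=EXPIRING
        else
          status=OK
        fi
        echo "$status $alias $(( (until_epoch - now) / 86400 ))" ;;
    esac
  done
  return "$rc"
}

# Constructed sample in the layout of `keytool -v -list` output (not real data).
sample_keytool_output() {
  cat <<'EOF'
Alias name: node-1
Certificate[1]:
Valid from: Tue May 07 21:27:17 UTC 2019 until: Thu May 06 21:27:17 UTC 2021
Alias name: root-ca
Valid from: Mon Jun 03 00:00:00 UTC 2019 until: Tue Jun 01 00:00:00 UTC 2021
Alias name: elastic
Valid from: Tue May 11 21:27:17 UTC 2021 until: Wed May 10 21:27:17 UTC 2023
EOF
}

# Demo run against the constructed sample, warning 30 days ahead.
sample_keytool_output | check_validity "$(date +%s)" 30 || true
```

A non-zero return code makes the function usable from a scheduled job, so the expiry is noticed before Elasticsearch starts rejecting connections.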


Before the following steps, it's strongly recommended to make a snapshot.


Re-generate the certificates:

Run inside the searchd container:

cd $ES_HOME/config/searchguard/ssl && rm .ca_pwd .ts_pwd .ks_pwd

Exit from the container.


Restart the searchd container:

docker restart aaf_searchd_1



On bootstrap, the searchd container generates SSL certificates that are valid for 2 years. This Advanced Authentication server was installed more than 2 years ago, so the SSL certificates have expired.

Additional Information

Starting with version 6.3.5, the certificates are generated automatically.