Environment
Situation
...ERROR ... - SSL Problem General SSLEngine problem
[ERROR]...fatal alert: certificate_unknown
....CertPathValidatorException: validity check failed
b) The aucore container cannot start due to "Elasticsearch is not ready". The logs of the aucore container (docker logs aaf_aucore_1) contain the following error:
[2021-05-11T21:27:17,138][ERROR][c.f.s.s.h.n.SearchGuardSSLNettyHttpServerTransport] [NODE-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_expired
Resolution
Check the certificates' expiry status:
Enter the searchd container:
docker exec -it aaf_searchd_1 bash
Get the keystore password:
cat $AUCORE_DATA/es_data.json | grep keystore
Check the expiry status:
$JAVA_HOME/bin/keytool -v -list -keystore /usr/share/elasticsearch/config/searchguard/ssl/NODE-1-keystore.jks | grep "Valid from"
$JAVA_HOME/bin/keytool -v -list -keystore /usr/share/elasticsearch/config/searchguard/ssl/elastic-keystore.jks | grep "Valid from"
Before the following steps, it is strongly recommended to take a snapshot.
Re-generate the certificates:
Run inside the searchd container:
cd $ES_HOME/config/searchguard/ssl && rm .ca_pwd .ts_pwd .ks_pwd
Exit from the container:
exit
Restart the searchd container:
docker restart aaf_searchd_1
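The expiry check above relies on reading the "Valid from ... until" lines by eye. The following added example (not part of the original article or the product) labels each keystore entry as OK, EXPIRING or EXPIRED. The function name cert_expiry_report is hypothetical, keytool's English output format is assumed, and the sample input is constructed.

```shell
# Added example: classify each certificate in `keytool -v -list` output at
# day granularity (time of day and time zone are ignored).
# Usage inside the container (keytool prompts for the keystore password):
#   $JAVA_HOME/bin/keytool -v -list -keystore <keystore.jks> | cert_expiry_report
# Assumed line formats: "Alias name: ..." and
#   "Valid from: <date> until: Dow Mon DD HH:MM:SS TZ YYYY"
cert_expiry_report() {
  # $1 = reference date YYYYMMDD (default: today, UTC)
  # $2 = warning window in days (default: 30)
  today="${1:-$(date -u +%Y%m%d)}"
  warn_days="${2:-30}"
  awk -v today="$today" -v warn="$warn_days" '
    # Day number of a Gregorian date; only differences are used.
    function days(y, m, d) {
      if (m < 3) { y--; m += 12 }
      return 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*m - 457)/5) + d
    }
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
      for (i = 1; i <= 12; i++) mon[names[i]] = i
      now = days(substr(today,1,4)+0, substr(today,5,2)+0, substr(today,7,2)+0)
    }
    /^Alias name:/ { alias = $0; sub(/^Alias name:[ \t]*/, "", alias) }
    /Valid from:.*until:/ {
      u = $0; sub(/.*until:[ \t]*/, "", u)
      n = split(u, f, /[ \t]+/)          # f: Dow Mon DD HH:MM:SS TZ YYYY
      if (n < 6 || !(f[2] in mon)) { print "UNPARSED " alias ": " u; next }
      left = days(f[6]+0, mon[f[2]], f[3]+0) - now
      state = (left < 0) ? "EXPIRED" : (left <= warn) ? "EXPIRING" : "OK"
      printf "%s %s (until %s-%02d-%02d, %d days)\n", state, alias, f[6], mon[f[2]], f[3], left
    }'
}

# Constructed sample input (not real output from this system), checked
# against a fixed reference date so the result is reproducible:
cert_expiry_report 20210512 30 <<'EOF'
Alias name: node-1
Valid from: Sat May 11 21:27:17 UTC 2019 until: Tue May 11 21:27:17 UTC 2021
EOF
```

A certificate chain prints several "Valid from" lines under one alias; each is reported separately, so an expired CA certificate in the chain is visible as well.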