News

Migrating the Certificate Authority (CA) for Elasticsearch Service to Let’s Encrypt

By
Shubha Anjur Tupil

At Elastic Cloud we are committed to offering our customers the most secure way to run their workloads in the cloud. To help ensure this commitment, we are migrating our TLS certificates to Let’s Encrypt to best support sustainable and fully automated certificate management as our product offerings and available regions continue to expand.

These changes will begin rolling out to Elastic Cloud regions beginning October 4, 2021, and are expected to be completed in all regions by October 29, 2021. 

The first region will be Azure southcentralus on October 4, 2021. After updating this region, we will pause the rollout to other regions for 14 days to allow for client validation. The remaining regions will begin being updated on October 18, 2021. We will post updates on our status page as the roll out happens across regions.

What is the change? 

We are migrating the TLS certificate on Elastic Cloud from DigiCert to Let’s Encrypt. The change in the Certification Authority (CA) might have an impact on some clients. Read more in the next sections. 

What is the impact on me?  

If you use clients that are not compatible with the Let’s Encrypt ISRG Root X1 certificate (see known incompatibilities), you must upgrade the clients or your certificate stores in order to trust the new certificates. 

How can I validate that my client supports the new certificate?

Let’s Encrypt capability information can be found at https://letsencrypt.org/docs/certificate-compatibility/ and certificate details can be found at https://letsencrypt.org/certificates/

Below are some common ways to validate that your certificate stores trust the Let’s Encrypt certificate:

Validate with OpenSSL using the following command: 

openssl s_client -servername valid-isrgrootx1.letsencrypt.org -showcerts -connect valid-isrgrootx1.letsencrypt.org:443

Validate with any http client against the following URL: 

https://valid-isrgrootx1.letsencrypt.org/

We will also be updating Azure southcentralus on October 4, 2021, with a 14-day validation window before moving forward with other regions. You can test clients against existing or new deployments in this region to validate they work with the new certificate.

What should I do if I have clients that do not support the Let’s Encrypt ISRG Root X1 certificate?

If there are many teams at your organization using various clients, we recommend sending them a note on the upcoming changes encouraging them to update their clients. If you still don’t know what to do, reach out to support@elastic.co

What will happen if I do nothing?

If your clients already support the new ISRG Root X1 certificate, then they will continue to work without issue. If you are running clients that do not support the new ISRG Root X1 certificate, these clients will not be able to establish a connection with your Elasticsearch cluster. 

All Elasticsearch Service customers will be contacted by email about these changes, we will send regular email reminders and status page updates closer to the dates when the changes will roll out.