Merge pull request #15264 from Security-Onion-Solutions/reyesj2-patch-2

add force & certs flag to update fleet certs as needed
add --certs flag to update certs. Used with --force, to ensure certs are updated even if hosts update isn't needed
2026-01-08 01:03:13 +01:00 · 2025-12-01 11:11:25 -06:00 · 2025-11-25 16:16:19 -06:00
7 changed files with 107 additions and 51 deletions
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -10,7 +10,7 @@ x509_signing_policies:
    - keyUsage: "digitalSignature, nonRepudiation"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
-    - days_valid: 9
+    - days_valid: 820
    - copypath: /etc/pki/issued_certs/
  registry:
    - minions: '*'
@@ -24,7 +24,7 @@ x509_signing_policies:
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - extendedKeyUsage: serverAuth
-    - days_valid: 9
+    - days_valid: 820
    - copypath: /etc/pki/issued_certs/
  managerssl:
    - minions: '*'
@@ -38,7 +38,7 @@ x509_signing_policies:
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - extendedKeyUsage: serverAuth
-    - days_valid: 9
+    - days_valid: 820
    - copypath: /etc/pki/issued_certs/
  influxdb:
    - minions: '*'
@@ -52,7 +52,7 @@ x509_signing_policies:
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - extendedKeyUsage: serverAuth
-    - days_valid: 9
+    - days_valid: 820
    - copypath: /etc/pki/issued_certs/
  elasticfleet:
    - minions: '*'
@@ -65,7 +65,7 @@ x509_signing_policies:
    - keyUsage: "digitalSignature, nonRepudiation"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
-    - days_valid: 9
+    - days_valid: 820
    - copypath: /etc/pki/issued_certs/
  kafka:
    - minions: '*'
@@ -79,5 +79,5 @@ x509_signing_policies:
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - extendedKeyUsage: "serverAuth, clientAuth"
-    - days_valid: 9
+    - days_valid: 820
    - copypath: /etc/pki/issued_certs/
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -39,8 +39,8 @@ pki_public_ca_crt:
    - extendedkeyUsage: "serverAuth, clientAuth"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid:always, issuer
-    - days_valid: 11
-    - days_remaining: 7
+    - days_valid: 3650
+    - days_remaining: 0
    - backup: True
    - replace: False
    - require:
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -32,6 +32,16 @@ so-elastic-fleet-auto-configure-logstash-outputs:
    - retry:
        attempts: 4
        interval: 30
+
+{# Separate from above in order to catch elasticfleet-logstash.crt changes and force update to fleet output policy #}
+so-elastic-fleet-auto-configure-logstash-outputs-force:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-fleet-outputs-update --force --certs
+    - retry:
+        attempts: 4
+        interval: 30
+    - onchanges:
+        - x509: etc_elasticfleet_logstash_crt
 {% endif %}

 # If enabled, automatically update Fleet Server URLs & ES Connection
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
@@ -8,6 +8,27 @@

 . /usr/sbin/so-common

+FORCE_UPDATE=false
+UPDATE_CERTS=false
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -f|--force)
+      FORCE_UPDATE=true
+      shift
+      ;;
+    -c| --certs)
+      UPDATE_CERTS=true
+      shift
+      ;;
+    *)
+      echo "Unknown option $1"
+      echo "Usage: $0 [-f|--force] [-c|--certs]"
+      exit 1
+      ;;
+  esac
+done
+
 # Only run on Managers
 if ! is_manager_node; then
    printf "Not a Manager Node... Exiting"
@@ -17,17 +38,42 @@ fi
 function update_logstash_outputs() {
    if logstash_policy=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/outputs/so-manager_logstash" --retry 3 --retry-delay 10 --fail 2>/dev/null); then
        SSL_CONFIG=$(echo "$logstash_policy" | jq -r '.item.ssl')
+        LOGSTASHKEY=$(openssl rsa -in  /etc/pki/elasticfleet-logstash.key)
+        LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt)
+        LOGSTASHCA=$(openssl x509 -in  /etc/pki/tls/certs/intca.crt)
        if SECRETS=$(echo "$logstash_policy" | jq -er '.item.secrets' 2>/dev/null); then
-            JSON_STRING=$(jq -n \
-                --arg UPDATEDLIST "$NEW_LIST_JSON" \
-                --argjson SECRETS "$SECRETS" \
-                --argjson SSL_CONFIG "$SSL_CONFIG" \
-                '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl": $SSL_CONFIG,"secrets": $SECRETS}')
+            if [[ "$UPDATE_CERTS" != "true"  ]]; then
+                # Reuse existing secret
+                JSON_STRING=$(jq -n \
+                    --arg UPDATEDLIST "$NEW_LIST_JSON" \
+                    --argjson SECRETS "$SECRETS" \
+                    --argjson SSL_CONFIG "$SSL_CONFIG" \
+                    '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl": $SSL_CONFIG,"secrets": $SECRETS}')
+            else
+                # Update certs, creating new secret
+                JSON_STRING=$(jq -n \
+                    --arg UPDATEDLIST "$NEW_LIST_JSON" \
+                    --arg LOGSTASHKEY "$LOGSTASHKEY" \
+                    --arg LOGSTASHCRT "$LOGSTASHCRT" \
+                    --arg LOGSTASHCA "$LOGSTASHCA" \
+                    '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl": {"certificate": $LOGSTASHCRT,"certificate_authorities":[ $LOGSTASHCA ]},"secrets": {"ssl":{"key": $LOGSTASHKEY }}}')
+            fi
        else
-            JSON_STRING=$(jq -n \
-                --arg UPDATEDLIST "$NEW_LIST_JSON" \
-                --argjson SSL_CONFIG "$SSL_CONFIG" \
-                '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl": $SSL_CONFIG}')
+            if [[ "$UPDATE_CERTS" != "true" ]]; then
+                # Reuse existing ssl config
+                JSON_STRING=$(jq -n \
+                    --arg UPDATEDLIST "$NEW_LIST_JSON" \
+                    --argjson SSL_CONFIG "$SSL_CONFIG" \
+                    '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl": $SSL_CONFIG}')
+            else
+                # Update ssl config
+                JSON_STRING=$(jq -n \
+                    --arg UPDATEDLIST "$NEW_LIST_JSON" \
+                    --arg LOGSTASHKEY "$LOGSTASHKEY" \
+                    --arg LOGSTASHCRT "$LOGSTASHCRT" \
+                    --arg LOGSTASHCA "$LOGSTASHCA" \
+                    '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl": {"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]}}')
+            fi
        fi
    fi

@@ -151,7 +197,7 @@ NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "$
 NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')

 # Compare the current & new list of outputs - if different, update the Logstash outputs
-if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
+if [[ "$NEW_HASH" = "$CURRENT_HASH" ]] && [[ "$FORCE_UPDATE" != "true" ]]; then
    printf "\nHashes match - no update needed.\n"
    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"

--- a/salt/kafka/ssl.sls
+++ b/salt/kafka/ssl.sls
@@ -44,8 +44,8 @@ kafka_client_crt:
    - signing_policy: kafka
    - private_key: /etc/pki/kafka-client.key
    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -92,8 +92,8 @@ kafka_crt:
    - signing_policy: kafka
    - private_key: /etc/pki/kafka.key
    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -153,8 +153,8 @@ kafka_logstash_crt:
    - signing_policy: kafka
    - private_key: /etc/pki/kafka-logstash.key
    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -198,4 +198,4 @@ kafka_logstash_pkcs12_perms:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed

-{% endif %}
+{% endif %}
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -64,8 +64,8 @@ managerssl_crt:
    - private_key: /etc/pki/managerssl.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}" 
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -84,8 +84,8 @@ influxdb_crt:
    - private_key: /etc/pki/influxdb.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} 
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -123,8 +123,8 @@ redis_crt:
    - signing_policy: registry
    - private_key: /etc/pki/redis.key
    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -165,8 +165,8 @@ etc_elasticfleet_crt:
    - private_key: /etc/pki/elasticfleet-server.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -222,8 +222,8 @@ etc_elasticfleet_logstash_crt:
    - private_key: /etc/pki/elasticfleet-logstash.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -283,8 +283,8 @@ etc_elasticfleetlumberjack_crt:
    - private_key: /etc/pki/elasticfleet-lumberjack.key
    - CN: {{ GLOBALS.node_ip }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -350,8 +350,8 @@ etc_elasticfleet_agent_crt:
    - signing_policy: elasticfleet
    - private_key: /etc/pki/elasticfleet-agent.key
    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -412,8 +412,8 @@ etc_filebeat_crt:
    - private_key: /etc/pki/filebeat.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -483,8 +483,8 @@ registry_crt:
    - signing_policy: registry
    - private_key: /etc/pki/registry.key
    - CN: {{ GLOBALS.manager }}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -521,8 +521,8 @@ regkeyperms:
    - private_key: /etc/pki/elasticsearch.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -582,8 +582,8 @@ conf_filebeat_crt:
    - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -636,8 +636,8 @@ chownfilebeatp8:
    - private_key: /etc/pki/elasticsearch.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
@@ -686,8 +686,8 @@ elasticfleet_kafka_crt:
    - private_key: /etc/pki/elasticfleet-kafka.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 7
-    - days_valid: 9
+    - days_remaining: 0
+    - days_valid: 820
    - backup: True
    - timeout: 30
    - retry:
Author	SHA1	Message	Date
Jorge Reyes	6fbed2dd9f	Merge pull request #15264 from Security-Onion-Solutions/reyesj2-patch-2 add force & certs flag to update fleet certs as needed	2025-12-01 11:11:25 -06:00
reyesj2	edf3c9464f	add --certs flag to update certs. Used with --force, to ensure certs are updated even if hosts update isn't needed	2025-11-25 16:16:19 -06:00