Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): OpenSearch 1.3.0
Describe the issue:
We are trying to install OpenSearch using the operator on OpenShift.
We have already created secrets for admin and CA, but the CA certificate inside the pod is showing as a folder, and no file for the CA certificate is getting created.
Here is the result from inside pod:
sh-4.2$ cat /usr/share/opensearch/config/tls-http/
ca.crt/ tls.crt tls.key
Hence, we are getting this error from OpenSearch:
Caused by: java.security.cert.CertificateException: could not find certificate file: /usr/share/opensearch/config/tls-http/ca.crt
at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:69) ~[?:?]
at io.netty.h
uncaught exception in thread [main]
java.lang.IllegalStateException: failed to load plugin class
Please let us know what could be the root cause of a folder being created with the name ca.crt instead of a file.
Also, what if I want to install OpenSearch 2.4 using the operator?
Configuration:
opensearch.yml—
sh-4.2$ cat config/opensearch.yml
plugins.security.audit.type: internal_opensearch
plugins.security.authcz.admin_dn: ["CN=admin,OU=my-cluster"]
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn: ["CN=my-cluster-,OU=my-cluster"]
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: tls-http/tls.crt
plugins.security.ssl.http.pemkey_filepath: tls-http/tls.key
plugins.security.ssl.http.pemtrustedcas_filepath: tls-http/ca.crt
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.ssl.transport.pemcert_filepath: tls-transport/${HOSTNAME}.crt
plugins.security.ssl.transport.pemkey_filepath: tls-transport/${HOSTNAME}.key
plugins.security.ssl.transport.pemtrustedcas_filepath: tls-transport/ca.crt
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config",".opendistro-alerting-alert",".opendistro-anomaly-results*",".opendistro-anomaly-detector*",".opendistro-anomaly-checkpoints",".opendistro-anomaly-detection-state",".opendistro-reports-",".opendistro-notifications-",".opendistro-notebooks",".opensearch-observability",".opendistro-asynchronous-search-response*",".replication-metadata-store"]
CR file starting contents:
apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: my-cluster
  namespace: default
spec:
  security:
    tls: # Everything related to TLS configuration
      http: # Configuration of the HTTP endpoint
        generate: false # Have the Operator generate and sign certificates
        secret:
          name: my-tls-secret
        caSecret:
          name: my-ca-tls-secret
      transport: # Configuration of the transport endpoint
        generate: true # Have the operator generate and sign certificates
        perNode: true # Separate certificate per node
Content of secret file:
[user@drinkers1 tools]$ oc get secret | grep tls
my-ca-tls-secret kubernetes.io/tls 2 21h
my-cluster-admin-cert kubernetes.io/tls 3 37m
my-tls-secret kubernetes.io/tls 2 37m
tls-secret kubernetes.io/tls 2 103d
Relevant Logs or Screenshots:
Caused by: java.security.cert.CertificateException: could not find certificate file: /usr/share/opensearch/config/tls-http/ca.crt
at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:69) ~[?:?]
at io.netty.h
uncaught exception in thread [main]
java.lang.IllegalStateException: failed to load plugin class
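
A check that fits this symptom, added here as an example and not part of the original post: compare the data keys each Secret actually holds with the file names the opensearch.yml paths above point to (tls-http/tls.crt, tls-http/tls.key, tls-http/ca.crt). It assumes the CA file is taken from a `ca.crt` key of the Secret named under caSecret; the Secret manifests are constructed and mirror only the names, type and DATA count shown in the `oc get secret` output.

```python
import base64

# File names opensearch.yml expects under tls-http/, per Secret named in the CR.
EXPECTED = {
    "my-tls-secret": {"tls.crt", "tls.key"},
    "my-ca-tls-secret": {"ca.crt"},  # assumption: CA is read from a ca.crt key
}

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed placeholder PEM bodies, not real key material.
_CERT = "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
_KEY = "-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n"

def _tls_secret(name):
    # A kubernetes.io/tls Secret must carry tls.crt and tls.key; DATA=2 means only those.
    return {"metadata": {"name": name}, "type": "kubernetes.io/tls",
            "data": {"tls.crt": _b64(_CERT), "tls.key": _b64(_KEY)}}

# Constructed stand-in for `oc get secret <name> -o json` output.
SAMPLE_SECRETS = [_tls_secret("my-tls-secret"), _tls_secret("my-ca-tls-secret")]

def check_secret(secret, required):
    """Return a list of problems for one Secret manifest."""
    name = secret["metadata"]["name"]
    data = secret.get("data") or {}
    problems = []
    for key in sorted(required):
        if key not in data:
            problems.append(f"{name}: key {key!r} missing (has {sorted(data)})")
            continue
        try:
            decoded = base64.b64decode(data[key], validate=True)
        except ValueError:
            problems.append(f"{name}: key {key!r} is not valid base64")
            continue
        if not decoded.lstrip().startswith(b"-----BEGIN "):
            problems.append(f"{name}: key {key!r} is not PEM")
    return problems

def audit(secrets):
    """Check every Secret that has an entry in EXPECTED."""
    problems = []
    for secret in secrets:
        required = EXPECTED.get(secret["metadata"]["name"])
        if required:
            problems += check_secret(secret, required)
    return problems

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SECRETS)) or "all expected keys present")
```
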