CA Signed Certificates

michael.anderton · May 27, 2022, 3:05pm

Hello!!

I am configuring CA signed certificates to use with a production ready opensearch install using docker-compose. First I have to ask if certificates MUST be in PEM format? I am using a windows CA and I can get a .pfx file and extract/convert the key and certificate. The issue I am having at the moment is that opensearch says it can not read the file with the following error.

“Likely root cause: OpenSearchException[Unable to read /usr/share/opensearch/config/opensearch-cert.pem (/usr/share/opensearch/config/opensearch-cert.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]”

I have tried different certificate formats, opening the permissions to 777. I am not sure what to try next, any help would be greatly appreciated.

reshippie · May 27, 2022, 5:30pm

The files specified by plugins.security.ssl.transport.pemkey_filepath and plugins.security.ssl.http.pemkey_filepath actually need to in the PKCS8 (.pk8) format.
You should be able to convert your .pfx file to .pk8 with openssl.

michael.anderton · May 27, 2022, 6:01pm

@reshippie I will give this a shot! Are you saying that the files simply being in .pk8 format will solve the permissions issue or will I be facing the same error after converting?

reshippie · May 27, 2022, 6:05pm

I would expect it to work, as long as your Opensearch process has read-access to the file.

michael.anderton · May 27, 2022, 6:20pm

@reshippie I completed the conversion and I get the exact same error. Everything should have read permissions, I have them set to 777 on the entire file path all the way to the certificate itself.

reshippie · May 27, 2022, 6:30pm

Do you have all of your other configuration files, like opensearch.yml in /usr/share/opensearch/config or are they in someplace like /etc/opensearch? I’ve found that Opensearch wants to have the certificates in the same path as its configs.

michael.anderton · May 27, 2022, 6:45pm

I am using docker-compose so my opensearch.yml file is in the same dir as my docker-compose.yml file so I enable the opensearch.yml file in the volumes section of docker-compose. Inside my opensearch.yml file is where I see the above error happen.

reshippie · May 27, 2022, 6:51pm

If the Opensearch binary can find its config file and the certificate file in the same directory, or in a subdirectory, then I’m unfortunately out of ideas of what could be wrong. Sorry.

kris · June 6, 2022, 9:06pm

moved to Security category

pablo · June 8, 2022, 2:23pm

@michael.anderton Could you share your docker-compose.yml content?

nateynate · June 8, 2022, 7:37pm

Mode 777 is likely what’s causing your error. You don’t want to give the ‘other’ users read/write/execute permissions to your private key. OpenSSL will complain if you attempt to use a key that has insecure permissions.

I would make sure the owner and group have read/write and nothing for everyone else. Try a chmod 400

-Nate

Topic		Replies	Views
Windows CA Certificates Security troubleshoot , configure	6	982	August 16, 2022
SSL Certificate Error "unknown_certificate" Security	32	7247	August 17, 2022
TLS configuration with organizational certs Security troubleshoot , configure	2	617	January 21, 2022
Opensearch truststore issue Security	4	2090	June 21, 2023
Opensearch certificate Security	1	930	May 23, 2023

CA Signed Certificates

Related topics