I am configuring CA-signed certificates to use with a production-ready OpenSearch install using docker-compose. First I have to ask if certificates MUST be in PEM format? I am using a Windows CA and I can get a .pfx file and extract/convert the key and certificate. The issue I am having at the moment is that OpenSearch says it cannot read the file with the following error.
“Likely root cause: OpenSearchException[Unable to read /usr/share/opensearch/config/opensearch-cert.pem (/usr/share/opensearch/config/opensearch-cert.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]”
I have tried different certificate formats and opening the permissions to 777. I am not sure what to try next; any help would be greatly appreciated.
The files specified by plugins.security.ssl.http.pemkey_filepath actually need to be in the PKCS8 (.pk8) format.
You should be able to convert your .pfx file to .pk8 with openssl.
@reshippie I will give this a shot! Are you saying that the files simply being in .pk8 format will solve the permissions issue or will I be facing the same error after converting?
I would expect it to work, as long as your OpenSearch process has read access to the file.
@reshippie I completed the conversion and I get the exact same error. Everything should have read permissions; I have them set to 777 on the entire file path, all the way to the certificate itself.
Do you have all of your other configuration files, like opensearch.yml, in /usr/share/opensearch/config, or are they in someplace like /etc/opensearch? I’ve found that OpenSearch wants to have the certificates in the same path as its configs.
I am using docker-compose, so my opensearch.yml file is in the same dir as my docker-compose.yml file, and I enable the opensearch.yml file in the volumes section of docker-compose. Inside my opensearch.yml file is where I see the above error happen.
If the OpenSearch binary can find its config file and the certificate file in the same directory, or in a subdirectory, then I’m unfortunately out of ideas about what could be wrong. Sorry.
@michael.anderton Could you share your docker-compose.yml content?
Mode 777 is likely what’s causing your error. You don’t want to give the ‘other’ users read/write/execute permissions to your private key. OpenSSL will complain if you attempt to use a key that has insecure permissions.
I would make sure the owner and group have read/write and nothing for everyone else. Try a
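The two practical points raised in this thread, converting the Windows CA export into the PEM certificate plus PKCS#8 key that the security plugin expects, and then keeping the private key away from the "other" permission bits instead of opening it to 777, are shown together in the following script. It is an added example and not code from any poster or from the OpenSearch project; the throwaway self-signed certificate and the PFX export password are constructed stand-ins for a real CA export, the working directory and file names (`opensearch.pfx`, `opensearch-cert.pem`, `opensearch-key.pem`) are assumptions, and the script does not know which user your container runs as, so chown the resulting key to that user yourself before mounting it.

```shell
#!/bin/sh
# Added example (not from the thread): take a PKCS#12 bundle like the one a Windows CA
# export produces, split it into the PEM certificate and the unencrypted PKCS#8 key
# that plugins.security.ssl.*.pemcert_filepath / pemkey_filepath read, and restrict
# the key so that only its owner can read it.
set -eu

WORK="${WORK:-$(mktemp -d)}"            # scratch directory; everything in it is constructed
PFX_PASS="${PFX_PASS:-export-password}" # password set on the PFX export (constructed)

# Step 0 (demo only): fabricate a self-signed leaf and wrap it in a .pfx. A real
# deployment skips this and starts from the .pfx downloaded from the Windows CA.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=opensearch-node1.example.test" \
        -keyout "$WORK/demo-key.pem" -out "$WORK/demo-cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/demo-key.pem" -in "$WORK/demo-cert.pem" \
        -out "$WORK/opensearch.pfx" -passout "pass:$PFX_PASS"
}

# Step 1: PFX -> PEM certificate (leaf certificate only). Piping through
# `openssl x509` strips the PKCS#12 bag attributes so only the PEM block remains.
extract_cert() {
    openssl pkcs12 -in "$WORK/opensearch.pfx" -passin "pass:$PFX_PASS" \
        -clcerts -nokeys 2>/dev/null \
      | openssl x509 -out "$WORK/opensearch-cert.pem"
}

# Step 2: PFX -> unencrypted PKCS#8 key ("-----BEGIN PRIVATE KEY-----"), the form the
# plugin expects for pemkey_filepath. `openssl pkcs8 -topk8 -nocrypt` normalises
# older OpenSSL builds that would otherwise emit a traditional "RSA PRIVATE KEY" block.
extract_key() {
    openssl pkcs12 -in "$WORK/opensearch.pfx" -passin "pass:$PFX_PASS" \
        -nocerts -nodes 2>/dev/null \
      | openssl pkcs8 -topk8 -nocrypt -out "$WORK/opensearch-key.pem"
}

# Step 3: permissions. The private key gets owner read/write and nothing for group or
# other; the certificate is public material and may stay world-readable.
lock_down() {
    chmod 600 "$WORK/opensearch-key.pem"
    chmod 644 "$WORK/opensearch-cert.pem"
}

# Succeeds only when the file's 'other' permission bits are all clear,
# so 600 and 640 pass while 644 and 777 fail.
key_mode_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Run the whole pipeline: demo export, conversion, lock-down.
convert_all() {
    make_demo_pfx && extract_cert && extract_key && lock_down
}

if [ "${1:-}" = "run" ]; then
    convert_all && ls -l "$WORK"
fi
```

Run it as `sh convert.sh run` to see the resulting files and their modes. The produced `opensearch-cert.pem` and `opensearch-key.pem` are what you mount into `/usr/share/opensearch/config/` next to `opensearch.yml`; keep the key at mode 600 (or 640 if the container's group needs it) and chown it to the user the OpenSearch container runs as, rather than widening it to 777.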