CA Signed Certificates

Hello!!

I am configuring CA signed certificates to use with a production-ready OpenSearch install using docker-compose. First I have to ask if certificates MUST be in PEM format? I am using a Windows CA and I can get a .pfx file and extract/convert the key and certificate. The issue I am having at the moment is that OpenSearch says it cannot read the file, with the following error.

“Likely root cause: OpenSearchException[Unable to read /usr/share/opensearch/config/opensearch-cert.pem (/usr/share/opensearch/config/opensearch-cert.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]”

I have tried different certificate formats and opening the permissions to 777. I am not sure what to try next; any help would be greatly appreciated.

The files specified by plugins.security.ssl.transport.pemkey_filepath and plugins.security.ssl.http.pemkey_filepath actually need to be in the PKCS8 (.pk8) format.
You should be able to convert your .pfx file to .pk8 with openssl.
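As an added, runnable example (not code from the thread or from the OpenSearch project), here is the openssl conversion described above carried through end to end: a constructed test CA and node certificate stand in for the Windows CA export, the .pfx is split into an unencrypted PKCS#8 key, the node certificate and the issuing CA certificate, the key is locked to mode 600 rather than 777, the three files are checked against each other, and the matching plugins.security.ssl.* settings are written out. The file names, the password `changeit`, and the retry with `-legacy` (which OpenSSL 3 needs for .pfx files that use the old RC2/3DES ciphers) are choices of this example, not of the thread.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: convert a Windows CA .pfx into the PEM files
# the OpenSearch security plugin's pem*_filepath settings expect, then verify them.
# Assumptions: the openssl CLI is installed; the .pfx contains the node key, the
# node certificate and the issuing CA certificate; file names and the password
# "changeit" are arbitrary choices of this example.
set -euo pipefail

WORK="$(mktemp -d)"

# openssl pkcs12 wrapper. OpenSSL 3 refuses the RC2/3DES ciphers that older
# Windows exports use unless -legacy is given, so retry with it if the plain
# call fails (on OpenSSL 1.1 the first call succeeds and -legacy is never used).
p12() {
  openssl pkcs12 "$@" 2>/dev/null || openssl pkcs12 -legacy "$@"
}

# Keep only the PEM certificate blocks; openssl pkcs12 also prints "Bag Attributes".
only_certs() { sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'; }

# Constructed input standing in for the .pfx exported from the Windows CA:
# a throwaway test CA signs a node certificate; key + cert + CA go into node.pfx.
make_sample_pfx() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Test-CA" \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=opensearch-node1" \
    -keyout "$d/node-key.pem" -out "$d/node.csr" 2>/dev/null
  openssl x509 -req -in "$d/node.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -days 1 -sha256 -out "$d/node.pem" 2>/dev/null
  openssl pkcs12 -export -passout pass:changeit -inkey "$d/node-key.pem" \
    -in "$d/node.pem" -certfile "$d/ca.pem" -out "$d/node.pfx"
}

# pfx_to_pem PFX PASSWORD OUTDIR: writes opensearch-key.pem (PKCS#8, unencrypted),
# opensearch-cert.pem (node certificate only) and root-ca.pem (issuing chain).
pfx_to_pem() {
  local pfx="$1" pass="$2" out="$3"
  mkdir -p "$out"
  p12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/key.tmp"
  # -topk8 turns a traditional "RSA PRIVATE KEY" into PKCS#8 "PRIVATE KEY" and is
  # a no-op if the key already is PKCS#8; -nocrypt because the plugin reads the
  # key unencrypted unless pemkey_password is configured.
  openssl pkcs8 -topk8 -nocrypt -in "$out/key.tmp" -out "$out/opensearch-key.pem"
  rm -f "$out/key.tmp"
  p12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys | only_certs > "$out/opensearch-cert.pem"
  p12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys | only_certs > "$out/root-ca.pem"
  # Private key readable by its owner only; the certificates are public anyway.
  chmod 600 "$out/opensearch-key.pem"
  chmod 644 "$out/opensearch-cert.pem" "$out/root-ca.pem"
}

# verify_pem_set OUTDIR: PKCS#8 header, key matches cert, cert chains to the CA.
verify_pem_set() {
  local out="$1"
  head -n1 "$out/opensearch-key.pem" | grep -qx -- '-----BEGIN PRIVATE KEY-----' &&
  [ "$(openssl x509 -in "$out/opensearch-cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$out/opensearch-key.pem" -pubout)" ] &&
  openssl verify -CAfile "$out/root-ca.pem" "$out/opensearch-cert.pem" >/dev/null
}

# write_yml_snippet OUTDIR: the settings that reference these files. Relative
# paths resolve against the config directory, so in Docker each file is mounted
# into /usr/share/opensearch/config/ next to opensearch.yml.
write_yml_snippet() {
  cat > "$1/opensearch-ssl.yml" <<'EOF'
plugins.security.ssl.transport.pemcert_filepath: opensearch-cert.pem
plugins.security.ssl.transport.pemkey_filepath: opensearch-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: opensearch-cert.pem
plugins.security.ssl.http.pemkey_filepath: opensearch-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
EOF
}

make_sample_pfx "$WORK"
pfx_to_pem "$WORK/node.pfx" changeit "$WORK/out"
write_yml_snippet "$WORK/out"
verify_pem_set "$WORK/out"
echo "PEM set written to $WORK/out and verified"
```

For the real export, replace `make_sample_pfx` with the .pfx from the Windows CA and its export password. The same plugin also accepts the .pfx directly through the keystore settings (plugins.security.ssl.transport.keystore_filepath with keystore_type PKCS12), so PEM is not the only option; the example follows the PEM settings named in this thread.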

@reshippie I will give this a shot! Are you saying that the files simply being in .pk8 format will solve the permissions issue or will I be facing the same error after converting?

I would expect it to work, as long as your Opensearch process has read-access to the file.

@reshippie I completed the conversion and I get the exact same error. Everything should have read permissions; I have them set to 777 on the entire file path, all the way to the certificate itself.

Do you have all of your other configuration files, like opensearch.yml, in /usr/share/opensearch/config, or are they somewhere like /etc/opensearch? I’ve found that OpenSearch wants to have the certificates in the same path as its configs.

I am using docker-compose, so my opensearch.yml file is in the same dir as my docker-compose.yml file, and I enable the opensearch.yml file in the volumes section of docker-compose. Inside my opensearch.yml file is where I see the above error happen.

If the Opensearch binary can find its config file and the certificate file in the same directory, or in a subdirectory, then I’m unfortunately out of ideas of what could be wrong. Sorry.


@michael.anderton Could you share your docker-compose.yml content?

Mode 777 is likely what’s causing your error. You don’t want to give the ‘other’ users read/write/execute permissions to your private key. OpenSSL will complain if you attempt to use a key that has insecure permissions.

I would make sure the owner and group have read/write and nothing for everyone else. Try a chmod 400.

-Nate

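An added example (not from the thread) for checking the permission side of this error the way the file is seen from inside the container. It assumes the official OpenSearch image runs its process as UID 1000 (user opensearch) and relies on a Docker bind mount presenting the host's numeric owner, group and mode bits unchanged. The readable_by function applies the owner/group/other read bits in the order the kernel does, so from the host you can ask "can UID 1000 read this key?" before starting the stack: mode 777 makes the answer yes for every UID, while chmod 400 only keeps it yes if the file is owned by that UID. The file name and the UID are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: decide from the host whether the UID the
# OpenSearch process uses inside the container can read a bind-mounted key file.
# Assumption: the official image runs as UID 1000 ("opensearch"); a bind mount
# keeps the host's numeric owner/group and mode bits, so that UID is what matters.
set -euo pipefail

OPENSEARCH_UID=1000   # assumed UID of the container's opensearch user

# Owner UID, group GID and octal mode; GNU stat first, then BSD/macOS stat.
file_uid()  { stat -c %u  "$1" 2>/dev/null || stat -f %u  "$1"; }
file_gid()  { stat -c %g  "$1" 2>/dev/null || stat -f %g  "$1"; }
file_mode() { stat -c %a  "$1" 2>/dev/null || stat -f %Lp "$1"; }

# readable_by FILE UID [GID]: exit 0 if that UID (optionally in that GID) can read
# FILE by the owner/group/other bits alone, checked in the order the kernel uses.
# Root always can; ACLs and mount options are ignored on purpose.
readable_by() {
  local f="$1" uid="$2" gid="${3:-}" mode bits
  [ "$uid" = 0 ] && return 0
  mode=$(( 10#$(file_mode "$f") % 1000 ))       # drop setuid/setgid/sticky digit
  if [ "$(file_uid "$f")" = "$uid" ]; then
    bits=$(( mode / 100 ))                      # owner class
  elif [ -n "$gid" ] && [ "$(file_gid "$f")" = "$gid" ]; then
    bits=$(( (mode / 10) % 10 ))                # group class
  else
    bits=$(( mode % 10 ))                       # other class: what 777 opens up
  fi
  [ $(( bits & 4 )) -ne 0 ]
}

# explain FILE UID: say whether the container user can read FILE and what to do
# about it (chown needs root, so the command is printed rather than run).
explain() {
  local f="$1" uid="$2"
  if readable_by "$f" "$uid"; then
    if [ $(( 10#$(file_mode "$f") % 10 & 4 )) -ne 0 ]; then
      echo "$f: readable by UID $uid but also by everyone (mode $(file_mode "$f")); run: chown $uid $f && chmod 400 $f"
    else
      echo "$f: readable by UID $uid and not by others (mode $(file_mode "$f")) - good"
    fi
  else
    echo "$f: NOT readable by UID $uid (owner $(file_uid "$f"), mode $(file_mode "$f")); run as root: chown $uid $f && chmod 400 $f"
  fi
}

# Demo on a constructed placeholder file: 777 lets any UID read it, 400 only the owner.
KEY="$(mktemp)"
echo "-----BEGIN PRIVATE KEY-----" > "$KEY"   # placeholder content, not a real key
chmod 777 "$KEY"; explain "$KEY" "$OPENSEARCH_UID"
chmod 400 "$KEY"; explain "$KEY" "$OPENSEARCH_UID"
rm -f "$KEY"
```

Before any of this, confirm the mount actually landed where opensearch.yml expects it, since the error text only says the path could not be read: `docker compose exec opensearch ls -l /usr/share/opensearch/config/` should list the .pem files with the owner and mode the script reports on the host. In docker-compose the mount is a line of the form `- ./opensearch-key.pem:/usr/share/opensearch/config/opensearch-key.pem:ro` under the service's `volumes:`.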