CA Signed Certificates


I am configuring CA-signed certificates to use with a production-ready OpenSearch install using docker-compose. First I have to ask if certificates MUST be in PEM format? I am using a Windows CA and I can get a .pfx file and extract/convert the key and certificate. The issue I am having at the moment is that OpenSearch says it cannot read the file, with the following error.

“Likely root cause: OpenSearchException[Unable to read /usr/share/opensearch/config/opensearch-cert.pem (/usr/share/opensearch/config/opensearch-cert.pem). Please make sure this files exists and is readable regarding to permissions. Property:]”

I have tried different certificate formats, opening the permissions to 777. I am not sure what to try next, any help would be greatly appreciated.

The files specified by and actually need to be in the PKCS8 (.pk8) format.
You should be able to convert your .pfx file to .pk8 with openssl.

@reshippie I will give this a shot! Are you saying that the files simply being in .pk8 format will solve the permissions issue or will I be facing the same error after converting?

I would expect it to work, as long as your Opensearch process has read-access to the file.

@reshippie I completed the conversion and I get the exact same error. Everything should have read permissions, I have them set to 777 on the entire file path all the way to the certificate itself.

Do you have all of your other configuration files, like opensearch.yml in /usr/share/opensearch/config or are they in someplace like /etc/opensearch? I’ve found that Opensearch wants to have the certificates in the same path as its configs.

I am using docker-compose so my opensearch.yml file is in the same dir as my docker-compose.yml file so I enable the opensearch.yml file in the volumes section of docker-compose. Inside my opensearch.yml file is where I see the above error happen.

If the Opensearch binary can find its config file and the certificate file in the same directory, or in a subdirectory, then I’m unfortunately out of ideas of what could be wrong. Sorry.


@michael.anderton Could you share your docker-compose.yml content?

Mode 777 is likely what’s causing your error. You don’t want to give the ‘other’ users read/write/execute permissions to your private key. OpenSSL will complain if you attempt to use a key that has insecure permissions.

I would make sure the owner and group have read/write and nothing for everyone else. Try a chmod 400.
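The two pieces of advice in this thread, converting the .pfx with openssl and tightening the key's mode, can be done in one short script. The following is an added example, not code from the thread or from the OpenSearch project: it builds a throwaway self-signed certificate and packs it into a .pfx to stand in for the Windows CA export, then splits that .pfx into the leaf certificate, the CA chain and an unencrypted PKCS#8 key, and checks the result. `WORK`, `PFX_PASS`, the file names and the CN are hypothetical; only the `openssl` command line is real.

```shell
#!/bin/sh
# Added example (not from the thread): round-trip a throwaway certificate
# through PKCS#12 and pull out the PEM files an OpenSearch node reads.
# Assumptions: openssl CLI on PATH; $WORK and $PFX_PASS are hypothetical
# names standing in for your real export directory and .pfx password.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-changeit}"

# Stand-in for the Windows CA export: a self-signed cert packed into a .pfx.
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=opensearch-node1" \
    -keyout "$WORK/test-key.pem" -out "$WORK/test-cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/test-key.pem" -in "$WORK/test-cert.pem" \
    -passout "pass:$PFX_PASS" -out "$WORK/node.pfx"
}

# Split a .pfx into leaf cert, CA chain and an unencrypted PKCS#8 key.
# Runs in a subshell so the umask does not leak to the caller.
pfx_to_pem() (
  pfx="$1"; outdir="$2"
  umask 077   # files are owner-only from the moment they are created
  # Leaf certificate; piping through x509 strips the "Bag Attributes" chatter.
  openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -out "$outdir/opensearch-cert.pem"
  # CA certificates, if the .pfx carries any (empty file otherwise).
  openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -cacerts -nokeys 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$outdir/root-ca.pem"
  # Private key, re-encoded as unencrypted PKCS#8 ("BEGIN PRIVATE KEY").
  openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
    | openssl pkcs8 -topk8 -nocrypt -out "$outdir/opensearch-key.pem"
  chmod 644 "$outdir/opensearch-cert.pem" "$outdir/root-ca.pem"
  chmod 600 "$outdir/opensearch-key.pem"
)

# First PEM line of a file, e.g. "-----BEGIN PRIVATE KEY-----" for PKCS#8.
pem_header() { head -n 1 "$1"; }

# Octal mode of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Prints "match" when the certificate's public key equals the key's public key.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ] && echo match || echo mismatch
}

# Usage: build the stand-in .pfx, convert it, then inspect what came out.
make_test_pfx
pfx_to_pem "$WORK/node.pfx" "$WORK"
pem_header "$WORK/opensearch-key.pem"
file_mode "$WORK/opensearch-key.pem"
cert_matches_key "$WORK/opensearch-cert.pem" "$WORK/opensearch-key.pem"
```

Mode 600 (or 400, as suggested above) only helps if the owner is the user the JVM runs as inside the container; the official OpenSearch image runs as uid 1000, so a key bind-mounted from a host account with a different uid and mode 600 is exactly a file that "exists" but is not "readable regarding to permissions". Either `chown 1000:1000` the mounted files or run the container with a matching `user:`. The `cert_matches_key` check catches the other common mistake with .pfx exports, pairing a leaf certificate with a key from a different export.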