Can't reload SSL certs via API

reshippie · May 24, 2023, 8:17pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch 2.2.0

Describe the issue:
using curl to hit the API endpoints for reloading certs returns a 400 error. This is for both HTTP _opendistro/_security/api/ssl/http/reloadcerts and Transport _opendistro/_security/api/ssl/transport/reloadcerts

I get a 403 when I try and download the certs via API _plugins/_security/api/ssl/certs. but SSL is working. I can see the correct certificate when I connect to the HTTPS endpoint.

Relevant Logs or Screenshots:

{"error":"no handler found for uri [/_opendistro/_security/api/ssl/http/reloadcerts] and method [PUT]"}%

reshippie · May 24, 2023, 9:20pm

I discovered that there’s a config flag that needs to be in opensearch.yml to allow the reload endpoints:

plugins.security.ssl_cert_reload_enabled: true

So I’m not getting 400 errors anymore, just 403. I have tried it with an LDAP user, that is configured to be part of a group with admin privs, as well as the root user itself. Both users get 403 Forbidden.

I assume there’s another setting I need someplace.

reshippie · May 24, 2023, 10:09pm

The solution was to use the admin certificate, that we otherwise only use with securityadmin.sh to authenticate, not use an LDAP user.

I also noticed that there is PR for performing these actions via authenticated user, but it is currently pending a security review.

jbh · June 15, 2023, 5:08pm

You are a legend, thanks for posting this. I’ve been in a missing documentation hole

ErtugrulSert · August 1, 2023, 10:55am

[sysadm@node1 ~]$ curl -XGET -k -u admin:admin ‘https://localhost:9200/_plugins/_security/api/ssl/certs’
{“status”:“FORBIDDEN”,“message”:“”}

I am also having forbidden and plugins.security.ssl_cert_reload_enabled: true is already in opensearch.yml. How can I force to use adm certs @reshippie ?

reshippie · August 1, 2023, 4:59pm

instead of using -u admin:admin use -E PATH_TO_YOUR_ADMIN_CERTIFICATE