Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.2.0
Describe the issue:
Using curl to hit the API endpoints for reloading certs returns a 400 error. This is for both HTTP (_opendistro/_security/api/ssl/http/reloadcerts) and Transport (_opendistro/_security/api/ssl/transport/reloadcerts).
I get a 403 when I try and download the certs via API (_plugins/_security/api/ssl/certs), but SSL is working. I can see the correct certificate when I connect to the HTTPS endpoint.
Relevant Logs or Screenshots:
{"error":"no handler found for uri [/_opendistro/_security/api/ssl/http/reloadcerts] and method [PUT]"}
I discovered that there’s a config flag that needs to be in opensearch.yml to allow the reload endpoints:
plugins.security.ssl_cert_reload_enabled: true
So I’m not getting 400 errors anymore, just 403. I have tried it with an LDAP user that is configured to be part of a group with admin privs, as well as the root user itself. Both users get 403 Forbidden.
I assume there’s another setting I need someplace.
The solution was to use the admin certificate, that we otherwise only use with securityadmin.sh, to authenticate, not an LDAP user.
I also noticed that there is a PR for performing these actions via an authenticated user, but it is currently pending a security review.
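Putting the two findings from the post together (the opensearch.yml flag, then authenticating with the admin client certificate instead of an LDAP user), here is an added shell example that is not part of the original post or the OpenSearch project. It checks that the reload flag is present, issues the PUT to both reload endpoints with the admin certificate, and maps the 400 and 403 responses back to the two causes described above. The host name, the certificate paths and the opensearch.yml path are hypothetical placeholders; the _plugins/_security prefix is the OpenSearch one, and the legacy _opendistro/_security prefix used in the post is accepted too.

```shell
#!/bin/sh
# Added example (not code from the original post or the OpenSearch project):
# reload the HTTP and transport TLS certificates by authenticating with the
# admin client certificate, as the post concludes is required.
# Host and certificate paths below are hypothetical placeholders.

OS_HOST="${OS_HOST:-https://localhost:9200}"
ADMIN_CERT="${ADMIN_CERT:-/etc/opensearch/admin.pem}"          # placeholder path
ADMIN_KEY="${ADMIN_KEY:-/etc/opensearch/admin-key.pem}"        # placeholder path
CA_CERT="${CA_CERT:-/etc/opensearch/root-ca.pem}"              # placeholder path
OPENSEARCH_YML="${OPENSEARCH_YML:-/etc/opensearch/opensearch.yml}"

# Returns 0 when the given opensearch.yml enables the reload endpoints (the
# flag from the post). Without it the API answers "no handler found" / HTTP 400.
reload_flag_enabled() {
  grep -Eq '^[[:space:]]*plugins\.security\.ssl_cert_reload_enabled:[[:space:]]*true([[:space:]]|$)' "$1"
}

# Sends PUT to the reload endpoint for "$1" (http or transport) using the
# admin certificate and prints only the HTTP status code. The legacy
# _opendistro/_security prefix from the post works as well on OpenSearch.
reload_certs() {
  curl -sS -o /dev/null -w '%{http_code}' -X PUT \
    --cacert "$CA_CERT" --cert "$ADMIN_CERT" --key "$ADMIN_KEY" \
    "$OS_HOST/_plugins/_security/api/ssl/$1/reloadcerts"
}

# Maps a status code to the two failure modes seen in the post.
explain_status() {
  case "$1" in
    200) echo "ok: certificates reloaded" ;;
    400) echo "400: reload endpoints disabled; set plugins.security.ssl_cert_reload_enabled: true in opensearch.yml and restart" ;;
    403) echo "403: caller is not the admin certificate identity; use the certificate securityadmin.sh authenticates with" ;;
    *)   echo "unexpected HTTP status $1" ;;
  esac
}

# Run with "run" as the first argument to perform the reload against OS_HOST.
if [ "${1:-}" = "run" ]; then
  if ! reload_flag_enabled "$OPENSEARCH_YML"; then
    explain_status 400
    exit 1
  fi
  for layer in http transport; do
    status=$(reload_certs "$layer")
    echo "$layer: $(explain_status "$status")"
  done
fi
```

The flag check is deliberately done before any request is sent: a 400 from the reload route looks like a generic bad request, while the real cause is that the route is not registered until the flag is set and the node restarted. A 403 with the flag enabled means the identity presented was not the admin certificate, which is exactly what an LDAP user with admin roles runs into in the post.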