Certificate configuration Error

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
I am running opensearch 2.5.0 on Ubuntu 20.04.5 LTS. I tested my installation and everything worked fine when using self signed certificates.

Describe the issue:
In order for other members of my organisation to access the opensearch server the node certificate has to be signed by our root CA as well as the admin certificate. I do not have access to the root CA .pem file. I have the node and admin .pem files, which contain the entire certificate chain e.g.:

# common name
-----BEGIN CERT-----
-----END CERT-----
-----BEGIN CERT-----
-----END CERT-----
-----BEGIN CERT-----
-----END CERT-----

I picked the last cert and set it as

plugins.security.ssl.transport.pemtrustedcas_filepath

but now I get this error when running securityadmin.sh that I can't seem to resolve:

Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication

I think that error is quite evident but since I am not the CA I can’t just put TLS client auth onto the root certificate.

Configuration:
opensearch.yml:

plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: <last_cert_from_chain>.pem

securityadmin command:

./securityadmin.sh -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/<last_cert_from_chain>.pem -cert /etc/opensearch/opensearch_admin.pem -key /etc/opensearch/admin-key.pem -icl -nhnv

Hey @Spagedicode

Your certificate must either be marked as having both clientAuth and serverAuth extended key usage, or not have that extension included at all. Your CA has made the choice to fill in the extended key usage extension with "serverAuth"; they can either put both "serverAuth" and "clientAuth" in there, or take the simpler option and not fill in that extension at all.

Hey @Gsmitt,

I am not sure I quite understand which certificate you are referring to. Here is some more information.

**Root cert X509v3 extensions:**

        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                foo:bar:foo:bar:foo:bar
            
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113995.2.1.1
                  CPS: https://....

**Admin cert X509v3 extensions:**

        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment

            X509v3 Extended Key Usage:
                TLS Web Server Authentication

**Node cert X509v3 extensions:**

        X509v3 extensions:
          
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            1.3.6.1.4.1

I omitted some of the extensions since I did not deem them important, but if I left something important out please tell me and I will add it.

Hey @Spagedicode

Your node cert…

This might be why OpenSearch is complaining. As for fixing it, I really don't know, but this demo here helped me out on what I needed.

As for securityadmin.sh, this is what I did. Using -h helped resolve some issues I had:

./securityadmin.sh -h opensearch.domain.com  -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/admin.pem -key /etc/opensearch/admin-key.pem -icl -nhnv

Hi @Spagedicode!

Only the Node Certificates need both: clientAuth and serverAuth.
(So, based on the latest details you’ve shared, your Nodes Certs should be OK.)

However, the Admin Certificate should be a Client Certificate - therefore, it needs clientAuth, but currently has serverAuth.

Please try using a Client-Cert for your Admin Certificate.
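The rule from this reply and from @Gsmitt's earlier one, turned into a quick check you can run before calling securityadmin.sh. This is an added example, not code from the thread or from OpenSearch; it assumes the openssl CLI is installed, and the file names are placeholders.

```shell
#!/bin/sh
# Added example: check the Extended Key Usage (EKU) of the PEM certificates
# OpenSearch is given. Node/transport certs need both serverAuth and clientAuth,
# the admin cert needs clientAuth, and a cert with no EKU extension at all is
# acceptable for either role. Assumes the openssl CLI is on PATH.

# eku_of FILE: print the EKU value line of a PEM certificate, or nothing if absent.
eku_of() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# check_eku ROLE FILE: ROLE is "node" or "admin". Returns 0 when the EKU permits
# that use, 1 when it does not (the admin cert in this thread fails the "admin"
# rule), 2 on an unknown role.
check_eku() {
    role=$1; cert=$2
    eku=$(eku_of "$cert")
    subj=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null)
    if [ -z "$eku" ]; then
        echo "$cert ($subj): no EKU extension, usable as $role"; return 0
    fi
    case "$eku" in *"TLS Web Client Authentication"*) client=1 ;; *) client=0 ;; esac
    case "$eku" in *"TLS Web Server Authentication"*) server=1 ;; *) server=0 ;; esac
    case "$role" in
        node)  ok=$((client && server)) ;;
        admin) ok=$client ;;
        *)     echo "unknown role '$role'" >&2; return 2 ;;
    esac
    if [ "$ok" -eq 1 ]; then
        echo "$cert ($subj): OK for $role: $eku"; return 0
    fi
    echo "$cert ($subj): EKU '$eku' does not permit use as $role" >&2
    return 1
}

# split_chain CHAIN.pem OUTDIR: write each certificate of a concatenated PEM file
# to OUTDIR/cert01.pem, cert02.pem, ... so each one can be inspected on its own.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n); inc = 1 }
        inc { print > f }
        /-----END CERTIFICATE-----/ { close(f); inc = 0 }' "$1"
}

# Usage (file names are placeholders):
#   check_eku admin /etc/opensearch/opensearch_admin.pem
#   check_eku node  /etc/opensearch/node1.pem
```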

Thank you everyone, I was able to resolve it just like you told me.
Now both my node and client certificate have the following extended key usage.

X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication