Error self-signed certificate

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
FROM opensearchproject/opensearch:2.14.0
FROM opensearchproject/opensearch-dashboards:2.14.0

Describe the issue:
I’m trying to configure a TLS/SSL certificate on the HTTP and REST layer of OpenSearch + Dashboards in a single-node configuration, but it keeps sending me this error:

{"type":"log","@timestamp":"2024-06-12T11:20:04Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: self-signed certificate"}
{"type":"log","@timestamp":"2024-06-12T11:20:06Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: self-signed certificate"}

Configuration:
compose file

---
# Compose file for a single-node OpenSearch + Dashboards stack. Both services are
# built from the local Dockerfiles quoted below rather than run straight from the
# registry images.
version: '3'
services:
  opensearch-node:
    build:
      context: .
      dockerfile: ./node-compose
    container_name: opensearch-node
    ports:
      # REST/HTTPS endpoint, published on the host.
      - 9200:9200
    environment:
      - discovery.type=single-node
      # Demo certificates and demo users are not installed; certificates and
      # opensearch.yml come from the node-compose Dockerfile instead.
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
      # NOTE(review): with the demo config disabled this value is presumably not
      # consumed at all (it is read by the demo installer) — confirm. Either way a
      # weak, checked-in value like this should be replaced before the file is shared.
      - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=admin"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      # Persist index data across container restarts.
      - opensearch-data:/usr/share/opensearch/data
    networks:
      - opensearch-net
  opensearch-dashboard:
    build:
      context: .
      dockerfile: ./dashboards-compose
    container_name: opensearch-dashboard
    ports:
      # Dashboards UI; served over HTTPS per server.ssl.enabled in the dashboards yml.
      - 5601:5601
    networks:
      - opensearch-net
volumes:
  opensearch-data:
networks:
  opensearch-net:

node compose

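# syntax=docker/dockerfile:1
FROM opensearchproject/opensearch:2.14.0

# COPY instead of ADD: these are plain local files, so ADD's archive extraction and
# URL fetching are not wanted (hadolint DL3020). Ownership and mode are applied on the
# COPY itself, which replaces the six separate chown/chmod RUN layers of the original.
# NOTE(review): anything copied into an image layer is readable by everyone who can
# pull the image. node-key.pem is needed by the running node, but admin-key.pem is
# only needed if securityadmin.sh is run from inside this container; prefer mounting
# private keys at run time (compose `volumes:` / `secrets:`) and keeping the admin
# key off the node image entirely.
COPY --chown=1000:1000 --chmod=600 \
    ./certs/root-ca.pem \
    ./certs/node.pem \
    ./certs/node-key.pem \
    ./certs/admin.pem \
    ./certs/admin-key.pem \
    /usr/share/opensearch/config/
# COPY custom-security-config.yml /usr/share/opensearch/opensearch-security/config.yml
# COPY custom_roles_mapping.yml /usr/share/opensearch/opensearch-security/roles_mapping.yml
COPY --chown=1000:1000 --chmod=600 custom-opensearch.yml /usr/share/opensearch/config/opensearch.yml

# The base image's own files under config/ must also belong to uid 1000 (the
# opensearch user), and the directory is restricted to that user only. A single RUN
# keeps this to one extra layer.
USER root
RUN chown -R 1000:1000 /usr/share/opensearch/config/ \
    && chmod 0700 /usr/share/opensearch/config/
USER opensearch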

opensearch.yml

---
# Node configuration that the node-compose Dockerfile installs as opensearch.yml.
network.host: 0.0.0.0
bootstrap.memory_lock: true

plugins.security.disabled: false

# Transport (node-to-node) layer: node certificate, its key and the CA that signed
# it. The paths appear to be relative to the config directory the Dockerfile copies
# the PEM files into.
plugins.security.ssl.transport.pemcert_filepath: node.pem
plugins.security.ssl.transport.pemkey_filepath: node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem

# HTTP (REST) layer uses the same certificate. Clients such as Dashboards must be
# given this same root-ca.pem (opensearch.ssl.certificateAuthorities in the
# dashboards yml) or they will not trust node.pem.
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node.pem
plugins.security.ssl.http.pemkey_filepath: node-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem

# Demo certificates are refused. The DNs below are redacted in this post; they should
# match the subjects of admin.pem and node.pem as printed by the
# `openssl x509 -subject -nameopt RFC2253` commands later in the thread.
plugins.security.allow_unsafe_democertificates: false
plugins.security.authcz.admin_dn:
  - '########'
plugins.security.nodes_dn:
  - '########'
# Presumably why a user added to the security plugin's yml files takes effect without
# running securityadmin.sh, as stated later in the thread — confirm.
plugins.security.allow_default_init_securityindex: true
# plugins.security.http.compression: true
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]

dashboard-compose

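# syntax=docker/dockerfile:1
FROM opensearchproject/opensearch-dashboards:2.14.0

# COPY instead of ADD for plain local files (hadolint DL3020).
# root-ca.pem must be the CA that signed the node certificate; a CA that does not
# vouch for node.pem is what typically produces the "self-signed certificate" error
# from the Node.js client when Dashboards connects to opensearch-node.
COPY --chown=1000:1000 ./certs/root-ca.pem /usr/share/opensearch-dashboards/config/root-ca.pem
COPY --chown=1000:1000 ./certs/dashboard.pem /usr/share/opensearch-dashboards/config/dashboard.pem
# The original left the key at ADD's default 0644, i.e. world-readable inside the
# container; restrict it to the owning user as the node Dockerfile does for its keys.
# NOTE(review): a private key copied into an image layer is readable by anyone who
# can pull the image; mounting it at run time is the safer option.
COPY --chown=1000:1000 --chmod=600 ./certs/dashboard-key.pem /usr/share/opensearch-dashboards/config/dashboard-key.pem
# NOTE(review): this file carries opensearch.password in plaintext, so it is a secret
# too and ends up in an image layer; consider mounting it at run time instead.
COPY --chown=1000:1000 custom_opensearch_dashboards.yml /usr/share/opensearch-dashboards/config/opensearch_dashboards.yml

# Files already present in the base image's config/ also need to belong to uid 1000.
USER root
RUN chown -R 1000:1000 /usr/share/opensearch-dashboards/config
USER opensearch-dashboards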

opensearch-dashboard.yml

---
# Dashboards configuration installed by dashboards-compose as opensearch_dashboards.yml.
# "dashboards" is not a default user; it has to be created in the security plugin's
# internal_users.yml (or the default kibanaserver user used instead), as noted later
# in the thread.
opensearch.username: dashboards
# Redacted in the post. NOTE(review): this file is copied into the image, so the real
# value ends up in plaintext in an image layer.
opensearch.password: *********
server.host: '0.0.0.0'
opensearch.hosts: ["https://opensearch-node:9200"]

# HTTPS for the browser-facing UI.
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/dashboard.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/dashboard-key.pem
# "certificate" checks the chain against the CA below but not the hostname, so the
# hostname/SAN of node.pem does not matter here; the CA must be the one that signed
# node.pem.
opensearch.ssl.verificationMode: certificate
opensearch.ssl.certificateAuthorities: ["/usr/share/opensearch-dashboards/config/root-ca.pem"]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: true

and I generated the cert & key following the official doc.

Relevant Logs or Screenshots:

{"type":"log","@timestamp":"2024-06-12T11:20:04Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: self-signed certificate"}
{"type":"log","@timestamp":"2024-06-12T11:20:06Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: self-signed certificate"}

Hi @Hogo1 ,

I have noticed that you missed a few lines in your configs. It would be good to add them.

  1. If you use multitenancy, you need to add the following lines in your opensearch-dashboard.yml
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
  2. Please open port 9300 too in your opensearch-node container.

HI, thanks for reply
Here is the new configuration, but I’m not sure that will fix the self-signed certificate error.

container-compose.yml

---
# Revised compose file: identical to the first one apart from publishing 9300.
version: '3'
services:
  opensearch-node:
    build:
      context: .
      dockerfile: ./node-compose
    container_name: opensearch-node
    ports:
      # REST/HTTPS endpoint, published on the host.
      - 9200:9200
      # Transport port, added on the advice above. NOTE(review): in a single-node
      # setup nothing outside the container presumably needs to reach it; publishing
      # it to the host only widens exposure and does not affect the Dashboards →
      # 9200 connection that produces the error — confirm before keeping it.
      - 9300:9300
    environment:
      - discovery.type=single-node
      # Demo certificates and demo users are not installed; certificates and
      # opensearch.yml come from the node-compose Dockerfile instead.
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
      # NOTE(review): with the demo config disabled this value is presumably not
      # consumed at all (it is read by the demo installer) — confirm. Either way a
      # weak, checked-in value like this should be replaced before the file is shared.
      - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=admin"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      # Persist index data across container restarts.
      - opensearch-data:/usr/share/opensearch/data
    networks:
      - opensearch-net
  opensearch-dashboard:
    build:
      context: .
      dockerfile: ./dashboards-compose
    container_name: opensearch-dashboard
    ports:
      # Dashboards UI; served over HTTPS per server.ssl.enabled in the dashboards yml.
      - 5601:5601
    networks:
      - opensearch-net
volumes:
  opensearch-data:
networks:
  opensearch-net:

custom_opensearch_dashboards.yml

---
# Revised Dashboards configuration (installed as opensearch_dashboards.yml).
# HTTPS for the browser-facing UI.
server.host: '0.0.0.0'
server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/dashboard.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/dashboard-key.pem

opensearch.hosts: ["https://opensearch-node:9200"]
# Not a default user; it must exist in the security plugin's internal_users.yml
# (or use the default kibanaserver user), as noted later in the thread.
opensearch.username: dashboards
# Redacted in the post. NOTE(review): as literally written YAML would treat the
# `#…` after the colon as a comment and read the value as null — presumably the real
# file differs. The file is copied into the image, so the real password ends up in
# plaintext in an image layer.
opensearch.password: ##################
# "certificate" checks the chain against the CA below but not the hostname; the CA
# must be the one that signed node.pem.
opensearch.ssl.verificationMode: certificate
opensearch.ssl.certificateAuthorities: ["/usr/share/opensearch-dashboards/config/root-ca.pem"]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
# Added on the advice above: the securitytenant and Authorization headers have to be
# forwarded for multitenancy to work.
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.cookie.secure: true

@Hogo1,

Please make sure that you use the root CA of the OpenSearch node in the opensearch.ssl.certificateAuthorities configuration.

In the opensearch-dashboards.yml file, there is a parameter:

opensearch.username: dashboards

This is not a default user. You need to create this user in the config.yml file or use the default kibanaserver user.

Yes, I used only one root CA in this configuration,
and do I need to create the user in the config file opensearch.yml or in internal_users.yml?

Hi @Hogo1 ,

You can add a new user to the internal_users.yml file. You can find more information about that in the following documentation:

I have just tested it in my lab. It works after adding a new user to the config file.

Hi,
I tried reloading the internal users with securityadmin.sh after modifying the file, but it kept sending me the same error.

According to the tests in my lab, a new user will be added without needing to execute the securityadmin.sh tool in Docker.

Have you tried using demo certificates? Did you use the following documentation to generate your certificates?

I tried both the demo certificates and self-signed certificates generated per the official doc:

# Certificate generation as posted (adapted from the OpenSearch docs): one self-signed
# root CA signs the admin, node and dashboard certificates. The `sudo` prefixes are
# not needed for files in the current directory and leave every key root-owned; they
# are kept here as the author wrote them.
sudo openssl genrsa -out root-ca-key.pem 4096
# NOTE(review): `-subj` carries no value on this line (presumably lost in redaction).
# As written, openssl would take "-out" as the subject and then reject root-ca.pem as
# an extra argument, so confirm the real command had a subject such as
# -subj "/CN=<root-ca-cn>" (placeholder).
sudo openssl req -new -x509 -sha256 -key root-ca-key.pem -subj  -out root-ca.pem -days 358000

# Admin (securityadmin.sh client) certificate. The key is rewritten as unencrypted
# PKCS#8, presumably the format the security plugin expects; with -nocrypt the
# `-v1 PBE-SHA1-3DES` option appears to have no effect. No -subj here, so openssl
# prompts for the subject interactively; that DN is what goes into
# plugins.security.authcz.admin_dn.
sudo openssl genrsa -out admin-key-temp.pem 4096
sudo openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
sudo openssl req -new -key admin-key.pem -addext "extendedKeyUsage = serverAuth, clientAuth" -out admin.csr
# NOTE(review): `openssl x509 -req` does not carry CSR extensions into the signed
# certificate unless asked to (`-copy_extensions copy` on OpenSSL 3), so the
# extendedKeyUsage requested above may be absent from admin.pem — verify with -text.
# -days 358000 is roughly 980 years; a realistic validity period is advisable.
sudo openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 358000

# Node certificate, used on both the transport and HTTP layers in opensearch.yml; its
# DN goes into plugins.security.nodes_dn. No subjectAltName is requested, which only
# matters to clients that verify the hostname (Dashboards uses verificationMode
# "certificate", which does not).
sudo openssl genrsa -out node-key-temp.pem 4096
sudo openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem
sudo openssl req -new -key node-key.pem -addext "extendedKeyUsage = serverAuth, clientAuth" -out node.csr
sudo openssl x509 -req -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem -days 358000

# Dashboards server certificate (server.ssl.certificate / server.ssl.key in the
# dashboards yml).
sudo openssl genrsa -out dashboard-key-temp.pem 4096
sudo openssl pkcs8 -inform PEM -outform PEM -in dashboard-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out dashboard-key.pem
sudo openssl req -new -key dashboard-key.pem -addext "extendedKeyUsage = serverAuth, clientAuth" -out dashboard.csr
sudo openssl x509 -req -in dashboard.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out dashboard.pem -days 358000

# Print each subject in RFC 2253 form, the format used for admin_dn / nodes_dn in
# opensearch.yml (admin.pem is printed without -text here, unlike the others).
sudo openssl x509 -subject -nameopt RFC2253 -noout -in root-ca.pem -text
sudo openssl x509 -subject -nameopt RFC2253 -noout -in node.pem -text
sudo openssl x509 -subject -nameopt RFC2253 -noout -in admin.pem
sudo openssl x509 -subject -nameopt RFC2253 -noout -in dashboard.pem -text

# Cleanup: removes the temporary unconverted keys and the CSRs. None of the commands
# above write *ext files, so that glob matches nothing here. root-ca-key.pem is
# deliberately kept — it is the CA signing key and should be stored offline, not
# copied into any image.
sudo rm -f *temp.pem *csr *ext

Hi @Hogo1 ,

I compared your configurations with the out-of-the-box configurations for the Docker container.

I think you have missed a few configurations.
Please try adding to the opensearch.yml the following lines:

plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

Also, please add the following parameters to the opensearch-dashboards.yml file:

opensearch.ssl.certificate
opensearch.ssl.key

You can find the description for each of these parameters in the GitHub: