Error with a Let's Encrypt cert

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch version: 2.15.0
OS version: Ubuntu 22.04.01
Install method: deb

Describe the issue:
I am an extreme noob when it comes to tls. I’m trying to set up a multi-node cluster using Let’s Encrypt certs. I have a domain that I use for in-house development. I created the first cert using:

sudo certbot certonly --manual --preferred-challenges dns -d giggles.drake.rip

This generates 4 files:

  • cert1.pem
  • privkey1.pem
  • chain1.pem
  • fullchain1.pem

I copied the files to the Opensearch server into /etc/opensearch/certs and ran a chown on all of them to make them owned by the user “opensearch”. I edited my opensearch.yml file to the below and restarted opensearch. I tried running the following curl command:

curl -XGET -u 'admin:<Password>' 'https://giggles.drake.rip:9200'

And I get the error:

curl: (60) SSL certificate problem: unable to get local issuer certificate

Can someone tell me what I’m missing? Like I said, I’m new to this so I figure it’s got to be simple.

Thanks!

Configuration:
/etc/opensearch.yml:

cluster.name: my-app
node.name: giggles
node.roles: ["master", "data"]
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
network.host: 192.168.23.90
discovery.seed_hosts: ["192.168.23.90"]
cluster.initial_cluster_manager_nodes: ["giggles"]

######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/certs/cert1.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/certs/privkey1.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/certs/fullchain1.pem
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/certs/cert1.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/certs/privkey1.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/certs/fullchain1.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
  .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
  .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
  .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
  .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
  .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
  .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
  .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
  .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
  .plugins-flow-framework-state]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########

hey @thedraketaylor

A couple of questions: the certificates should match.

plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']

also did you configure OpenSearch dashboard with the same certificates?

Hi @Gsmitt ,

In this case I’ve not installed dashboards yet. I just ran the curl command from another machine. I’ve stopped the firewall on the Opensearch server to take that out of the equation.

@thedraketaylor There are a couple of things to keep in mind when working with certificates in OpenSearch.

OpenSearch needs to know which certificates are “node” certificates, which does not seem to be listed in your opensearch.yml file; see further details in configuring-node-certificates

Once this is complete, you should ensure that the certificates are indeed configured correctly, as both clientAuth and serverAuth. For example, you can have a look at the demo certificates which are generated using install_demo_configuration.sh (located in …/opensearch/plugins/opensearch-security/tools/)
You can use command line tools like openssl with the command below to view the certificate internals:

openssl x509 -in <cert> -text -noout
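
An added check script, not from this thread or the OpenSearch project, that applies the openssl inspection above to what OpenSearch needs from a Let's Encrypt node certificate: both EKUs, a SAN for the node hostname, and whether the file carries the intermediate. cert1.pem holds only the leaf while fullchain1.pem holds leaf plus chain, and a server that presents the leaf alone is a common cause of curl's "unable to get local issuer certificate". The hostname and paths are the ones from the question; the function names are my own.

```shell
#!/bin/sh
# Added example: inspect a Let's Encrypt PEM file for an OpenSearch node.
# Function names are my own; paths/hostname below are the ones from the thread.

# Number of certificates in a PEM file. 1 means "leaf only" (cert1.pem);
# fullchain1.pem carries the leaf plus the Let's Encrypt intermediate.
pem_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# True when the decoded SAN list in $1 contains exactly "DNS:$2".
san_has_host() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Check the decoded text of one certificate (output of
# `openssl x509 -in <cert> -text -noout`, $1) for node hostname $2.
# Prints one finding per line and returns 1 if anything is missing.
check_cert_text() {
    text=$1; host=$2; rc=0
    case "$text" in *"TLS Web Server Authentication"*) ;;
        *) echo "MISSING extendedKeyUsage serverAuth"; rc=1 ;;
    esac
    case "$text" in *"TLS Web Client Authentication"*) ;;
        *) echo "MISSING extendedKeyUsage clientAuth (transport/node cert needs it)"; rc=1 ;;
    esac
    san_has_host "$text" "$host" ||
        { echo "MISSING subjectAltName DNS:$host (hostname verification will fail)"; rc=1; }
    return $rc
}

# Decode a PEM file with openssl and run the checks; also print the subject DN,
# which is the value plugins.security.nodes_dn expects for a node certificate.
check_cert_file() {
    file=$1; host=$2
    n=$(pem_cert_count "$file")
    [ "$n" -gt 1 ] || echo "NOTE: $file holds only $n certificate; serve the full chain" \
        "(fullchain1.pem) or clients report 'unable to get local issuer certificate'"
    openssl x509 -in "$file" -noout -subject
    check_cert_text "$(openssl x509 -in "$file" -text -noout)" "$host"
}

# Usage with the files from the question:
# check_cert_file /etc/opensearch/certs/cert1.pem giggles.drake.rip
```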

@Anthony ,

Thanks! I’ve got some time this weekend I’ll look into this.