Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.12
Describe the issue:
I am attempting to issue certificates for http/REST primarily (although I’m also experimenting with transport, without any luck either) from our internal Windows CA, and having issues. The template allows for Client Auth and Server Auth. The key is RSA 2048 with SHA256. The DN matches what’s configured with plugins.security.nodes_dn.
When I start OpenSearch, it immediately fails with the logs copied below.
Redacted output of openssl x509 -noout -text -in osc01n01-signed.pem:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7f:00:00:05:31:27:71:43:7c:f1:93:12:eb:00:00:00:00:05:31
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: {INTERMEDIATE CA}
        Validity
            Not Before: Feb 23 14:45:55 2024 GMT
            Not After : Nov 1 14:16:32 2026 GMT
        Subject: {MATCHES plugins.security.nodes_dn}
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    {REMOVED}
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.7:
                0/.'+.....7...../...........[...n.........>..d...
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.10:
                0.0
                ..+.......0
                ..+.......
            X509v3 Subject Key Identifier:
                98:CA:8D:F6:E9:B7:93:E2:1E:EF:F7:14:B2:08:C6:DC:17:D7:D7:40
            X509v3 Subject Alternative Name:
                DNS:{SAME DNS NAME}
            X509v3 Authority Key Identifier:
                60:14:10:15:08:BF:FE:9D:FB:AE:94:FB:25:7C:58:9E:92:18:BD:9C
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///{LDAP PATH}?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://{WEB PATH}
                  URI:http://{WEB PATH}
            Authority Information Access:
                CA Issuers - URI:ldap:///{LDAP PATH}
                CA Issuers - URI:http://{WEB PATH}
    Signature Algorithm: sha256WithRSAEncryption
COMBINED-CA-SELFSIGNED.pem was created by combining the intermediate, root, and the original self-signed CA’s pem files, the same as was done in this thread.
I’ve also tried this with just the intermediate CA, just the root CA, and just the intermediate and root CAs. No luck with any of them.
Configuration:
opensearch.yml snippet containing the certificate information
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/osc01n01-signed.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/osc01n01-signed-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/COMBINED-CA-SELFSIGNED.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/osc01n01-signed.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/osc01n01-signed-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/COMBINED-CA-SELFSIGNED.pem
Relevant Logs or Screenshots:
java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
Caused by: java.lang.reflect.InvocationTargetException
Caused by: org.opensearch.OpenSearchSecurityException: Error while initializing transport SSL layer from PEM: javax.net.ssl.SSLException: failed to initialize the server-side SSL context
Caused by: javax.net.ssl.SSLException: failed to initialize the server-side SSL context
Caused by: java.security.KeyStoreException: Certificate chain is not valid
I appreciate your help on this!
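As an added example (not part of the original post, and not OpenSearch's own code), the following shell script uses openssl to build a throwaway root -> intermediate -> node certificate chain and then runs `openssl verify` against the same kinds of trust bundles the post describes: intermediate plus root, intermediate only, and root only, with and without the intermediate supplied alongside the node certificate. It also compares the node certificate's issuer DN with the CA's subject DN, which is a quick way to confirm the bundle actually contains the issuing CA. All file names, DNs and the DNS name are constructed test values and the script never touches the poster's files.

```shell
#!/bin/sh
# Added example, not from the forum post: build a throwaway root -> intermediate -> leaf
# chain with openssl and show which trust bundles let the leaf verify. All names,
# paths and the node DNS name below are constructed test values.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal request config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the intermediate CA and for the node (leaf) certificate. The leaf
# mirrors what the post's dump shows: serverAuth + clientAuth EKU and a DNS SAN.
cat > int.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:osc01n01.example.test
EOF

# Self-signed root CA (constructed).
openssl req -config req.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes -sha256 \
  -days 2 -subj "/CN=Example Test Root CA" -keyout root.key -out root.pem 2>/dev/null
# Intermediate CA issued by the root (constructed).
openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Test Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile int.ext -out int.pem 2>/dev/null
# Node certificate issued by the intermediate (plays the role of osc01n01-signed.pem).
openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=osc01n01.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Candidate trust bundles, i.e. what would go in pemtrustedcas_filepath.
cp root.pem bundle-root-only.pem
cp int.pem bundle-int-only.pem
cat int.pem root.pem > bundle-combined.pem

# verify_chain BUNDLE LEAF [UNTRUSTED_CHAIN]
# Returns 0 when openssl can build a chain from LEAF to a self-signed CA in BUNDLE,
# optionally using UNTRUSTED_CHAIN (e.g. the intermediate) as a non-trusted link.
verify_chain() {
  status=0
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || status=$?
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || status=$?
  fi
  printf '%s + %s%s -> %s\n' "$1" "$2" "${3:+ (untrusted: $3)}" "$out"
  return "$status"
}

# issued_by LEAF CA: 0 when LEAF's issuer DN equals CA's subject DN, a quick check that
# the CA you put in the bundle is the one that actually signed the node certificate.
issued_by() {
  issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
  subject=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=//')
  [ "$issuer" = "$subject" ]
}

# Walk through the combinations the post describes; failures are printed, not fatal.
for b in bundle-combined.pem bundle-int-only.pem bundle-root-only.pem; do
  verify_chain "$b" leaf.pem || true
done
verify_chain bundle-root-only.pem leaf.pem int.pem || true
issued_by leaf.pem int.pem && echo "leaf issuer matches intermediate subject"
issued_by leaf.pem root.pem || echo "leaf issuer does not match root subject"
```

Run it with `sh`. By default `openssl verify` only succeeds when the chain reaches a self-signed certificate in `-CAfile` (`-partial_chain` relaxes that), and a node certificate issued by an intermediate can only be validated when the intermediate is available either in the trust bundle or alongside the leaf. Running the same `verify_chain` and `issued_by` checks against the real osc01n01-signed.pem and COMBINED-CA-SELFSIGNED.pem shows whether the bundle actually contains the issuing CA before any OpenSearch settings are examined.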