Failing with read permission on certificates

I’m working with: OpenSearch 2.11.1 / FreeBSD 14.0-RELEASE-p3 / Safari 17.2.1

I can’t get OpenSearch to keep running. It starts, but complains about certs. I’m hoping someone can point to a simple configuration which works. The docs are great about explaining what a given item is for, but simple working examples are missing.

My configuration is:

[root@graylog /usr/local/etc/opensearch]# grep -v '^#' opensearch.yml
cluster.name: graylog
node.name: graylog-1
path.data: /var/db/opensearch
path.logs: /var/log/opensearch
network.host: 127.55.0.78
discovery.seed_hosts: ["127.55.0.78"]
cluster.initial_cluster_manager_nodes: ["graylog-1"]

plugins.security.ssl.transport.pemcert_filepath:        cert.pem
plugins.security.ssl.transport.server.pemcert_filepath: /usr/local/etc/ssl/graylog.int.unixathome.org.crt
plugins.security.ssl.transport.client.pemcert_filepath: /usr/local/etc/ssl/graylog.int.unixathome.org.crt

plugins.security.ssl.transport.pemkey_filepath:         /usr/local/etc/ssl/graylog.int.unixathome.org.key

The main error message, as found below, is:

That error is interesting. Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/local/etc/ssl/graylog.int.unixathome.org.key" "read")

Which confuses me, because I’ve made it shockingly readable (for diagnosing this problem). Can you see any read issue here?

If you have a working configuration for certificates which allows OpenSearch to just run, I can expand it from there. So far, this has been a few hours of searching, trying, and failing.

Thank you.

[root@graylog ~]# ls -l /usr/local/etc/ssl/graylog.int.unixathome.org.key
-r--r--r--  1 opensearch opensearch 3244 Jan 21 13:32 /usr/local/etc/ssl/graylog.int.unixathome.org.key
[root@graylog ~]# ls -ld /usr/local/etc/ssl
drwxr-xr-x  2 root wheel 8 Jan 21 13:32 /usr/local/etc/ssl
[root@graylog ~]# ls -ld /usr/local/etc
drwxr-xr-x  18 root wheel 38 Jan 20 22:21 /usr/local/etc
[root@graylog ~]# ls -ld /usr/local
drwxr-xr-x  14 root wheel 14 Jan 20 21:31 /usr/local
[root@graylog ~]# ls -ld /usr
drwxr-xr-x  15 root wheel 15 Jan 20 20:24 /usr
[root@graylog ~]#

It makes me wonder if the issue is actually something else and not a read issue.

More logs:

[2024-01-21T20:15:58,149][INFO ][o.o.n.Node               ] [graylog-1] version[2.11.1], pid[19412], build[tar/6b1986e964d440be9137eba1413015c31c5a7752/2023-11-29T21:43:10.135035992Z], OS[FreeBSD/14.0-RELEASE-p3/amd64], JVM[OpenJDK BSD Porting Team/OpenJDK 64-Bit Server VM/17.0.9/17.0.9+9-1]
[2024-01-21T20:15:58,152][INFO ][o.o.n.Node               ] [graylog-1] JVM home [/usr/local/openjdk17], using bundled JDK/JRE [false]
[2024-01-21T20:15:58,152][INFO ][o.o.n.Node               ] [graylog-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-9333907957803551447, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/tmp/opensearch-9333907957803551447/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory, -XX:MaxDirectMemorySize=536870912, -Dopensearch.path.home=/usr/local/lib/opensearch, -Dopensearch.path.conf=/usr/local/etc/opensearch, -Dopensearch.distribution.type=tar, -Dopensearch.bundled_jdk=true]
[2024-01-21T20:15:59,629][INFO ][o.o.s.s.t.SSLConfig      ] [graylog-1] SSL dual mode is disabled
[2024-01-21T20:15:59,630][INFO ][o.o.s.OpenSearchSecurityPlugin] [graylog-1] OpenSearch Config path is /usr/local/etc/opensearch
[2024-01-21T20:15:59,864][INFO ][o.o.s.s.DefaultSecurityKeyStore] [graylog-1] JVM supports TLSv1.3
[2024-01-21T20:15:59,866][INFO ][o.o.s.s.DefaultSecurityKeyStore] [graylog-1] Config directory is /usr/local/etc/opensearch/, from there the key- and truststore files are resolved relatively
[2024-01-21T20:15:59,875][ERROR][o.o.b.Bootstrap          ] [graylog-1] Exception
java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:791) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:731) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:195) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.node.Node.<init>(Node.java:480) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.node.Node.<init>(Node.java:407) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) [opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180) [opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171) [opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) [opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) [opensearch-cli-2.11.1.jar:2.11.1]
	at org.opensearch.cli.Command.main(Command.java:101) [opensearch-cli-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137) [opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103) [opensearch-2.11.1.jar:2.11.1]
Caused by: java.lang.reflect.InvocationTargetException
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[?:?]
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:782) ~[opensearch-2.11.1.jar:2.11.1]
	... 15 more
Caused by: org.opensearch.OpenSearchSecurityException: Error while initializing transport SSL layer from PEM: java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/local/etc/ssl/graylog.int.unixathome.org.key" "read")
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:482) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:296) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.<init>(DefaultSecurityKeyStore.java:202) ~[?:?]
	at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.<init>(OpenSearchSecuritySSLPlugin.java:234) ~[?:?]
	at org.opensearch.security.OpenSearchSecurityPlugin.<init>(OpenSearchSecurityPlugin.java:277) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[?:?]
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:782) ~[opensearch-2.11.1.jar:2.11.1]
	... 15 more
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/local/etc/ssl/graylog.int.unixathome.org.key" "read")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:485) ~[?:?]
	at java.security.AccessController.checkPermission(AccessController.java:1068) ~[?:?]
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:416) ~[?:?]
	at java.lang.SecurityManager.checkRead(SecurityManager.java:756) ~[?:?]
	at sun.nio.fs.UnixPath.checkRead(UnixPath.java:780) ~[?:?]
	at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:49) ~[?:?]
	at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:148) ~[?:?]
	at java.nio.file.Files.readAttributes(Files.java:1851) ~[?:?]
	at java.nio.file.Files.isDirectory(Files.java:2322) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.checkPath(DefaultSecurityKeyStore.java:1124) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.resolve(DefaultSecurityKeyStore.java:274) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:453) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:296) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.<init>(DefaultSecurityKeyStore.java:202) ~[?:?]
	at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.<init>(OpenSearchSecuritySSLPlugin.java:234) ~[?:?]
	at org.opensearch.security.OpenSearchSecurityPlugin.<init>(OpenSearchSecurityPlugin.java:277) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[?:?]
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:782) ~[opensearch-2.11.1.jar:2.11.1]
	... 15 more
[2024-01-21T20:15:59,883][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [graylog-1] uncaught exception in thread [main]
org.opensearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
	at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:184) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) ~[opensearch-cli-2.11.1.jar:2.11.1]
	at org.opensearch.cli.Command.main(Command.java:101) ~[opensearch-cli-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103) ~[opensearch-2.11.1.jar:2.11.1]
Caused by: java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:791) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:731) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:195) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.node.Node.<init>(Node.java:480) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.node.Node.<init>(Node.java:407) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180) ~[opensearch-2.11.1.jar:2.11.1]
	... 6 more
Caused by: java.lang.reflect.InvocationTargetException
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[?:?]
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:782) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:731) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:195) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.node.Node.<init>(Node.java:480) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.node.Node.<init>(Node.java:407) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180) ~[opensearch-2.11.1.jar:2.11.1]
	... 6 more
Caused by: org.opensearch.OpenSearchSecurityException: Error while initializing transport SSL layer from PEM: java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/local/etc/ssl/graylog.int.unixathome.org.key" "read")
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:482) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:296) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.<init>(DefaultSecurityKeyStore.java:202) ~[?:?]
	at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.<init>(OpenSearchSecuritySSLPlugin.java:234) ~[?:?]
	at org.opensearch.security.OpenSearchSecurityPlugin.<init>(OpenSearchSecurityPlugin.java:277) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[?:?]
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:782) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:731) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:195) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.node.Node.<init>(Node.java:480) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.node.Node.<init>(Node.java:407) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180) ~[opensearch-2.11.1.jar:2.11.1]
	... 6 more
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/local/etc/ssl/graylog.int.unixathome.org.key" "read")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:485) ~[?:?]
	at java.security.AccessController.checkPermission(AccessController.java:1068) ~[?:?]
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:416) ~[?:?]
	at java.lang.SecurityManager.checkRead(SecurityManager.java:756) ~[?:?]
	at sun.nio.fs.UnixPath.checkRead(UnixPath.java:780) ~[?:?]
	at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:49) ~[?:?]
	at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:148) ~[?:?]
	at java.nio.file.Files.readAttributes(Files.java:1851) ~[?:?]
	at java.nio.file.Files.isDirectory(Files.java:2322) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.checkPath(DefaultSecurityKeyStore.java:1124) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.resolve(DefaultSecurityKeyStore.java:274) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:453) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:296) ~[?:?]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.<init>(DefaultSecurityKeyStore.java:202) ~[?:?]
	at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.<init>(OpenSearchSecuritySSLPlugin.java:234) ~[?:?]
	at org.opensearch.security.OpenSearchSecurityPlugin.<init>(OpenSearchSecurityPlugin.java:277) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[?:?]
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:782) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:731) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:195) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.node.Node.<init>(Node.java:480) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.node.Node.<init>(Node.java:407) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.11.1.jar:2.11.1]
	at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180) ~[opensearch-2.11.1.jar:2.11.1]
	... 6 more

Hi @dvl,

According to the docs here (TLS certificates - OpenSearch documentation), your plugins.security.ssl.transport.pemkey_filepath "must be under the config directory":

/usr/local/etc/opensearch/config

Best,
mj
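
A pre-start check for the constraint this reply points to, added here as an example (not code from the thread or from OpenSearch): it reads the flat `plugins.security.ssl.*_filepath` keys from opensearch.yml and lists those that resolve outside the config directory. The function names are hypothetical, the sample is constructed from the question's configuration, and the config directory used is the one printed in the startup log above.

```python
import os
import re

# Constructed sample: the TLS lines from the question's opensearch.yml.
SAMPLE_YML = """\
cluster.name: graylog
plugins.security.ssl.transport.pemcert_filepath:        cert.pem
plugins.security.ssl.transport.server.pemcert_filepath: /usr/local/etc/ssl/graylog.int.unixathome.org.crt
plugins.security.ssl.transport.client.pemcert_filepath: /usr/local/etc/ssl/graylog.int.unixathome.org.crt
plugins.security.ssl.transport.pemkey_filepath:         /usr/local/etc/ssl/graylog.int.unixathome.org.key
"""

# Config directory as reported by the "OpenSearch Config path is ..." log line.
CONFIG_DIR = "/usr/local/etc/opensearch"

# Assumption: settings are written as flat dotted keys, one per line.
_FILEPATH_KEY = re.compile(
    r"^\s*(plugins\.security\.ssl\.[\w.]+_filepath)\s*:\s*(.+?)\s*$"
)


def tls_file_settings(yml_text):
    """Yield (key, value) for each plugins.security.ssl.*_filepath line."""
    for line in yml_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip commented-out settings
        match = _FILEPATH_KEY.match(line)
        if match:
            yield match.group(1), match.group(2).strip("'\"")


def outside_config_dir(yml_text, config_dir):
    """Return [(key, resolved_path)] for TLS files outside config_dir."""
    base = os.path.normpath(config_dir)
    offenders = []
    for key, value in tls_file_settings(yml_text):
        # Relative values are resolved against the config directory;
        # normpath also collapses any "../" segments before comparing.
        resolved = os.path.normpath(os.path.join(base, value))
        if os.path.commonpath([base, resolved]) != base:
            offenders.append((key, resolved))
    return offenders


if __name__ == "__main__":
    for key, path in outside_config_dir(SAMPLE_YML, CONFIG_DIR):
        print(f"{key}: {path} is outside {CONFIG_DIR}")
```

The check is lexical only: it does not follow symlinks or look at filesystem modes, which in the question were already permissive.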