Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2,5
Describe the issue:
I am using helm with a single custom node cert (for a 3-replica deployment) with demo certs disabled and get the following errors:
- Transport client authentication no longer supported.
- Demo certificates found (goes away if I set allow_unsafe_democertificates: false, but if I use true with custom cert paths I get the transport error above)
My question is: How do I configure a multi-node helm production deployment (WITHOUT demo certs)? (your answer would address how to generate the certs, and the opensearch yaml config - thanks!)
A further question is: How do I fix the transport error below, generate a custom node cert and configure helm for a multi-node deployment?
Please note: The Configuring TLS Certificates doc appears to address multi-node clusters but not Kubernetes statefulsets (for these, we need a dynamic solution, not hard-configured certs as in the doc)
My config appears to be incorrect - see the error below:
Transport client authentication no longer supported
I am using helm to deploy to Kubernetes.
I want to replace the demo certificate with a custom one.
I set allow_unsafe_democertificates: true
# Ouch! See custom path below. How do I switch this off? It complains if true - demo certs found!
I set the mount path for my k8s secrets:
secretMounts:
  - name: opensearch-tls
    secretName: opensearch-tls
    path: /usr/share/opensearch/config/certs
I have generated the same set of certs for each of the keys for the demo cert, which are correctly mounted in /usr/share/opensearch/config/certs. In other words, I have the following config and I am able to list these within the running container, indicating that the certs are correctly mounted:
pemcert_filepath: certs/esnode.pem
pemkey_filepath: certs/esnode-key.pem
pemtrustedcas_filepath: certs/root-ca.pem
My cert looks like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ==> REDACTED <==
        Signature Algorithm: ==> REDACTED <==
        Issuer: C===> REDACTED <==, ST===> REDACTED <==, L===> REDACTED <==, O===> REDACTED <==, OU===> REDACTED <==, CN=opensearch-cluster-master.<MY NAMESPACE>.svc.cluster.local
        Validity
            Not Before: Sep 28 10:56:00 2024 GMT
            Not After : Sep 28 10:56:00 2025 GMT
        Subject: C===> REDACTED <==, ST===> REDACTED <==, L===> REDACTED <==, O===> REDACTED <==, OU===> REDACTED <==, CN=opensearch-cluster-master.<MY NAMESPACE>.svc.cluster.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ==> REDACTED <==
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:opensearch-cluster-master.<MY NAMESPACE>.svc.cluster.local, DNS:localhost, IP Address:127.0.0.1, Registered ID:1.2.3.4.5.7
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                ==> REDACTED <==
            X509v3 Authority Key Identifier:
                ==> REDACTED <==
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        ==> REDACTED <==
See Registered ID: it has been modified
See CN: It has been modified
I am using RID which should mean that I do not have to configure distinguished names (DNs)
The setup works fine with the demo certs enabled. It is with the above config that it fails.
Any ideas, please?
If the cert above is incorrect, what is the correct way to generate a single-cert configuration (in a multi-node setup for Kubernetes)?
Can you please advise (or show me the docs) on how I should configure certs for a production deployment on Kubernetes (using the helm chart here)?
Thanks!
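The following script is an added example and is not part of the post above nor of the OpenSearch helm chart. It shows the piece the post is asking about: issuing one node certificate from a private CA whose SAN lists every pod of an N-replica StatefulSet (the pod names are stable, so one cert can serve all replicas without per-node configuration), carrying the Registered ID the security plugin uses to recognise a node certificate (1.2.3.4.5.5 by default, which is what the demo certs carry; the plugin otherwise needs the DN in plugins.security.nodes_dn, and treats a transport peer whose certificate it cannot recognise as a node as a no-longer-supported transport client), and verifying chain, key/cert match and SAN contents before the files go into the Kubernetes secret. It then prints the matching opensearch.yml settings with the demo-cert switch off. Assumptions, none of them from the post: the helm chart defaults "opensearch-cluster-master" and "opensearch-cluster-master-headless", a hypothetical namespace "logging", an organisation "example", and a working openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSearch helm chart):
# one node certificate for every pod of an N-replica OpenSearch StatefulSet,
# checked before it is stored as a Kubernetes secret.  Namespace "logging" and
# organisation "example" are placeholders; release/service names are the
# helm chart defaults.  Requires the openssl CLI.
set -eu

NODE_OID="1.2.3.4.5.5"   # default OID the security plugin treats as "node certificate"

# subjectAltName value: service, headless service, each pod's stable DNS name,
# localhost, and the Registered ID that marks this as a node (not client) cert.
san_list() {
  ns=$1 rel=$2 n=$3
  san="DNS:${rel}.${ns}.svc.cluster.local"
  san="${san},DNS:${rel}-headless.${ns}.svc.cluster.local"
  i=0
  while [ "$i" -lt "$n" ]; do
    san="${san},DNS:${rel}-${i}.${rel}-headless.${ns}.svc.cluster.local"
    i=$((i + 1))
  done
  printf '%s\n' "${san},DNS:localhost,IP:127.0.0.1,RID:${NODE_OID}"
}

# Write root-ca.pem, esnode.pem and a PKCS#8 esnode-key.pem into directory $1.
gen_certs() {
  dir=$1 ns=$2 rel=$3 n=$4
  cn="${rel}.${ns}.svc.cluster.local"
  (
    cd "$dir"
    openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
    openssl req -new -key root-ca-key.pem -subj "/O=example/CN=opensearch-root-ca" -out root-ca.csr
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca-ext.cnf
    openssl x509 -req -in root-ca.csr -signkey root-ca-key.pem -sha256 -days 3650 \
      -extfile ca-ext.cnf -out root-ca.pem 2>/dev/null
    openssl genrsa -out esnode-key-tmp.pem 2048 2>/dev/null
    # OpenSearch expects the node key in PKCS#8 PEM form (like the demo esnode-key.pem).
    openssl pkcs8 -topk8 -nocrypt -in esnode-key-tmp.pem -out esnode-key.pem
    openssl req -new -key esnode-key.pem -subj "/O=example/CN=${cn}" -out esnode.csr
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth,clientAuth\nbasicConstraints=CA:FALSE\n' \
      "$(san_list "$ns" "$rel" "$n")" > node-ext.cnf
    openssl x509 -req -in esnode.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
      -sha256 -days 365 -extfile node-ext.cnf -out esnode.pem 2>/dev/null
    rm -f esnode-key-tmp.pem root-ca.csr esnode.csr ca-ext.cnf node-ext.cnf
  )
}

# 0 only if the chain verifies, key matches cert, and the SAN carries the node
# OID plus every pod name for the given replica count.
check_certs() {
  dir=$1 ns=$2 rel=$3 n=$4
  openssl verify -CAfile "$dir/root-ca.pem" "$dir/esnode.pem" >/dev/null || return 1
  cert_pub=$(openssl x509 -in "$dir/esnode.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/esnode-key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  text=$(openssl x509 -in "$dir/esnode.pem" -noout -text)
  case "$text" in *"Registered ID:${NODE_OID}"*) ;; *) return 1 ;; esac
  i=0
  while [ "$i" -lt "$n" ]; do
    case "$text" in
      *"DNS:${rel}-${i}.${rel}-headless.${ns}.svc.cluster.local"*) ;;
      *) return 1 ;;
    esac
    i=$((i + 1))
  done
  return 0
}

# opensearch.yml security settings matching these files (paths are relative to
# the config dir, i.e. the chart's secretMounts path config/certs).  Demo certs
# are off; the node DN is also listed in nodes_dn as an explicit allow-list.
security_settings() {
  ns=$1 rel=$2
  cat <<EOF
plugins.security.allow_unsafe_democertificates: false
plugins.security.ssl.transport.pemcert_filepath: certs/esnode.pem
plugins.security.ssl.transport.pemkey_filepath: certs/esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certs/esnode.pem
plugins.security.ssl.http.pemkey_filepath: certs/esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
plugins.security.nodes_dn:
  - "CN=${rel}.${ns}.svc.cluster.local,O=example"
EOF
}

main() {
  out=$(mktemp -d)
  gen_certs "$out" logging opensearch-cluster-master 3
  check_certs "$out" logging opensearch-cluster-master 3 || { echo "certificate check failed" >&2; exit 1; }
  echo "certificates written to $out"
  security_settings logging opensearch-cluster-master
}
main
```

The three PEM files can then go into the secret (kubectl create secret generic opensearch-tls --from-file=...) that the post's secretMounts entry mounts at config/certs. If the replica count grows, reissue the certificate with the new count: check_certs with a larger count than the cert was issued for fails, which is the intended signal that the SAN no longer covers every pod.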