How to change default user passwords in Docker container?

I’m using OpenSearch 2.13 in a docker container.
When I mount the file, the changes are not automatically applied:

I’ve also tried making the changes through the Dashboard, but after docker compose down / up, the changes are lost.

I figured we need to run the file inside the container:

/usr/share/opensearch/plugins/opensearch-security/tools/ -icl -nhnv -cert /usr/share/opensearch/config/admin-cert.pem -cacert /usr/share/opensearch/config/root-ca.pem -key /usr/share/opensearch/config/admin-key.pem -cd /usr/share/opensearch/plugins/opensearch-security/securityconfig/

However this results in the following error:

Will connect to localhost:9200 … done
ERR: An unexpected SSLHandshakeException occured: Received fatal alert: certificate_unknown

I’m a bit at a loss as to the latest error. I’ve created an admin certificate as per the documentation.

The only difference is that we use our internal CA to sign the admin certificate, and used a normal webserver template for this. I’m also not sure as to the attributes (CN, and email) to assign to this certificate.

In the OpenSearch.yml we have configured:

  • ‘,,OU=IT,O=company.,L=City,ST=State,C=Country’

I’ve also tried it without the email address in the plugin config, but this didn’t make any difference.

Any suggestions as to what I’m doing wrong?
The process to set up OpenSearch is quite complicated; it seems like this could be done in a much easier fashion.

The admin certificate has to be signed with the same root-ca as node certificates, or the admin’s root-ca must be concatenated with the already existing CA (in “”). Is this the case?


You can check with the below:

openssl x509 -noout -subject -in <admin-cert>.pem
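
The trust-chain and subject checks from the reply above, as an added example that is not part of the thread: it builds two throwaway CAs and an admin certificate, then shows the certificate failing against one CA alone and passing once both CAs are concatenated into one bundle. Every key, DN and file name in it is constructed for the demonstration, and the helper names `chain_ok`, `subject_dn` and `new_ca` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Every key, certificate, DN and file name here is constructed.
set -eu
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT

# 0 if <cert.pem> chains to a CA contained in <ca-bundle.pem>
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Subject in RFC 2253 order, for comparison with the admin DN in opensearch.yml
subject_dn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Minimal config so the result does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"

# new_ca <name> <CN>: throwaway self-signed CA
new_ca() {
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$d/$1.key" -out "$d/$1.pem" -subj "/CN=$2" 2>/dev/null
}
new_ca node-ca "Constructed Node CA"          # stands in for the CA behind the node certs
new_ca internal-ca "Constructed Internal CA"  # stands in for a separate internal CA

# Admin certificate issued by the internal CA only
openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
  -keyout "$d/admin.key" -out "$d/admin.csr" \
  -subj "/C=NL/O=Example/OU=IT/CN=admin" 2>/dev/null
openssl x509 -req -in "$d/admin.csr" -CA "$d/internal-ca.pem" -CAkey "$d/internal-ca.key" \
  -CAcreateserial -days 1 -out "$d/admin.pem" 2>/dev/null

# Remedy named in the reply: concatenate both CAs into the trusted bundle
cat "$d/node-ca.pem" "$d/internal-ca.pem" > "$d/bundle.pem"

for ca in node-ca bundle; do
  if chain_ok "$d/$ca.pem" "$d/admin.pem"; then echo "$ca.pem: admin cert trusted"
  else echo "$ca.pem: admin cert NOT trusted"; fi
done
echo "admin DN: $(subject_dn "$d/admin.pem")"
```

Against real files, pass `chain_ok` the CA file the nodes are configured to trust and the admin certificate, and compare the `subject_dn` output character for character with the admin DN entry in opensearch.yml.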


We’ve configured the CA file, with “”.
Note: The CA file is a concat file, containing the public keys of both the intermediate CA and root CA.
We’ve also tried with just the intermediate CA, which was used to sign the certs.

I’m not sure if the node-certificates are being used, or working correctly. Is this required for the script?

I’ve double checked the attributes as per your last message, and made sure they are identical in the config file.

Hi @Gijs,

The above looks correct, would you mind sharing your opensearch.yml (please blank all sensitive information), and the commands used to generate certificates?


Certainly, these were:

sudo openssl genrsa -out admin-key-temp.pem 2048

sudo openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem

sudo openssl req -new -key admin-key.pem -out admin.csr

The CSR was then used to make a signed certificate, by using our Windows CA. The command used was:

certreq -attrib "CertificateTemplate:WebServer"