How to change default user passwords in Docker container?

Gijs · May 2, 2024, 11:39am

I’m using OpenSearch 2.13 in a docker container.
When I mount the file, the changes are not automatically applied:
/internal_users.yml:/usr/share/opensearch/config/opensearch-security/internal_users.yml

I’ve also tried making the changes through the Dashboard, but after docker compose down / up. The changes are lost.

I figured we need to run the securityadmin.sh file inside the container:

/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -icl -nhnv -cert /usr/share/opensearch/config/admin-cert.pem -cacert /usr/share/opensearch/config/root-ca.pem -key /usr/share/opensearch/config/admin-key.pem -cd /usr/share/opensearch/plugins/opensearch-security/securityconfig/

However this results in the following error:

Will connect to localhost:9200 … done
ERR: An unexpected SSLHandshakeException occured: Received fatal alert: certificate_unknown

I’m a bit at a loss as to the latest error. I’ve created an admin certificate as per the documentation

The only difference is that we use our internal CA to sign the admin certificate, and used a normal webserver template for this. I’m also not sure as to the attributes (CN, and email) to assign to this certificate.

In the OpenSearch.yml we have configured:
plugins.security.authcz.admin_dn:

‘EMAILADDRESS=support@company.com,CN=opensearch1.company.local,OU=IT,O=company.,L=City,ST=State,C=Country’

I’ve also tried it without the emailadres in the plugin config, but this didn’t make any difference.

Any suggestions as to what I’m doing wrong?
The process to setup OpenSearch is quite complicated, it seems like this could be done in a much easier fashion.

Mantas · May 2, 2024, 11:45am

The admin certificate has to be signed with the same root-ca as node certificates or the admin’s root-ca must be concatenated with already existing CA( in “plugins.security.ssl.http.pemtrustedcas_filepath”), is this the case?

Best,
mj

Mantas · May 2, 2024, 11:48am

You can check with the below:

openssl x509 -noout -subject -in <admin-cert>.pem

best,
mj

Gijs · May 6, 2024, 2:14pm

We’ve configured the CA file, with “plugins.security.ssl.http.pemtrustedcas_filepath”.
Note: The CA file is a concat file, containing the public key’s of both the intermediate CA and root CA.
We’ve also tried with just the intermediate CA, which was used to sign the certs.

I’m not sure if the node-certificates are being used, or working correctly. Is this required for the securityadmin.sh script?

I’ve double checked the attributes as per your last message, and made sure they are identical in the config file.

Mantas · May 8, 2024, 9:03am

Hi @Gijs,

The above looks correct, would you mind sharing your opensearch.yml (please blank all sensitive information), and the commands used to generate certificates?

Thanks,
mj

Gijs · May 14, 2024, 3:44pm

Certainly, these where:

sudo openssl genrsa -out admin-key-temp.pem 2048

sudo openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem

sudo openssl req -new -key admin-key.pem -out admin.csr

The csr was then used to make a signed certificate, by using our Windows CA. The command used was:

certreq -attrib "CertificateTemplate:WebServer"

Topic		Replies	Views
Path to internal_users.yml change admin password Security troubleshoot , configure	9	1564	June 17, 2022
Change password in OpenSearch 2.x and docker Security	1	1102	May 31, 2022
Set simple password Security configure	3	452	July 22, 2022
How to Change Admin Password in Docker-Run OpenSearch v2.12.0? Security install	1	229	February 23, 2024
How to setup security on containerised opensearch? Security configure	3	1027	February 2, 2024

How to change default user passwords in Docker container?

Related Topics