I’m using OpenSearch 2.13 in a docker container.
When I mount the file, the changes are not automatically applied: /internal_users.yml:/usr/share/opensearch/config/opensearch-security/internal_users.yml
I’ve also tried making the changes through the Dashboard, but after docker compose down / up the changes are lost.
I figured we need to run the securityadmin.sh file inside the container:
Will connect to localhost:9200 … done
ERR: An unexpected SSLHandshakeException occured: Received fatal alert: certificate_unknown
I’m a bit at a loss as to the latest error. I’ve created an admin certificate as per the documentation.
The only difference is that we use our internal CA to sign the admin certificate, and used a normal webserver template for this. I’m also not sure as to the attributes (CN, and email) to assign to this certificate.
In the opensearch.yml we have configured:
plugins.security.authcz.admin_dn:
I’ve also tried it without the email address in the plugin config, but this didn’t make any difference.
Any suggestions as to what I’m doing wrong?
The process to set up OpenSearch is quite complicated; it seems like this could be done in a much easier fashion.
The admin certificate has to be signed with the same root-ca as node certificates or the admin’s root-ca must be concatenated with already existing CA (in “plugins.security.ssl.http.pemtrustedcas_filepath”), is this the case?
We’ve configured the CA file, with “plugins.security.ssl.http.pemtrustedcas_filepath”.
Note: The CA file is a concat file, containing the public keys of both the intermediate CA and root CA.
We’ve also tried with just the intermediate CA, which was used to sign the certs.
I’m not sure if the node-certificates are being used, or working correctly. Is this required for the securityadmin.sh script?
I’ve double checked the attributes as per your last message, and made sure they are identical in the config file.
The above looks correct, would you mind sharing your opensearch.yml (please blank all sensitive information), and the commands used to generate certificates?
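A diagnostic sketch for the checks discussed in this thread, added here as an example and not posted by any participant: it tests whether an admin certificate chains to the CA bundle the nodes trust, whether it may be used as a TLS client certificate (which is how securityadmin.sh presents it), and prints its subject in RFC 2253 form for comparison with admin_dn. The function names and the throwaway demo certificates are constructed assumptions; whether a web-server template restricts client use depends on the issuing CA and is not confirmed by the thread.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread). All certificates below are
# constructed demo data; real paths and DNs come from your own deployment.

# 1. Does the admin cert chain to the CA bundle in pemtrustedcas_filepath?
chain_ok() {   # $1 = CA bundle, $2 = admin certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 2. May the cert be used as a TLS *client* cert? securityadmin.sh presents
#    it as one, and a server-only EKU makes OpenSSL answer "No" here.
client_auth_ok() {   # $1 = admin certificate
  openssl x509 -in "$1" -noout -purpose | grep -q '^SSL client : Yes'
}

# 3. Subject in RFC 2253 form, to compare with plugins.security.authcz.admin_dn
admin_dn() {   # $1 = admin certificate
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Constructed demo PKI: two unrelated CAs, one leaf per extendedKeyUsage value.
make_demo() {   # $1 = output directory
  d=$1
  for ca in ca other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo $ca" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
  done
  for eku in serverAuth clientAuth; do
    echo "extendedKeyUsage=$eku" > "$d/$eku.ext"
    openssl req -newkey rsa:2048 -nodes -subj '/C=DE/O=Example/CN=admin' \
      -keyout "$d/$eku.key" -out "$d/$eku.csr" 2>/dev/null
    openssl x509 -req -in "$d/$eku.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -extfile "$d/$eku.ext" -out "$d/$eku.pem" 2>/dev/null
  done
}

demo=$(mktemp -d)
make_demo "$demo"
for c in serverAuth clientAuth; do
  chain_ok "$demo/ca.pem" "$demo/$c.pem" && chain=ok || chain=FAIL
  client_auth_ok "$demo/$c.pem" && use=ok || use=FAIL
  echo "$c.pem: chain=$chain client-auth=$use dn=$(admin_dn "$demo/$c.pem")"
done
chain_ok "$demo/other.pem" "$demo/clientAuth.pem" || echo "clientAuth.pem: not issued under other.pem"
```

Against a real deployment, call the three functions with the concatenated CA file and the admin certificate instead of the demo files.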