rmstmg
September 25, 2023, 5:53pm
1
Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.9.0
Describe the issue :
I have generated a Let’s Encrypt SSL certificate using the HTTP challenge and configured it as below:
server.ssl.certificate: /etc/letsencrypt/live/opensearch.example.com/cert.pem
server.ssl.key: /etc/letsencrypt/live/opensearch.example.com/privkey.pem
opensearch.ssl.certificateAuthorities: [ "/etc/letsencrypt/live/opensearch.example.com/fullchain.pem" ]
But I am not able to browse OpenSearch Dashboard after configuring the above certificates and restarting OSD. I am getting connection refused on opensearch.example.com:5601. What could be the reason for the issue? I don’t see any issue in the opensearch log. Can I use the above certificate for the dataprepper sink for OpenSearch?
Thanks in advance.
Eugene7
September 26, 2023, 2:40pm
2
Hi @rmstmg
Could you please share your opensearch_dashboards.yml, opensearch.yml and data-prepper-config.yaml files?
rmstmg
September 26, 2023, 3:48pm
3
Hello @Eugene7, please find the config details below:
opensearch.yml:
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
network.host: 0.0.0.0
discovery.type: single-node
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/node1.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/node1.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
- 'CN=opensearch.example.com,OU=IT,O=Example Ltd.,L=London,C=UK'
plugins.security.nodes_dn:
- 'CN=opensearch.example.com,OU=IT,O=Example Ltd.,L=London,C=UK'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
opensearch-dashboard.yml:
---
server.host: "0.0.0.0"
server.maxPayloadBytes: 104857600
opensearch.requestTimeout: 30000
opensearch.hosts: [https://<serveripaddress>:9200]
opensearch.ssl.verificationMode: none
opensearch.username: admin
opensearch.password: password here
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
server.ssl.enabled: true
server.ssl.certificate: /etc/letsencrypt/live/opensearch.example.com/cert.pem
server.ssl.key: /etc/letsencrypt/live/opensearch.example.com/privkey.pem
opensearch.ssl.certificateAuthorities: [ "/etc/letsencrypt/live/opensearch.example.com/fullchain.pem" ]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
opensearch_security.cookie.secure: false
dataprepper-config.yml:
log-pipeline:
  source:
    http:
      ssl: false
  sink:
    - opensearch:
        hosts: [ "https://opensearch.example.com:9200" ]
        insecure: true
        username: admin
        password: password
        index: my-logs-%{yyyy.MM.dd}
Your help is highly appreciated. Thanks.
Eugene7
September 28, 2023, 8:47am
4
Can you connect to the OpenSearch node with a curl command? Are the node certificates for http and transport self-signed or from Let’s Encrypt?