Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
v2.13.0
Describe the issue :
I’m using a private certificate (self-signed) and I want to register the root CA information to provide trusted certificate authority information.
-----BEGIN CERTIFICATE-----
${cert1}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
${cert2}
-----END CERTIFICATE-----
However, if I register a root CA file in the form of a chain as shown above,
the root CA file information in OpenSearch Dashboards does not seem to be parsed properly.
Related errors
{"type":"log","@timestamp":"2024-04-26T18:08:42+09:00","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: write EPROTO 140597421410240:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"}
Is there any additional options I should give?
Configuration :
opensearch.ssl.certificateAuthorities: [ "/apps/opensearch-dashboards/config/certificates/rootca.crt" ]
Relevant Logs or Screenshots :
If I try to use the JKS form of the file, the following error occurs:
FATAL Error: Only 8, 16, 24, or 32 bits supported:
OpenSearch had no particular issues registering multiple rootCAs with the above settings: plugins.security.ssl.transport.pemtrustedcas_filepath
pablo
May 1, 2024, 12:01pm
4
@10000-ki Does your issue relate to OpenSearch or OpenSearch Dashboards?
@pablo
dashboards.
I applied HTTPS to OpenSearch via a private certificate (self-signed):
dashboards -> https -> opensearch
I used the opensearch.ssl.certificateAuthorities setting, as shown in the guide above, to register CA information, but
-----BEGIN CERTIFICATE-----
${cert1}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
${cert2}
-----END CERTIFICATE-----
If I have multiple CAs listed as above, it doesn't seem to recognize them properly.
It is probably failing on the Node.js side, which is the dashboards server.
@pablo
However,
opensearch.ssl.certificateAuthorities: [ "/apps/opensearch-dashboards/config/certificates/ca1.crt", "/apps/opensearch-dashboards/config/certificates/ca2.crt" ]
If I divide the rootCA information into 2 files like above, it works fine.
What I want is for the dashboards server to properly recognize multiple CAs in a single file.
pablo
May 1, 2024, 9:06pm
7
@10000-ki As per documentation, this option expects an array instead of a single file. It won't recognize concatenated certificates in a single file.
plugins.security.ssl.transport.pemtrustedcas_filepath expects a single value instead of an array and reads concatenated certificates.
pablo:
As per documentation, this option expects an array instead of a single file. It won't recognize concatenated certificates in a single file.
plugins.security.ssl.transport.pemtrustedcas_filepath expects a single value instead of an array and reads concatenated certificates.
@pablo I see.
The plugins.security.ssl.transport.pemtrustedcas_filepath setting doesn't seem to exist in dashboards.
Should I use a setting like opensearch.ssl.truststore.path in dashboards?
pablo
May 2, 2024, 9:20am
9
@10000-ki Could you share content of your opensearch.yml and opensearch_dashboards.yml?
I solved it by splitting the CA file into n pieces.
This issue can be closed.