Is it possible to set multiple root CA in a single file?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

v2.13.0

Describe the issue:

I’m using a private certificate (self-signed) and I want to register the root CA information to provide trusted certificate authority information.

-----BEGIN CERTIFICATE-----
${cert1}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
${cert2}
-----END CERTIFICATE-----

However, if I register a root CA file in the form of a chain as shown above,
the root CA file information in OpenSearch Dashboards does not seem to be parsed properly.

Related errors

{"type":"log","@timestamp":"2024-04-26T18:08:42+09:00","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: write EPROTO 140597421410240:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"}

Are there any additional options I should give?

Configuration:

opensearch.ssl.certificateAuthorities: [ "/apps/opensearch-dashboards/config/certificates/rootca.crt" ]

Relevant Logs or Screenshots:

If I try to use the JKS form of the file,
the following error occurs:
FATAL Error: Only 8, 16, 24, or 32 bits supported:

OpenSearch had no particular issues registering multiple root CAs with the above settings: plugins.security.ssl.transport.pemtrustedcas_filepath

@10000-ki Does your issue relate to OpenSearch or OpenSearch Dashboards?

@pablo

dashboards.

I applied HTTPS to OpenSearch via a private certificate (self-signed).

dashboards -> https -> opensearch

As shown in the guide above, I used the
opensearch.ssl.certificateAuthorities
setting to register the CA information,

but

-----BEGIN CERTIFICATE-----
${cert1}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
${cert2}
-----END CERTIFICATE-----

If I have multiple CAs listed as above,
it doesn't seem to recognize them properly.
It is probably failing on the Node.js side, which is the dashboards server.

@pablo

However

opensearch.ssl.certificateAuthorities: [ "/apps/opensearch-dashboards/config/certificates/ca1.crt", "/apps/opensearch-dashboards/config/certificates/ca2.crt" ]

If I divide the root CA information into 2 files like above, it works fine.

What I want is

I want the dashboards server to properly recognize multiple CAs in a single file.

@10000-ki As per documentation, this option expects an array instead of a single file. It won’t recognize concatenated certificates in a single file.

plugins.security.ssl.transport.pemtrustedcas_filepath expects a single value instead of an array and reads concatenated certificates.

@pablo I see.

plugins.security.ssl.transport.pemtrustedcas_filepath This setting doesn’t seem to exist in dashboards.
Does dashboards have to use a setting like opensearch.ssl.truststore.path?

@10000-ki Could you share content of your opensearch.yml and opensearch_dashboards.yml?

I solved it by splitting the CA file into n pieces.
This issue can be closed.
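
The workaround that closed the thread (one certificate per file, each path listed in opensearch.ssl.certificateAuthorities) can be scripted. The following is an added example, not code from the thread or from the OpenSearch project; the function name split_ca_bundle and the ca<N>.crt file naming are assumptions. It splits a concatenated PEM bundle and prints the matching opensearch_dashboards.yml line.

```shell
#!/bin/sh
# Added example, not from the thread: split a concatenated PEM CA bundle into
# one file per certificate and print the matching opensearch_dashboards.yml line.
# The function name and the ca<N>.crt naming are assumptions of this example.

split_ca_bundle() {
    bundle=$1
    outdir=$2
    [ -r "$bundle" ] || { echo "cannot read bundle: $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1

    awk -v dir="$outdir" '
        # Normalise CRLF and trailing blanks so the markers match exactly.
        { sub(/[ \t\r]+$/, "") }

        /^-----BEGIN CERTIFICATE-----$/ {
            if (inblock) exit            # BEGIN inside a block: END reports it
            n++
            out = sprintf("%s/ca%d.crt", dir, n)
            inblock = 1
        }

        # Text outside BEGIN/END (subject comments, blank lines) is dropped.
        inblock { print > out }

        /^-----END CERTIFICATE-----$/ {
            if (inblock) {
                close(out)
                list = list (list == "" ? "" : ", ") "\"" out "\""
                inblock = 0
            }
        }

        END {
            if (inblock || n == 0) {
                print "malformed bundle or no certificates found" > "/dev/stderr"
                exit 2
            }
            printf "opensearch.ssl.certificateAuthorities: [ %s ]\n", list
        }
    ' "$bundle"
}

# Usage: sh split_ca_bundle.sh rootca.crt /path/to/certificates
if [ "$#" -eq 2 ]; then
    split_ca_bundle "$1" "$2"
fi
```

Check each resulting file with `openssl x509 -in ca1.crt -noout -subject -enddate` before pointing Dashboards at it, so that only the intended roots end up trusted.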