Is opensearch-dashboard server certificate and key required to be reloaded everytime when GUI is accessed

I am using opensearch-dashboards 1.3.0 with Security enabled. As per our one of requirement, I have encrypted the certificates after the opensearch-dashboard service is up. However, On access GUI, I receive an error for the server key and certificate as they are in encrypted format it is not able to open them.
This use case was working fine with kibana 7.10 rpm.

Is there any difference in opensearch-dashboard about how GUI rendering is done as it is trying to load certificates every time which was not the case with kibana.
Thanks in advance

@Pratiksha Do you refer to ODFE 1.13.2 or ELK 7.10.2?

I am referring to ELK 7.10.2

@Pratiksha OpenSearch was built on the fork of 7.10.2 OSS and OSS was not exactly the same as basic ELK 7.10.2.

I’ll have a look on that anyway.
Could you describe your process step by step?

Thanks @pablo , I was referring to Elasticsearch OSS RPM 7.10.2 itself. I have provided server certificates and key at the time of installations, however once the service becomes up, the certificates and key get encrypted and the filename gets changed.
I suspect this change is introduced as part of this function:

Hello @Pratiksha, that new piece of code was added to pass your certs to the server when making the calling to check your assets related to custom branding. It shouldn’t be used anywhere else and if that fails then you will just not have access to custom branding logos and it will render the default OpenSearch Dashboards logos. Are you just getting error logs? But everything is rendering and acting normal? If so we can just create an error message that specific to this case.

Hi @kavilla, Everything is not rendering and working fine as GUI itself is not accessible, I am receiving “internal server error” as attached below.

Receiving below error in the logs, it is giving no such file found as after encryption the filename has changed.
{“log”:{“message”:“{ Error: ENOENT: no such file or directory, open ‘’\n at Object.openSync (fs.js:443:3)\n at readFileSync (fs.js:343:35)\n at readFile (/usr/share/opensearch-dashboards/src/core/server/http/ssl_config.js:181:31)\n at new SslConfig (/usr/share/opensearch-dashboards/src/core/server/http/ssl_config.js:131:18)\n at RenderingService.setupHttpAgent (/usr/share/opensearch-dashboards/src/core/server/rendering/rendering_service.js:248:25)\n at Object.render (/usr/share/opensearch-dashboards/src/core/server/rendering/rendering_service.js:175:14)\n at Object.renderAnonymousCoreApp (/usr/share/opensearch-dashboards/src/core/server/http_resources/http_resources_service.js:87:43)\n at coreSetup.http.resources.register (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/types/basic/routes.ts:52:25)\n at router.get (/usr/share/opensearch-dashboards/src/core/server/http_resources/http_resources_service.js:63:18)\n at /usr/share/opensearch-dashboards/src/core/utils/context.js:58:16\n at process._tickCallback (internal/process/next_tick.js:68:7)\n errno: -2,\n syscall: ‘open’,\n code: ‘ENOENT’,\n path: ‘’ }”},“extension”:{“type”:“log”,“tags”:[“error”,“http”],“pid”:122},“type”:“log”,“level”:“info”,“timezone”:“UTC”,“time”:“2022-03-30T05:09:01Z”}
{“log”:{“message”:“Internal Server Error”},“extension”:{“type”:“error”,“tags”:,“pid”:122,“level”:“error”,“error”:{“message”:“Internal Server Error”,“name”:“Error”,“stack”:“Error: Internal Server Error\n at HapiResponseAdapter.toInternalError (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:82:19)\n at Router.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:177:34)\n at process._tickCallback (internal/process/next_tick.js:68:7)”},“url”:{“protocol”:null,“slashes”:null,“auth”:null,“host”:null,“port”:null,“hostname”:null,“hash”:null,“search”:“?nextUrl=%2Fpratiksha123%2Fapp%2Fmanagement%2Fopensearch-dashboards%2FindexPatterns%3FbannerMessage%3DTo%2520visualize%2520and%2520explore%2520data%2520in%2520OpenSearch%2520Dashboards%2C%2520you%2520must%2520create%2520an%2520index%2520pattern%2520to%2520retrieve%2520data%2520from%2520OpenSearch.”,“query”:{“nextUrl”:“/pratiksha123/app/management/opensearch-dashboards/indexPatterns?bannerMessage=To%20visualize%20and%20explore%20data%20in%20OpenSearch%20Dashboards,%20you%20must%20create%20an%20index%20pattern%20to%20retrieve%20data%20from%20OpenSearch.”},“pathname”:“/app/login”,“path”:“/app/login?nextUrl=%2Fpratiksha123%2Fapp%2Fmanagement%2Fopensearch-dashboards%2FindexPatterns%3FbannerMessage%3DTo%2520visualize%2520and%2520explore%2520data%2520in%2520OpenSearch%2520Dashboards%2C%2520you%2520must%2520create%2520an%2520index%2520pattern%2520to%2520retrieve%2520data%2520from%2520OpenSearch.”,“href”:“/app/login?nextUrl=%2Fpratiksha123%2Fapp%2Fmanagement%2Fopensearch-dashboards%2FindexPatterns%3FbannerMessage%3DTo%2520visualize%2520and%2520explore%2520data%2520in%2520OpenSearch%2520Dashboards%2C%2520you%2520must%2520create%2520an%2520index%2520pattern%2520to%2520retrieve%2520data%2520from%2520OpenSearch.”}},“type”:“log”,“level”:“info”,“timezone”:“UTC”,“time”:“2022-03-30T05:09:01Z”}

Did you have a version of OpenSearch Dashboards working previously (for example 1.2)?

I have not tried this scenario with previous version.

Do you have the ability to check if this scenario works in 1.2? The rendering service SSL agent is not there in 1.2, I’m curious if the OpenSearch Security Dashboards plugin works fine or this code. Or maybe both.

Otherwise I can try to see if I can recreate this situation.

1 Like

Hi @kavilla ,

I verified the use case with v1.2 and it is working absolutely fine.

1 Like

I see, the SSL handshake between OpenSearch Dashboards and OpenSearch Security does not need to happen everytime since this at a service level. However, the new piece of code is establishing the handshake between the browser and the server and see it’s in the rendering service it will be required everytime you refresh the browser.

I’m not positive what’s the best behavior, definitely not file not found error but I think possibly just fail and do the default rendering? What do you think?

Sorry this happened, I believe we are attempting to do a 1.3.1 release for OpenSearch Dashboards perhaps I can get that in.

1 Like

Hi @kavilla

Can you please share when can version 1.3.1 be released. I hope it includes the changes that it will initially check if custom branding is enabled and then check for further steps.

Hi @kavilla
I am facing the same issue described here. Is there a plan to release opensearch-dashboards 1.3.1 with this fix? And when is the 1.3.1 version expected to be released? We see opensearch-1.3.1 is already released.

Hello @Pratiksha and @shivana,

OpenSearch Dashboards 1.3.1 is released! This issue should be addressed but please let me know if you continue to see errors.

1 Like

Thanks for the response. Yes this issue is no longer seen with v1.3.1.