Issue with hot-reloading certificates on Windows

Mantas · July 12, 2023, 9:50am

**On behalf of a user of Slack **

"I have installed OpenSearch v2.8.0 on Windows and was successfully able to use securityadmin.bat and my admin cert/key to configure my internal users. I needed a way to hot-reload the certificates which apparently can only be done using REST and auth with admin cert:

PowerShell’s Invoke-WebRequest and a PFX generated from the admin PEMs didn’t work.

Windows’ curl.exe seems to be incapable to doing cert auth and didn’t work.

curl for Windows also didn’t work with alert certificate unknown.

Question:

Is there any way to authenticate with admin certs on Windows?

Is there any other way to hot-reload the certs, perhaps using securityadmin.bat or even a periodical auto-reload like ES has?"

Mantas · July 12, 2023, 11:07am

Hi Miki,

Do you have plugins.security.ssl_cert_reload_enabled set to true in your opensearch.yml ?

plugins.security.ssl_cert_reload_enabled: true

Could you please confirm if the certificates were issued by the same issuer and subject DN and SAN (as per API - OpenSearch documentation)?

Moreover, please provide me with the curl command you are using.

Thanks,
Mantas

peternied · July 14, 2023, 10:11pm

There is also an issue on GitHub that proposes a work around so the admin cert isn’t needed.

github.com/opensearch-project/security

Unable to `reloadcerts` on Windows

opened 09:21PM - 10 Jul 23 UTC

AMoo-Miki

enhancement

OpenSearch 2.8.0 is installed on Windows and, root, node and admin certs/keys ar…e created, and the root cert and admin cert/key are successfully used with `securityadmin.bat` to load configurations like `internalusers.yml`. According to docs, hot-loading of certificates is possible by performing a `PUT` on `_opendistro/_security/api/ssl/transport/reloadcerts`. While undocumented, this is only possible when authenticating with the admin cert. There are 3 curl options on Windows: 1. PowerShell's (v7.x) `Invoke-WebRequest` and its siblings who required a PFX cert. I created one with my admin cert and key but the request failed to auth. 2. Windows' built-in `curl.exe` simply doesn't support certificate-based authentication. 3. [curl for Windows](https://curl.se/windows/) which failed with `alert certificate unknown` indicating it failed as well. Questions: 1. Is there any way to authenticate with admin certs on Windows? 2. Is there any other way to hot-reload the certs, perhaps using securityadmin.bat, or even a periodical auto-reload like the one ES offers?

Topic		Replies	Views
Can't reload SSL certs via API Security	5	803	August 1, 2023
Certificate reloading? Security	3	1891	September 14, 2022
Admin certificates not working properly? Security	4	700	December 1, 2021
Exception when reloading self signed certs via REST API Security troubleshoot	2	111	June 21, 2024
SSL cert hot reload (for PEM files) - v 1.6.0 Security	1	1434	May 6, 2020

Issue with hot-reloading certificates on Windows

Related topics