New certificates should not expire before the current ones

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Opensearch-security 2.9.0

Describe the issue:

OpenSearch throws the below exception when reloading new certificates while the existing emergency certificates have longer expiration dates.

PUT /_opendistro/_security/api/ssl/transport/reloadcerts

{"error":"OpenSearchSecurityException[Error while initializing transport SSL layer from PEM: java.lang.Exception: New certificates should not expire before the current ones.]; nested: Exception[New certificates should not expire before the current ones.];"

Configuration:

accesscontrol is enabled

http:
anonymous_auth_enabled: true

1. Reload of new certificates failed.
2. Since OpenSearch is not available:
"message": "[logstash.outputs.opensearch] Attempted to resurrect connection to dead OpenSearch instance, but got an error {:url=>'https://service-tls:port/', :exception=>LogStash::Outputs::OpenSearch::HttpClient::Pool::BadResponseCodeError, :message=>'Got response code '503' contacting OpenSearch at URL 'https://service-tls:port/''}"}

Only after multiple retries was it able to restore the connection:
"[logstash.outputs.opensearch] Restored connection to OpenSearch instance {:url=>'https://service-tls:port/'}"}

Kindly provide a workaround/solution to proceed further.

Hi @Maha,

Have you tried with: PUT /_plugins/_security/api/ssl/transport/reloadcerts

Please see more here: API - OpenSearch Documentation

Best,
mj

Hi @Mantas ,

I tried this plugin API, and I still get the same "New certificates" exception.

Thanks/Maha

Hi @Maha,

Could you share the output of the below for both your “emergency” and “new” cert:
NOTE: please mask any sensitive data.

openssl x509 -in <certificate.pem> -enddate -startdate -noout

Thanks,
mj

Hi @Mantas ,

"Active cert time" refers to the old certificate and "Available cert time" refers to the new certificates to be reloaded.

Active cert time: "notBefore=Feb 29 05:49:39 2024 GMT; notAfter=Aug 29 20:55:09 2024 GMT"
Available cert time: "notBefore=Feb 29 05:53:39 2024 GMT; notAfter=Feb 29 05:59:09 2024 GMT"

STATUS=$(/bin/ PUT "/_plugins/_security/api/ssl/transport/reloadcerts" 2>&1)
echo $STATUS
{"error":"OpenSearchSecurityException[Error while initializing transport SSL layer from PEM: java.lang.Exception: New certificates should not expire before the current ones.]; nested: Exception[New certificates should not expire before the current ones.];"}

Thanks,
Maha
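The dates above show exactly what the plugin rejects: the new certificate's notAfter (Feb 29 05:59:09 2024) is earlier than the active certificate's notAfter (Aug 29 20:55:09 2024). The script below is an added example, not code from the thread or from the opensearch-security plugin. It reproduces that one validation from the same `openssl x509 -startdate -enddate -noout` output mj asked for, so an operator can see before calling `reloadcerts` (and before the node starts answering 503 to Logstash) whether the reload would be refused. The two extra checks (not yet valid, already expired) and the `check_reload` / `cert_dates_from_file` names are the example's own assumptions; the sample dates are the ones posted in this thread.

```python
#!/usr/bin/env python3
"""Pre-flight check before calling PUT /_plugins/_security/api/ssl/transport/reloadcerts.

Added example (not part of this thread or of the opensearch-security plugin).
It mirrors the one rule visible in the error message quoted above: the new
certificate must not expire before the active one.
"""
import subprocess
from datetime import datetime, timezone

# Format of the lines "openssl x509 -startdate -enddate -noout" prints,
# e.g. "notAfter=Aug 29 20:55:09 2024 GMT" (single-digit days are space padded).
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_date(line: str) -> datetime:
    """Turn 'notAfter=Aug 29 20:55:09 2024 GMT' into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    naive = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
    return naive.replace(tzinfo=timezone.utc)


def parse_openssl_output(output: str) -> dict:
    """Parse the two date lines into {'notBefore': datetime, 'notAfter': datetime}."""
    dates = {}
    for line in output.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            dates[key] = parse_openssl_date(line)
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError(f"unexpected openssl output: {output!r}")
    return dates


def cert_dates_from_file(pem_path: str) -> dict:
    """Run the same openssl command as in the thread against a PEM file on disk."""
    proc = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-startdate", "-enddate", "-noout"],
        check=True, capture_output=True, text=True,
    )
    return parse_openssl_output(proc.stdout)


def check_reload(active: dict, new: dict, now: datetime = None) -> list:
    """Return the reasons a reload should be expected to fail; an empty list means OK.

    The first rule is the plugin's own (wording taken from its error message).
    The other two are sanity checks added by this example, not plugin behaviour.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    if new["notAfter"] < active["notAfter"]:
        problems.append(
            "New certificates should not expire before the current ones "
            f"(new notAfter {new['notAfter']:%Y-%m-%d %H:%M:%S} is before "
            f"active notAfter {active['notAfter']:%Y-%m-%d %H:%M:%S})"
        )
    if new["notBefore"] > now:
        problems.append("new certificate is not yet valid")
    if new["notAfter"] <= now:
        problems.append("new certificate has already expired")
    return problems


# Constructed sample input: the two date pairs Maha posted in this thread.
ACTIVE_CERT_OUTPUT = (
    "notBefore=Feb 29 05:49:39 2024 GMT\n"
    "notAfter=Aug 29 20:55:09 2024 GMT\n"
)
NEW_CERT_OUTPUT = (
    "notBefore=Feb 29 05:53:39 2024 GMT\n"
    "notAfter=Feb 29 05:59:09 2024 GMT\n"
)

if __name__ == "__main__":
    active = parse_openssl_output(ACTIVE_CERT_OUTPUT)
    new = parse_openssl_output(NEW_CERT_OUTPUT)
    # Evaluate as of the moment the new cert became valid (constructed "now").
    for problem in check_reload(active, new, now=new["notBefore"]):
        print("reload would be rejected:", problem)
```

To use it against real files, replace the constructed strings with `cert_dates_from_file("/path/to/active.pem")` and `cert_dates_from_file("/path/to/new.pem")`; if `check_reload` returns anything, issuing a shorter-lived certificate (as done here for expiry testing) will keep failing at `reloadcerts` regardless of which API path is used.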

Hi @Maha,

Is it correct that your new (“Available”) certificate is only valid for less than 6 minutes?

Best,
mj

Hi @Mantas,

Yes, it's correct. I have customised it to check certificate expiry for testing purposes.

Thanks/Maha

Have you tried uploading the certificates to your config, updating your config yml files and doing a full cluster reboot?

best,
mj

Hi @Mantas ,

A node restart will reload the new certificates. But the restart solution is not acceptable, since it affects other services and leads to traffic/data loss with each restart.

Thanks/Maha

Is there any update from OpenSearch regarding the issue?

The /_plugins/_security/api/ssl/transport/reloadcerts API is not functioning as expected in the scenarios mentioned above. Specifically, when the new refreshed certificate has a shorter expiry than the active certificate, the API throws an exception.

Is this restriction intentional, or are there plans to address this behavior?