Hi. I’m trying to use opensearch-benchmark with an existing cluster. What settings do I need to configure if I want to provide the benchmark with the necessary certificates to connect to this cluster? I’ve searched the docu forth and back, but could only find examples where certificates were not used.
I mean something like:
… —client-options=timeout:60,basic_auth_user:,basic_auth_password:,verify_certs:true,cacert:admin.crt.pem
TNXIA - Gunnar
@gunnar Do you use self-signed certificates? Is admin.crt.pem a CA certificate?
Have you tried ca_certs instead of cacerts? Also try using full path to the admin.crt.pem.
Hi Pablo, thanks for your help - you’re right: I managed to get it working with the following parameters: ca_certs, client_cert and client_key. My fault was, that I forgot to add the key file…
One more comment (another pitfall I fell into): Our original certificate chain was ancient, stemming back to an OpenDistro installation. We never changed the way those certs are generated: Hence the CA was a “Version 1” certificate, w/o X.509 extensions (Basic Constraints, Key Usage, …).
While Java accepts this without complaint (the OpenSearch cluster works), for Python clients that CA is technically invalid => opensearch-benchmark complains about an invalid CA certificate.
Many TNX - Gunnar