OpenSearch is not working after providing SSL certificates

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch → 2.16.0
Dashboard → 2.3.0

Describe the issue:
OpenSearch cluster is not working after switching from OpenSearch self-generated certificates to SSL certificates.

It was working perfectly fine using the default OpenSearch self-generated certificates, with the demo files and HTTP enabled for the transport nodes. The issue started once I created my own SSL certificates and removed the HTTP part from the transport nodes.

I’ve been following the documentation from (opensearch-k8s-operator/docs/userguide/main.md at main · opensearch-project/opensearch-k8s-operator · GitHub), I’ve created my own ssl certificates following the documentation.

I’ve created my own tls secrets using ssl certificates (one for admin and one for all the transport nodes), also my own admin-secret for a custom username and password and security config secret, including all the files but updating the admin hash with the new password.

One thing I noticed is that even though I provided the custom adminsecret, opensearch is creating a new one (but with the same values I provided).

The security pod is returning an error stating that “Waiting to connect to the cluster” as the screenshot below

I'm getting multiple errors from all nodes, such as the ones below:
{"type":"log","@timestamp":"2024-09-25T21:14:21Z","tags":["warning","savedobjects-service"],"pid":1,"message":"Unable to connect to OpenSearch. Error: Given the configuration, the ConnectionPool was not able to find a usable Connection for this request."}

{"type":"log","@timestamp":"2024-09-25T21:18:08Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: write EPROTO 139884884653952:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:…/deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"}

[2024-09-25T21:46:39,346][ERROR][o.o.s.a.BackendRegistry ] [opensearch-bootstrap-0] Not yet initialized (you may need to run securityadmin)

[2024-09-25T21:46:19,167][ERROR][o.o.s.l.BuiltinLogTypeLoader] [opensearch-bootstrap-0] Failed loading builtin log types from disk!

[2024-09-25T21:47:07,816][ERROR][o.o.s.t.SecurityRequestHandler] [opensearch-bootstrap-0] OpenSearchException[Transport client authentication no longer supported.]

[2024-09-25T21:46:20,958][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-bootstrap-0] Failure no such index [.opendistro_security] retrieving configuration for [ACTIONGROUPS, ALLOWLIST, AUDIT, CONFIG, INTERNALUSERS, NODESDN, ROLES, ROLESMAPPING, TENANTS, WHITELIST] (index=.opendistro_security)

Configuration:

  security:                # To have the Operator generate the certificates, you only need to set the generate and perNode fields to true (other fields can be omitted)
    config:                # Everything related to the securityconfig
      securityConfigSecret:
        name: securityconfigsecret.name               # Name of the secret that contains the securityconfig files
      adminSecret:
        name: adminsecret.name
      adminCredentialsSecret:
        name: admincredentialssecret.name
    tls:                     # Everything related to TLS configuration
      transport:             # Configuration of the transport endpoint
        generate: false      # Have the operator generate and sign certificates
        perNode: false       # Separate certificate per node
        secret:
          name: secret.name             # Name of the secret that contains the provided certificate
        caSecret:
          name: casecret.name            # Name of the secret that contains a CA the operator should use.
        nodesDn: [CN=admin]         # List of certificate DNs allowed to connect
        adminDn: [CN=opensearch]         # List of certificate DNs that should get admin access

Relevant Logs or Screenshots:

Hi @GTGabaaron ,

How did you install OpenSearch? Could you please share opensearch.yml ?

@GTGabaaron,

Is this issue the same as the one discussed in the following topic?

Hello @Eugene7, apologies for the late reply. No, it's not related. It is a side installation using self-generated certificates, but I'm still on the road to installing it using SSL certificates.

I've installed OpenSearch using the operator. Pablo has helped me to clarify something related to the TLS block in the security plugin.

Below is my opensearch.yaml file →
For the record, I'm using a single certificate for all transport nodes in order to simplify the process, since it's mentioned in the documentation that this is feasible.

---
apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: opensearch
  namespace: opensearch
spec:
  bootstrap: {}
  confMgmt:
    smartScaler: false
  general:
    version: "2.16.0"
    httpPort: 9200
    vendor: opensearch
    image: opensearchproject/opensearch:2.16.0
    serviceName: opensearch
    monitoring:
      enable: false
    drainDataNodes: true
    setVMMaxMapCount: true
  dashboards:
    enable: true
    version: "2.16.0"
    replicas: 1
    tls:
      enable: true
      generate: false
      secret:
        name: admin-cert
      caSecret:
        name: ca-cert
    opensearchCredentialsSecret:
      name: admin-pwd
    resources:
      requests:
         memory: "512Mi"
         cpu: "200m"
      limits:
         memory: "512Mi"
         cpu: "200m"
  nodePools:
    - component: managers
      pdb:
        enable: true
        minAvailable: 2
      replicas: 3
      diskSize: "30Gi"
      persistence:
        pvc:
          storageClass: managed
          accessModes:
            - ReadWriteOnce
      nodeSelector: {}
      resources:
        requests:
          memory: "2Gi"
          cpu: "200m"
        limits:
          memory: "2Gi"
          cpu: "500m"
      roles:
        - "cluster_manager"
    - component: nodes
      replicas: 3
      diskSize: "100Gi"
      persistence:
        pvc:
          storageClass: managed
          accessModes:
            - ReadWriteOnce
      nodeSelector: {}
      resources:
        requests:
          memory: "2Gi"
          cpu: "500m"
        limits:
          memory: "2Gi"
          cpu: "1000m"
      roles:
        - data
        - ingest
  security:
    config:                                             # Everything related to the securityconfig
      securityConfigSecret:
        name: securityconfig               # Name of the secret that contains the securityconfig files
      adminSecret:
        name: admin-cert
      adminCredentialsSecret:
        name: admin-pwd
    tls:                     # Everything related to TLS configuration
      transport:             # Configuration of the transport endpoint
        #enforce_hostname_verification: false
        generate: false      # Have the operator generate and sign certificates
        perNode: false       # Separate certificate per node
        secret:
          name: nodes-cert             # Name of the secret that contains the provided certificate
        caSecret:
          name: ca-cert             # Name of the secret that contains a CA the operator should use.
        nodesDn: [CN=admin-opensearch]         # List of certificate DNs allowed to connect
        adminDn: [CN=nodes-opensearch]         # List of certificate DNs that should get admin access

To check your certificates, could you please share the output of the following commands?
Please remove or change sensitive data.

openssl x509 -in <your-node-certificate-name> -text -noout
openssl x509 -in <your-root-ca-name> -text -noout

Have you added the configuration for the REST layer as per the documentation below?

2 Likes

Hi @Eugene7 you can find the outcome below.
Please note that the values for C, ST and O were auto-generated by openssl command, I only provided the OU and CN following the examples from the values in the OpenSearch self-generated certs.

NODES Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            67:c2:4d:fb:1b:a6:57:4a:ca:0f:77:4e:08:76:05:83:0e:ba:0b:2d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, OU = opensearch, CN = opensearch
        Validity
            Not Before: Sep 27 20:13:54 2024 GMT
            Not After : Sep 25 20:13:54 2034 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, OU = opensearch, CN = opensearch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:opensearch.opensearch.svc.cluster.local
            X509v3 Subject Key Identifier:
                69:14:9E:7C:5E:D3:DD:D9:2C:BA:B3:BE:C1:3E:8D:12:77:AD:61:95
            X509v3 Authority Key Identifier:
                D1:87:1E:D0:18:0A:F3:42:89:8F:C8:12:D0:BF:FE:BB:99:8C:19:39
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
ROOT CA Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4e:a2:a8:7b:34:19:4b:b0:32:80:98:c3:99:d0:55:c9:2b:a6:d3:c1
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, OU = opensearch, CN = opensearch
        Validity
            Not Before: Sep 27 19:57:08 2024 GMT
            Not After : Sep 25 19:57:08 2034 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, OU = opensearch, CN = opensearch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D1:87:1E:D0:18:0A:F3:42:89:8F:C8:12:D0:BF:FE:BB:99:8C:19:39
            X509v3 Authority Key Identifier:
                D1:87:1E:D0:18:0A:F3:42:89:8F:C8:12:D0:BF:FE:BB:99:8C:19:39
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

@GTGabaaron ,

Did you create CA certificate separately for both transport layer of nodes and http connection? (by the help of @pablo )

because a bootstrap.StartupException will happen from o.s.s.DefaultSecurityKeyStore.initTransportSSLConfig
if you set it like below:

# opensearchcluster kind (CRD)
  security:
    tls:
      transport:
        generate: true
        perNode: true
      # https://opensearch-project.github.io/opensearch-k8s-operator/docs/userguide/main.html#node-httprest-api
      http:
        generate: false
        secret:
          name: tls # a secret for ca.crt, tls.crt, tls.key
Likely root cause: OpenSearchException[plugins.security.ssl.transport.keystore_filepath or plugins.security.ssl.transport.server.pemcert_filepath and plugins.security.ssl.transport.client.pemcert_filepath must be set if transport ssl is requested.]

Hi @yeonghyeonKo no, I only created two certificates, one for the admin and another one for the transport nodes following this guide (Generating self-signed certificates - OpenSearch Documentation).

However, looking at your code snippet, it looks like I missed including the security.http.generate=false block because it is not mentioned in the documentation, as I mentioned to Pablo on another post about the OpenSearch self-generated certs.

Node Transport
OpenSearch cluster nodes communicate with each other using the OpenSearch transport protocol (port 9300 by default). This is not exposed externally, so in almost all cases, generated certificates should be adequate.

To configure node transport security you can use the following fields in the OpenSearchCluster custom resource:

# ...
spec:
  security:
    tls:  # Everything related to TLS configuration
      transport:  # Configuration of the transport endpoint
        generate: true  # Have the operator generate and sign certificates
        perNode: true  # Separate certificate per node
        secret:
          name:  # Name of the secret that contains the provided certificate
        caSecret:
          name:  # Name of the secret that contains a CA the operator should use
        nodesDn: []  # List of certificate DNs allowed to connect
        adminDn: []  # List of certificate DNs that should get admin access
# ...
To have the Operator generate the certificates, you only need to set the generate and perNode fields to true (all other fields can be omitted). The Operator will then generate a CA certificate and one certificate per node, and then use the CA to sign the node certificates. These certificates are valid for one year. Note that the Operator does not currently have certificate renewal implemented.

I’ll include this block into my values files for opensearch.yaml and test it.

I got a new message with more details, this one comes from the security pod stating that “I’m not using an admin certificate but a client one”. Is there any additional step that I need to do to register as an actual “admin” certificate?

image

@GTGabaaron This regards admin_dn in opensearch.yml. It must match the exact certificate DN. Please follow the suggestion returned by the script.

@pablo , I commented how we can overwrite opensearch.yml using ConfigMap in K8s container environment. Will it be helpful in @GTGabaaron 's case?

Hi @pablo , actually the values in the opensearch.yml are now matching the ones in the error message. I updated them after including the security.tls.http.generate=false block mentioned by @yeonghyeonKo.

@yeonghyeonKo question here, I used the same transport-nodes certificate for the security.tls.http block, is that the correct way or should I create a third separate one for it or use the same as the admin-cert ?

@GTGabaaron That is correct. You can use the same certificate for the HTTP and Transport layer.
You can’t use the admin certificate as a node certificate for two reasons.
First, it is an admin certificate and should never be exposed. This certificate can alter security configuration without a password.
Second, the admin certificate is only a client certificate.

For transport and http layer communication, you need a certificate with both server and client authentication.

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

For an admin certificate, you must use only a client certificate.

            X509v3 Extended Key Usage:
                 TLS Web Client Authentication

If your admin certificate has server and client authentication, the securityadmin.sh will fail to connect with the OpenSearch cluster.
If your node certificate has only client authentication, the transport and http layer communication will fail.
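An added check, not part of the thread or of the operator, that encodes the two rules above: it parses the `openssl x509 -text -noout` output exchanged in this thread, rewrites the subject into the CN-first RFC 2253 form the security plugin compares against (assumption: DN values contain no commas), and reports EKU or DN mismatches for a node certificate and an admin certificate. The sample dumps are abridged from the thread's ADMIN-CERT and NODES-CERT and contain no key material.

```python
import re
from dataclasses import dataclass

SERVER_AUTH = "TLS Web Server Authentication"
CLIENT_AUTH = "TLS Web Client Authentication"


@dataclass
class CertInfo:
    subject_rfc2253: str   # DN in the CN-first order the security plugin reports
    eku: frozenset         # extended key usage names as openssl prints them


def parse_openssl_text(text: str) -> CertInfo:
    """Parse the relevant fields of `openssl x509 -text -noout` output."""
    subject = re.search(r"^\s*Subject:\s*(.+?)\s*$", text, re.M).group(1)
    # openssl prints "C = US, ST = TX, ..., CN = admin"; the plugin matches the
    # RFC 2253 string "CN=admin,OU=...,C=US" (assumption: no commas in values).
    rdns = [rdn.strip().replace(" = ", "=") for rdn in subject.split(",")]
    rfc2253 = ",".join(reversed(rdns))
    eku = frozenset()
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n[ \t]*(.+?)\s*$", text, re.M)
    if m:
        eku = frozenset(e.strip() for e in m.group(1).split(","))
    return CertInfo(rfc2253, eku)


def check_node_cert(info: CertInfo, nodes_dn: list) -> list:
    """Node cert: both serverAuth and clientAuth, and its exact DN in nodesDn."""
    problems = []
    if not {SERVER_AUTH, CLIENT_AUTH} <= info.eku:
        problems.append("node cert needs both serverAuth and clientAuth EKU")
    if info.subject_rfc2253 not in nodes_dn:
        problems.append(f"nodesDn lacks exact DN {info.subject_rfc2253!r}")
    return problems


def check_admin_cert(info: CertInfo, admin_dn: list) -> list:
    """Admin cert: clientAuth only (no serverAuth), and its exact DN in adminDn."""
    problems = []
    if CLIENT_AUTH not in info.eku:
        problems.append("admin cert needs clientAuth EKU")
    if SERVER_AUTH in info.eku:
        problems.append("admin cert must not carry serverAuth (securityadmin.sh would fail)")
    if info.subject_rfc2253 not in admin_dn:
        problems.append(f"adminDn lacks exact DN {info.subject_rfc2253!r}")
    return problems


# Constructed inputs, abridged from the dumps in the thread (no key material).
ADMIN_TEXT = """Certificate:
    Data:
        Subject: C = US, ST = TX, O = opensearch, OU = opensearch, CN = admin
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""
NODES_TEXT = """Certificate:
    Data:
        Subject: C = US, ST = TX, O = opensearch, OU = opensearch, CN = opensearch
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

if __name__ == "__main__":
    admin, nodes = parse_openssl_text(ADMIN_TEXT), parse_openssl_text(NODES_TEXT)
    # A bare CN such as "CN=admin" is not the exact DN and is reported as a mismatch.
    print(check_admin_cert(admin, ["CN=admin"]))
    print(check_admin_cert(admin, [admin.subject_rfc2253]))
    print(check_node_cert(nodes, ["CN=opensearch,OU=opensearch,O=opensearch,ST=TX,C=US"]))
```

Feed it the real dumps from `openssl x509 -in <cert> -text -noout` and paste the printed RFC 2253 DN into nodesDn/adminDn; a bare CN as used earlier in this thread is reported as a mismatch.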

Hi @pablo, thanks for the tip. I'll have a look at this in order to recreate the certs with the corresponding TLS values and test it.

1 Like

Hi @pablo I've updated both certificates with the corresponding extended key usage, but I'm still getting the same error in the security pod even though the values in the opensearch.yaml for nodesDn and adminDn match the ones in the certs.

image

This is the new content of the certs, which now includes the TLS extendedKeyUsage.

ADMIN-CERT

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:03:80:0f:4d:12:26:55:c7:36:21:5e:4a:68:b5:62:56:2f:77:fe
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = opensearch, O = opensearch, OU = opensearch, CN = opensearch
        Validity
            Not Before: Oct 15 18:44:24 2024 GMT
            Not After : Oct 13 18:44:24 2034 GMT
        Subject: C = US, ST = TX, O = opensearch, OU = opensearch, CN = admin
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9d:fe:ab:14:c1:f9:6c:1b:56:9b:d7:4d:29:77:
                    c8:48:78:20:c2:77:b3:b5:3f:24:c2:6f:28:0b:16:
                    3e:45:f5:1b:a2:21:25:a9:e0:4f:de:46:8e:53:3f:
                    f2:6c:64:b4:dd:ee:da:51:62:95:15:34:0f:6c:16:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                59:49:CF:7E:1C:3C:E6:C1:3C:5B:CE:E2:99:A9:47:24:89:68:53:3B
            X509v3 Authority Key Identifier:
                20:59:72:DE:DC:90:17:34:44:6B:8F:EE:5E:73:41:F6:47:EF:92:EA

NODES-CERT

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:16:43:a6:21:26:ba:cc:06:ec:56:fb:a9:72:57:4b:33:3f:95:9d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = opensearch, O = opensearch, OU = opensearch, CN = opensearch
        Validity
            Not Before: Oct 15 18:49:20 2024 GMT
            Not After : Oct 13 18:49:20 2034 GMT
        Subject: C = US, ST = TX, O = opensearch, OU = opensearch, CN = opensearch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ab:e4:b7:5e:7e:6b:fa:f8:0c:d0:55:be:dc:e0:
                    a0:25:20:37:cb:bb:f8:23:ad:25:15:5a:86:ff:f4:
                    b2:88:5a:35:79:67:3b:1d:d5:e2:39:cb:a1:6a:56:
                    cb:88:e7:e3:f0:86:22:2f:30:5a:44:a7:6c:f2:55:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                6A:5C:2E:23:10:64:C2:DE:95:AB:DF:5A:67:3C:82:DF:9C:A1:0F:8A
            X509v3 Authority Key Identifier:
                20:59:72:DE:DC:90:17:34:44:6B:8F:EE:5E:73:41:F6:47:EF:92:EA

@GTGabaaron, do you have the same entry in the opensearch.yml for the running pods?

Hi @pablo , yes the same entry is located in the opensearch.yaml for the pods.

@GTGabaaron Did you recreate the OpenSearch pods? The opensearch.yml content is picked only during the OpenSearch service startup. If you changed the opensearch.yml in the configmap it won’t update the pods unless they’ll be recreated.

Hi @pablo , yes every time I’ve made any changes to the opensearch.yml I destroy and create the whole opensearch cluster again.