Opensearch security plugin with certificate chain

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.5.0

Describe the issue:
I would like to configure the security plugin with a certificate chain, so that the CA certificate is composed of intermediate CA + root CA. If I put the entire chain (node certificate + intermediate CA + root CA) as value of
plugins.security.ssl.transport.pemcert_filepath
and
plugins.security.ssl.http.pemcert_filepath
the service starts, but the securityadmin.sh returns this message:

Security Admin v7
Will connect to HOSTNAME:9200 … done
ERR: An unexpected SSLHandshakeException occured: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
See Java high-level REST client - OpenSearch documentation for troubleshooting.
Trace:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
See Java high-level REST client - OpenSearch documentation for troubleshooting.
at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:947)
at org.opensearch.client.RestClient.performRequest(RestClient.java:332)
at org.opensearch.client.RestClient.performRequest(RestClient.java:320)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:462)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:159)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Do you have any idea how to solve this issue?
Thanks.

Configuration:

plugins.security.disabled: false
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/puppetcerts/chain.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/puppetcerts/node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/puppetcerts/ca.pem
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/puppetcerts/chain.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/puppetcerts/node-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/puppetcerts/ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - /C=de/L=test/O=client/OU=client/CN=kirk

Relevant Logs or Screenshots:

@enricof plugins.security.ssl.http.pemcert_filepath should contain only intermediate CA + root CA.
Please be aware that the admin certificate should be signed by the same Intermediate/RootCA as the node cert. If they’re different then you need to add the admin’s RootCA to that chain.pem file too.

-----BEGIN CERTIFICATE-----
< intermediate CA cert> 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE-----
<Root CA cert > 
-----END CERTIFICATE-----

Hi Pablo
thanks for the fast response.
Do you mean I should remove the node certificate from the chain.pem file and put this chain.pem as value for plugins.security.ssl.http.pemcert_filepath and also for plugins.security.ssl.transport.pemcert_filepath?
And what about plugins.security.ssl.transport.pemtrustedcas_filepath and plugins.security.ssl.http.pemtrustedcas_filepath? Should they contain only the root CA?

@enricof Just noticed, I should write plugins.security.ssl.http.pemtrustedcas_filepath.

In short:

  • plugins.security.ssl.http.pemtrustedcas_filepath - Intermediate/RootCA
  • plugins.security.ssl.transport.pemtrustedcas_filepath - Intermediate/RootCA
  • plugins.security.ssl.http.pemcert_filepath - only node certificate
  • plugins.security.ssl.transport.pemcert_filepath - only node certificate

Hi Pablo,
it works with an admin cert signed by the same Intermediate/RootCA as the node cert.
It does not work if the admin cert is signed by a different CA, even if I add the admin cert CA to the .pem file as value of *.pemtrustedcas_filepath as you suggested, such as:

-----BEGIN CERTIFICATE-----
< node intermediate CA cert> 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE-----
< node Root CA cert > 
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< admin Root CA cert> 
-----END CERTIFICATE-----

I tried also the reverse order with no success.
Do you have any idea?
Thanks for your help.

@enricof Does your admin certificate chain have intermediate and RootCA certificates?

Hi,
I’ve tried with the default kirk admin certificate. CA certificate is simple.
Enrico

@enricof Did you try with just rootCAs in pemtrustedcas and intermediate with node cert in both plugins.security.ssl.transport.pemcert_filepath and plugins.security.ssl.http.pemcert_filepath?

pemtrustedcas

-----BEGIN CERTIFICATE-----
< node Root CA cert > 
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< admin Root CA cert> 
-----END CERTIFICATE-----

pemcert

-----BEGIN CERTIFICATE-----
< node cert > 
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< node intermediate CA cert > 
-----END CERTIFICATE-----

Hi Pablo,
I’ve tried but I have the same error:

ERR: An unexpected SSLHandshakeException occured: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Enrico

Hello, have you ever managed to solve the problem @enricof?
Because I happened to encounter the exact same problem and with the same configuration :sweat_smile:

I too encountered this problem. I have one CA for the REST / transport layer certificates (trusted by browsers) and another self-signed CA for the admin certificate.

Pablo’s comment helped guide me in the right direction: https://forum.opensearch.org/t/opensearch-security-plugin-with-certificate-chain/13066/8

I configured pemtrustedcas as a concatenation of my two root CA certificates.

I configured pemcert as the node cert concatenated with all intermediate certificates except the root CA certificate.

I used the same pemtrustedcas and pemcert file for the REST and transport layer.

What worked for me was to run the securityadmin.sh script with a -cacert file argument using the same file as pemtrustedcas (a concatenation of the two different root CA certificates).

I hope this helps someone struggle less than I did :smiley:
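The following script is an added example for this thread; it is not code from OpenSearch or from any of the posters. It builds a small two-CA lab PKI with the openssl CLI (a root + intermediate chain for the node certificate, and a separate self-signed CA for the admin certificate, the situation described in the last two posts), assembles pemcert.pem and pemtrustedcas.pem the way Pablo's summary and the final post lay them out, and then uses `openssl verify` to check each trust relationship that the plugin and securityadmin.sh rely on. Hostnames, subjects, file names and the scratch directory are all constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from OpenSearch or from any poster.
# Builds a two-CA lab PKI with openssl, assembles the PEM bundles the way the
# thread's last posts describe, and checks each trust relationship the way the
# security plugin and securityadmin.sh must. All names and paths are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch directory (assumption)
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extensions: CA certs (root and intermediate), node cert, admin client cert
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:node1.example.test\n' > node.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > admin.ext

# Key (PKCS#8, the format *.pemkey_filepath expects) and CSR: $1 = file prefix, $2 = CN
gen_csr() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1-key.pem" 2>>gen.log
  openssl req -new -config req.cnf -key "$1-key.pem" -subj "/O=lab/CN=$2" -out "$1.csr" 2>>gen.log
}

# Self-signed root CA: $1 = prefix, $2 = CN
gen_root() {
  gen_csr "$1" "$2"
  openssl x509 -req -in "$1.csr" -signkey "$1-key.pem" -days 3650 -extfile ca.ext -out "$1.pem" 2>>gen.log
}

# Certificate issued by an existing CA: $1 = prefix, $2 = CN, $3 = issuer prefix, $4 = extension file
gen_signed() {
  gen_csr "$1" "$2"
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3-key.pem" -CAcreateserial \
    -days 825 -extfile "$4" -out "$1.pem" 2>>gen.log
}

build_pki() {
  gen_root   node-root  "Node Root CA"
  gen_signed node-int   "Node Intermediate CA" node-root ca.ext
  gen_signed node       "node1.example.test"   node-int  node.ext
  gen_root   admin-root "Admin Root CA"                      # unrelated CA, as in the thread
  gen_signed admin      "kirk"                 admin-root admin.ext

  # *.pemcert_filepath: node certificate first, then intermediates, no root
  cat node.pem node-int.pem > pemcert.pem
  # *.pemtrustedcas_filepath and securityadmin.sh -cacert: every root that must be trusted
  cat node-root.pem admin-root.pem > pemtrustedcas.pem
}

# Print "ok" if a path from certificate $2 to a root in bundle $1 can be built, else "FAIL".
# Optional $3 supplies untrusted intermediates (here: the pemcert bundle itself).
# -no-CApath keeps the system trust store out, so only the bundle counts, as in the plugin.
verify_path() {
  if [ $# -ge 3 ]; then
    openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo ok || echo FAIL
  else
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo FAIL
  fi
}

# CN of the first certificate in a PEM bundle (the node certificate must come first)
first_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

build_pki
echo "node cert, roots + intermediate from pemcert:      $(verify_path pemtrustedcas.pem node.pem pemcert.pem)"
echo "admin cert against pemtrustedcas:                  $(verify_path pemtrustedcas.pem admin.pem)"
echo "admin cert against node root only (thread error):  $(verify_path node-root.pem admin.pem)"
echo "node cert without intermediate (thread error):     $(verify_path pemtrustedcas.pem node.pem)"
echo "first cert in pemcert.pem: CN=$(first_cn pemcert.pem)"
echo "admin_dn entry: $(openssl x509 -in admin.pem -noout -subject -nameopt RFC2253 | sed 's/^subject=//')"
```

The two `FAIL` lines reproduce, at the openssl level, the two situations the thread ran into: a node certificate whose intermediate is not shipped alongside it in pemcert, and an admin certificate whose root is absent from the trust bundle. The first `ok` line is the client-side counterpart of what securityadmin.sh needs from its `-cacert` argument (the tool must be able to build a path from the node certificate to a trusted root), which is why the last post passes it the same two-root bundle used for pemtrustedcas. The keys written by `openssl genpkey` are PKCS#8, the format the plugin expects for `*.pemkey_filepath`; the subject printed on the last line is the DN form to put under `plugins.security.authcz.admin_dn`.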