Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.15.0
Describe the issue:
We are operating OpenSearch deployed on Kubernetes through a Helm chart.
After adding an OIDC configuration to this running OpenSearch instance,
I attempted a helm upgrade, but only the existing Basic Auth configuration remains.
Even after uninstalling and reinstalling via Helm, the result was the same.
Upon further investigation, I found that when modifying the security config of an already running OpenSearch instance, the securityadmin.sh script must be executed.
So, I ran the following command in the container of the OpenSearch master node, but encountered the error below.
securityadmin.sh \
  -f config.yml -icl -nhnv \
  -cacert /usr/share/opensearch/config/certificates/admin/ca.crt \
  -cert /usr/share/opensearch/config/certificates/admin/tls.crt \
  -key /usr/share/opensearch/config/certificates/admin/tls.key
error…
Security Admin v7
Will connect to localhost:9200 ... done
ERR: An unexpected SSLHandshakeException occured: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
See https://opensearch.org/docs/latest/clients/java-rest-high-level/ for troubleshooting.
Trace:
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
See https://opensearch.org/docs/latest/clients/java-rest-high-level/ for troubleshooting.
at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:948)
at org.opensearch.client.RestClient.performRequest(RestClient.java:333)
at org.opensearch.client.RestClient.performRequest(RestClient.java:321)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:572)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:162)
When running the following curl command in the container, I encountered the error below.
curl -k --cert ./tls.crt --key ./tls.key --cacert ./ca.crt -XGET 'https://localhost:9200/.opendistro_security/_search'
error…
curl: (56) OpenSSL SSL_read: OpenSSL/3.0.8: error:0A000416:SSL routines::sslv3 alert certificate unknown, errno 0
For a newly deployed OpenSearch instance with the same configuration (not the existing running OpenSearch), both the securityadmin.sh script and the above curl command work correctly.
Configuration:
The admin certificate was generated through cert-manager, and the admin_dn was configured with CN=admin only, as shown below.
authcz:
  admin_dn:
    - CN=admin
The certificate information from a cert decoder is as follows:
Common Name: admin
Subject Alternative Names:
Organization:
Organization Unit:
Locality:
State:
Country:
Valid From: October 20, 2024
Valid To: January 18, 2025
Deleting the PVC and reinstalling would likely resolve the issue, but my goal is to retain the current data while only adding the OIDC configuration.
Any help would be appreciated.
Thanks!
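The two failures above are both certificate-trust failures: securityadmin.sh reports that a certificate does not chain to the trust anchors in the CA file it was given, and the server answers the curl with a "certificate unknown" alert. A quick local check before running securityadmin.sh is to confirm, with openssl, that the admin certificate actually verifies against the CA file being passed as -cacert and that its subject, in RFC 2253 form, is exactly what authcz.admin_dn lists. The script below is an added example, not part of the issue or of the OpenSearch project; it builds its own throwaway CA, an unrelated second CA and an "admin" leaf under a temporary directory so it runs offline. Substitute the real ca.crt and tls.crt paths from the pod when using it for a cluster.

```shell
#!/bin/sh
# Added example: check that a client certificate chains to a CA bundle and
# print its subject DN in the RFC 2253 form that OpenSearch matches against
# admin_dn. All certificates below are constructed locally for the demo.
set -eu

WORK="$(mktemp -d)"

# Constructed sample material (not the reporter's certificates):
# a self-signed CA and an admin leaf it signs, plus an unrelated CA.
make_ca() {  # $1 = output prefix, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$2" -days 1 >/dev/null 2>&1
}

make_leaf() {  # $1 = output prefix, $2 = CN, $3 = signing CA prefix
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
    -CAcreateserial -out "$1.crt" -days 1 >/dev/null 2>&1
}

# chain_ok CA_FILE CERT_FILE -> prints "ok" when CERT_FILE verifies against
# CA_FILE, "no-chain" otherwise (the condition behind a PKIX "does not chain"
# error when the roles are reversed, or a "certificate unknown" alert when
# the server does not trust the client's CA).
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo no-chain
  fi
}

# subject_dn CERT_FILE -> subject DN in RFC 2253 form, e.g. "CN=admin"
subject_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# is_admin CERT_FILE ADMIN_DN -> "admin" when the subject equals the
# configured admin_dn entry exactly, "not-admin" otherwise
is_admin() {
  [ "$(subject_dn "$1")" = "$2" ] && echo admin || echo not-admin
}

make_ca "$WORK/ca" cluster-ca
make_ca "$WORK/other-ca" other-ca
make_leaf "$WORK/admin" admin "$WORK/ca"

# Same CA that signed the leaf: verifies. A different CA: does not.
chain_ok "$WORK/ca.crt" "$WORK/admin.crt"
chain_ok "$WORK/other-ca.crt" "$WORK/admin.crt"
subject_dn "$WORK/admin.crt"
is_admin "$WORK/admin.crt" "CN=admin"
```

On a real pod, point chain_ok at the CA file given to -cacert and at the node's own certificate as well as the admin certificate: securityadmin.sh verifies the server's certificate against -cacert, while the server verifies the admin certificate against its own configured trust store, so both directions have to chain. The exact-string comparison in is_admin mirrors the fact that admin_dn entries must match the certificate subject as a whole, which is why the decoder output above (CN=admin with every other field empty) is the right thing to compare against.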