@michael.anderton Your docker-compose.yml certificate mappings are as follows:
volumes:
  - opensearch-data2:/usr/share/opensearch/data
  - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
  - ./cert.pem:/usr/share/opensearch/config/cert.pem
  - ./key.pem:/usr/share/opensearch/config/key.pem
  - ./root.pem:/usr/share/opensearch/config/root.pem
However, your opensearch.yml file expects the following.
plugins.security.ssl.transport.pemcert_filepath: opensearch-cert.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root.pem
plugins.security.ssl.transport.pemkey_filepath: opensearch-key.pk8
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: opensearch-cert.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root.pem
plugins.security.ssl.http.pemkey_filepath: opensearch-key.pk8
As a result, your OpenSearch node fails to use your custom certificates.
All security plugin config files are either in /usr/share/opensearch/plugins/opensearch-security/securityconfig (up to version 1.3) or /usr/share/opensearch/config/opensearch-security (from version 2.x).
Since you’ve not defined config.yml in the mappings, OpenSearch will use the default config.yml with basic auth enabled.
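The mismatch described in the reply above can be checked mechanically before starting the container. This is an added example, not part of the original reply or of OpenSearch itself: the function names are hypothetical, the two inputs are the snippets from the post embedded as sample data, and it assumes relative `*_filepath` values resolve against /usr/share/opensearch/config.

```python
import posixpath
import re

# Assumption: relative pem*_filepath values are resolved against the config directory.
CONFIG_DIR = "/usr/share/opensearch/config"

# Sample input constructed from the two snippets quoted in the post.
COMPOSE_VOLUMES = """\
- opensearch-data2:/usr/share/opensearch/data
- ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
- ./cert.pem:/usr/share/opensearch/config/cert.pem
- ./key.pem:/usr/share/opensearch/config/key.pem
- ./root.pem:/usr/share/opensearch/config/root.pem
"""
OPENSEARCH_YML = """\
plugins.security.ssl.transport.pemcert_filepath: opensearch-cert.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root.pem
plugins.security.ssl.transport.pemkey_filepath: opensearch-key.pk8
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: opensearch-cert.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root.pem
plugins.security.ssl.http.pemkey_filepath: opensearch-key.pk8
"""

def mounted_targets(volumes_text):
    """Container-side paths of every 'source:target[:mode]' volume entry."""
    targets = set()
    for line in volumes_text.splitlines():
        parts = line.strip().lstrip("- ").split(":")
        if len(parts) >= 2:
            targets.add(posixpath.normpath(parts[1]))
    return targets

def referenced_pem_files(yml_text):
    """Map each plugins.security.ssl.*_filepath key to its absolute container path."""
    pattern = r"^\s*(plugins\.security\.ssl\.\S*_filepath)\s*:\s*(\S+)"
    return {
        key: posixpath.normpath(posixpath.join(CONFIG_DIR, value.strip("'\"")))
        for key, value in re.findall(pattern, yml_text, re.M)
    }

def missing_mounts(volumes_text, yml_text):
    """Settings whose certificate or key file has no matching file-level mount."""
    mounted = mounted_targets(volumes_text)
    refs = referenced_pem_files(yml_text)
    return {key: path for key, path in refs.items() if path not in mounted}

if __name__ == "__main__":
    for key, path in sorted(missing_mounts(COMPOSE_VOLUMES, OPENSEARCH_YML).items()):
        print(f"{key}: {path} is not mounted into the container")
```

The check only compares file-level mount targets, so a file baked into the image or provided through a mounted directory would still be reported as missing.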