Greetings to you all,
I have the honor of setting up OpenSearch in the Kubernetes cluster at our company. I use the normal opensearch helm chart for this. For the certificates I have built a self-signed CA using cert-manager. I used this to generate a self-signed certificate for the nodes and an admin certificate.
I had the certificates for plugins.security.ssl.http signed using cert-manager and Let’s Encrypt. The communication of opensearch-dashboards with the OpenSearch cluster works without any problems.
Now I would like to start the securityadmin.sh script with my admin certificate.
Unfortunately, I always get the following error message:
```
ERR: An unexpected SSLHandshakeException occured: Received fatal alert: certificate_unknown
```
I call the script with the following command:
```bash
/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
  -cd /usr/share/opensearch/config/opensearch-security \
  -icl \
  -nhnv \
  -dg \
  -cacert /usr/share/opensearch/config/admin-certs/ca.crt \
  -cert /usr/share/opensearch/config/admin-certs/tls.crt \
  -key /usr/share/opensearch/config/admin-certs/tls.key
```
and my opensearch.yaml config looks like this:
```yaml
opensearch.yml: |
  cluster.name: opensearch-cluster
  # Bind to all interfaces because we don't know what IP address Docker will assign to us.
  network.host: 0.0.0.0
  plugins.security.ssl_cert_reload_enabled: true
  plugins:
    security:
      nodes_dn:
        - 'CN=cert.opensearch.mydomain.com'
        - 'CN=opensearch,OU=opensearch,O=mycompany,C=com'
      ssl:
        transport:
          pemcert_filepath: certs/tls.crt
          pemkey_filepath: certs/tls.key
          pemtrustedcas_filepath: certs/ca.crt
          enforce_hostname_verification: false
        http:
          enabled: true
          pemcert_filepath: http-certs/tls.crt
          pemkey_filepath: http-certs/tls.key
          pemtrustedcas_filepath: http-certs/tls.crt
      allow_unsafe_democertificates: false
      allow_default_init_securityindex: true
      authcz:
        admin_dn:
          - "CN=opensearch-admin,OU=opensearch,O=mycompany,C=com"
      audit.type: internal_opensearch
      enable_snapshot_restore_privilege: true
      check_snapshot_restore_write_privileges: true
      restapi:
        roles_enabled: ["all_access", "security_rest_api_access"]
      system_indices:
        enabled: true
        indices:
          [
            ".opendistro-alerting-config",
            ".opendistro-alerting-alert*",
            ".opendistro-anomaly-results*",
            ".opendistro-anomaly-detector*",
            ".opendistro-anomaly-checkpoints",
            ".opendistro-anomaly-detection-state",
            ".opendistro-reports-*",
            ".opendistro-notifications-*",
            ".opendistro-notebooks",
            ".opendistro-asynchronous-search-response*",
          ]
```
So before I started using certificates signed by Let’s Encrypt for the http interface, I was also using a self-signed certificate for the http interface, signed by the same CA.
So the transport, admin and http certificates were all signed by my self-signed CA, and everything was working.
But now I’m getting the above error. Is this because the http CA and the admin CA are different ones? If so, how can I fix this? If I understand the docs correctly, the admin and the node-transport certs need to be from the same CA. But how can I then call securityadmin.sh?
Which certificates should I use when executing the script? Currently, all values come from the self-signed certificate that I generated using cert-manager.
Thank you very much and I look forward to any answer that might help to solve the problem. Unfortunately, I am slowly running out of ideas.
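A `certificate_unknown` alert during the handshake is what a Java TLS server returns when it cannot build a trust chain for the client certificate it was presented. As an added example (not part of the original post), the script below recreates the setup described above with throw-away certificates (two unrelated CAs, an admin cert issued by one, an HTTP cert issued by the other; all names constructed) and runs the same verification the HTTP layer performs, once against the HTTP leaf as trust store and once against a bundle of both CAs, so the effect of `plugins.security.ssl.http.pemtrustedcas_filepath` can be checked offline before running securityadmin.sh.

```shell
#!/bin/sh
# Added example, not from the original post: check whether an admin (client) certificate
# chains to the bundle an OpenSearch node uses as its HTTP trust store.
# The server accepts a client cert only if it verifies against a CA in
# plugins.security.ssl.http.pemtrustedcas_filepath; otherwise the JVM sends certificate_unknown.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mk_ca NAME CN : self-signed CA (stands in for the cert-manager CA or the public CA)
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# mk_leaf NAME CA SUBJECT : leaf certificate signed by CA (constructed subjects)
mk_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -out "$WORK/$1.crt" >/dev/null 2>&1
}

# admin_cert_trusted ADMIN_CRT TRUSTSTORE : exit 0 iff the HTTP layer would accept ADMIN_CRT
admin_cert_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Two distinct CAs, as in the post: the cluster's own CA and the CA that issued the HTTP cert.
mk_ca cluster-ca "Cluster CA (constructed)"
mk_ca public-ca  "Public CA (constructed)"
mk_leaf admin cluster-ca "/CN=opensearch-admin/OU=opensearch/O=mycompany"
mk_leaf http  public-ca  "/CN=cert.opensearch.mydomain.com"

# Candidate trust stores for plugins.security.ssl.http.pemtrustedcas_filepath
HTTP_LEAF_ONLY="$WORK/http.crt"                       # the HTTP leaf itself, as in the posted config
BOTH_CAS="$WORK/both-cas.crt"
cat "$WORK/public-ca.crt" "$WORK/cluster-ca.crt" > "$BOTH_CAS"   # HTTP CA plus the admin's CA

report() {
    if admin_cert_trusted "$WORK/admin.crt" "$1"; then
        echo "$2: admin cert accepted"
    else
        echo "$2: admin cert rejected (server would send certificate_unknown)"
    fi
}
report "$HTTP_LEAF_ONLY" "truststore = HTTP leaf only"
report "$BOTH_CAS"       "truststore = HTTP CA + cluster CA"
```

Point `admin_cert_trusted` at a real admin certificate and the node's configured trust store file to run the same check against a live deployment.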