Unable to start OpenSearch with PKCS#1 private key

karelkryda · August 3, 2023, 1:59pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch: 2.9.0
OS: Debian 12

Describe the issue:
I installed OpenSearch version 2.9.0 on a Debian 12 server and wanted to set it up for production use. I have set up SSL for both transport and http, but I get a private key error on startup. Error message is java.security.InvalidKeyException: IOException : algid parse error, not a sequence. I read in the documentation that PKCS#8 SSL key format is required, but I found several issues and merged PRs for adding support for PKCS#1. I see on GitHub that even PKCS#1 is being tested together with PKCS#8 and the tests are running without any problems. I tried setting my configuration in /etc/opensearch/opensearch.yml exactly according to that test for PKCS#1 and I still get the same error.
Because of the accesses to the certificates themselves in the /etc/ssl folder, I had to edit the /etc/opensearch/opensearch-performance-analyzer/opensearch_security.policy file, where I added permissions to read the certificates and private key. When I added permission java.security.AllPermission; to the same file in the grant block, it looks like OpenSearch almost starts, but returns an error:

ERROR: [1] bootstrap checks failed
[1]: granting the all permission effectively disables security

It’s clear to me that using permission java.security.AllPermission; is not an option in any case, but it looks like this will enable the internal conversion from my PKCS#1 to the required PKCS#8.

Is there any permission that I need to write to this file to allow internal conversion between PKCS#1 and PKCS#8? I am not familiar with this at all and any help would be appreciated.

Thank you in advance for your help

Configuration:
/etc/opensearch/opensearch.yml:

...
### Transport SSL
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemcert_filepath: /etc/ssl/certs/cert.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/ssl/private/cert.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/ssl/certs/rootca.pem
plugins.security.ssl.transport.enforce_hostname_verification: true

### HTTP SSL
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/ssl/certs/cert.pem
plugins.security.ssl.http.pemkey_filepath: /etc/ssl/private/cert.key
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/ssl/certs/rootca.pem
plugins.security.ssl.http.clientauth_mode: REQUIRE

### DEMO
#plugins.security.authcz.admin_dn:
#  - CN=kirk,OU=client,O=client,L=test, C=de

### Other
plugins.security.audit.type: internal_opensearch
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task">node.max_local_storage_nodes: 3

/etc/opensearch/opensearch-performance-analyzer/opensearch_security.policy:

grant {
    permission java.lang.management.ManagementPermission "control";
    permission java.net.SocketPermission "localhost:9600","connect,resolve";
    permission java.lang.RuntimePermission "getClassLoader";

    //permission java.security.AllPermission;    // solves conversion???

    permission java.io.FilePermission "/etc/ssl/certs/rootca.pem","read";
    permission java.io.FilePermission "/etc/ssl/certs/cert.pem","read";
    permission java.io.FilePermission "/etc/ssl/private/cert.key","read";
};

grant codebase "file:${java.home}/../lib/tools.jar" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.attach" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.internal.jvmstat" {
    permission java.security.AllPermission;
};

Relevant Logs or Screenshots:
Log from /var/log/opensearch/opensearch.log: OpenSearch log - Pastebin.com

pablo · August 4, 2023, 10:46am

@karelkryda What permissions and owner:group did you set for the SSL files and its parent folders?

karelkryda · August 4, 2023, 11:31am

@pablo based on Debian structure for /etc/ssl, permissions are as follows:

/etc/ssl: drwxr-xr-x (root:root)
/etc/ssl/certs: drwxr-xr-x (root:root)
/etc/ssl/private: drwx--x--- (root:ssl-cert)

/etc/ssl/certs/rootca.pem: -rw-r--r-- (root:root)
/etc/ssl/certs/cert.pem: -rw-r--r-- (root:root)
/etc/ssl/private/cert.key: -rw-r----- (root:ssl-cert)

Ofc, I added opensearch user into the ssl-cert group.

pablo · August 11, 2023, 1:45pm

@karelkryda OpenSearch service is running as a non-root user - opensearch.
According to your comment, opensearch user is part of ssl-cert group, but that group has been only assigned to /etc/ssl/private folder and cert.key file.

OpenSearch service access all of the listed files.

Also, did you use any password with your cert.key file?

karelkryda · August 11, 2023, 5:37pm

@pablo As you can see from the attached information, the other folders and files can be read by everyone (except the private key folder). The private key is not encrypted in any way, it is an unencrypted private key. When I converted the private key using openssl to PKCS#8 format and put it in the same location (i.e. /etc/ssl/private), OpenSearch started fine. However, according to the available information, it should also start without any problems with the provided private key in PKCS#1 format.