Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch: 2.9.0
OS: Debian 12
Describe the issue:
I installed OpenSearch version 2.9.0 on a Debian 12 server and wanted to set it up for production use. I have set up SSL for both transport and http, but I get a private key error on startup. The error message is java.security.InvalidKeyException: IOException : algid parse error, not a sequence. I read in the documentation that PKCS#8 SSL key format is required, but I found several issues and merged PRs for adding support for PKCS#1. I see on GitHub that even PKCS#1 is being tested together with PKCS#8 and the tests are running without any problems. I tried setting my configuration in /etc/opensearch/opensearch.yml exactly according to that test for PKCS#1 and I still get the same error.
Because of the access to the certificates themselves in the /etc/ssl folder, I had to edit the /etc/opensearch/opensearch-performance-analyzer/opensearch_security.policy file, where I added permissions to read the certificates and private key. When I added permission java.security.AllPermission; to the same file in the grant block, it looks like OpenSearch almost starts, but returns an error:
ERROR: [1] bootstrap checks failed
[1]: granting the all permission effectively disables security
It's clear to me that using permission java.security.AllPermission; is not an option in any case, but it looks like this will enable the internal conversion from my PKCS#1 to the required PKCS#8.
Is there any permission that I need to write to this file to allow internal conversion between PKCS#1 and PKCS#8? I am not familiar with this at all and any help would be appreciated.
Thank you in advance for your help.
Configuration:
/etc/opensearch/opensearch.yml:
...
### Transport SSL
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemcert_filepath: /etc/ssl/certs/cert.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/ssl/private/cert.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/ssl/certs/rootca.pem
plugins.security.ssl.transport.enforce_hostname_verification: true
### HTTP SSL
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/ssl/certs/cert.pem
plugins.security.ssl.http.pemkey_filepath: /etc/ssl/private/cert.key
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/ssl/certs/rootca.pem
plugins.security.ssl.http.clientauth_mode: REQUIRE
### DEMO
#plugins.security.authcz.admin_dn:
# - CN=kirk,OU=client,O=client,L=test, C=de
### Other
plugins.security.audit.type: internal_opensearch
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task"]
node.max_local_storage_nodes: 3
/etc/opensearch/opensearch-performance-analyzer/opensearch_security.policy:
grant {
permission java.lang.management.ManagementPermission "control";
permission java.net.SocketPermission "localhost:9600","connect,resolve";
permission java.lang.RuntimePermission "getClassLoader";
//permission java.security.AllPermission; // solves conversion???
permission java.io.FilePermission "/etc/ssl/certs/rootca.pem","read";
permission java.io.FilePermission "/etc/ssl/certs/cert.pem","read";
permission java.io.FilePermission "/etc/ssl/private/cert.key","read";
};
grant codebase "file:${java.home}/../lib/tools.jar" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.attach" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.internal.jvmstat" {
permission java.security.AllPermission;
};
Relevant Logs or Screenshots:
Log from /var/log/opensearch/opensearch.log: OpenSearch log - Pastebin.com