Describe the issue:
Updated new 1-yr certs on dashboards with Azure AD integration, but the certs are not being updated on restart of opensearch and opensearch-dashboards (both).
These have new crt, key and root files updated, but the new changes are not reflected in the browser dashboards.
Are the certs saved in the security index?
securityadmin.sh may not be needed?
Tried to run it on the config folder inside the container as well:
./securityadmin.sh -cd …/…/…/config/ -icl -nhnv -cacert …/…/…/config/root-ca.pem -cert …/…/…/config/kirk.pem -key …/…/…/config/kirk-key.pem
Security Admin v7
Will connect to localhost:9200 … done
Connected as "CN=kirk,OU=client,O=client,L=test,C=de"
OpenSearch Version: 2.2.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: opensearch-cluster
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Legacy index '.opendistro_security' (ES 6) detected (or forced). You should migrate the configuration!
Populate config from /usr/share/opensearch/config
ERR: Seems …/…/…/config/config.yml is not in legacy format: java.io.FileNotFoundException: …/…/…/config/config.yml (No such file or directory)
ERR: Seems …/…/…/config/roles.yml is not in legacy format: java.io.FileNotFoundException: …/…/…/config/roles.yml (No such file or directory)
@kris could use some help.
Are my certs being cached somewhere and not taking the new files?
Is there any API query to check which cert file path is in use, or whether it is in _opendistro/_security/ or _plugins/_security/?
Any way to force a reload of the new certs?
@infodata The securityadmin.sh tool doesn't manage OpenSearch and OpenSearch Dashboards certificates. These must be configured either in the opensearch.yml or opensearch_dashboards.yml files.
docker compose up with certs from a local volume path.
The certs are not being updated.
I tried to move the files out, and dashboards do complain about the missing .key file, but somehow the certs are cached and not taking the new file input value.
Any way to check which cert path dashboards is running with, or reading from?
The docker compose that works (and where a cert file update does show up) is on another server with a very similar config, using a network volume which stores the certs and configs:
cat /usr/share/opensearch/config/dc-dev-os-node1-ad.yml
version: '3'
services:
  opensearch-node1:
    image: opensearchproject/opensearch:2.2.0
    logging:
      options:
        max-size: "20m"
        max-file: "2" #image: opensearchproject/opensearch:2.0.1
    container_name: opensearch-node1
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node1
      - discovery.seed_hosts=opensearch-node1
      - cluster.initial_master_nodes=opensearch-node1
      - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536 # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
        hard: 65536
    volumes:
      - /usr/share/opensearch/data:/usr/share/opensearch/data
      - /usr/share/opensearch/config:/usr/share/opensearch/config
      - /usr/share/opensearch/config/opensearch-security/config-ad.yml:/usr/share/opensearch/config/opensearch-security/config.yml
      - /usr/share/opensearch/config/opensearch-ad.yml:/usr/share/opensearch/config/opensearch.yml
    ports:
      - 9200:9200
      - 9600:9600 # required for Performance Analyzer
    networks:
      - opensearch-net
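The check the thread keeps circling around is "which certificate is the process actually serving, versus the file named in its config". The reply above is right that securityadmin.sh does not touch the TLS certs; they come from `plugins.security.ssl.http.pemcert_filepath` in opensearch.yml and `server.ssl.certificate` in opensearch_dashboards.yml. The script below is an added example, not code from the thread or from the OpenSearch project: it reads that key from the YAML, fingerprints the first certificate in the PEM file, fingerprints the leaf certificate presented on the TLS port, and reports whether they match. A mismatch after a restart means the file reached by the running process (i.e. inside the container, via the volume mount) is not the one you edited on the host. The sample YAML and PEM bodies at the bottom are constructed placeholders, not real certificates; the live host/port/config path are assumptions passed on the command line.

```python
"""Added example (not from the forum thread): compare the certificate an
OpenSearch node or OpenSearch Dashboards instance actually presents on its TLS
port with the PEM file named in its config. Stdlib only, so it can also be run
inside the container where the volume-mounted files are what the process sees."""
import base64
import hashlib
import re
import socket
import ssl
import sys
from typing import Optional

# Config keys that point at the server certificate in each product's YAML file.
CERT_KEYS = {
    "opensearch.yml": "plugins.security.ssl.http.pemcert_filepath",
    "opensearch_dashboards.yml": "server.ssl.certificate",
}

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_path_from_config(config_text: str, key: str) -> Optional[str]:
    """Value of a flat 'dotted.key: value' line (the form both YAML files use
    for these keys). Avoids a PyYAML dependency; nested YAML is not handled."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if ":" not in line:
            continue
        k, v = line.split(":", 1)
        if k.strip() == key:
            return v.strip().strip("'\"")
    return None


def der_from_pem(pem_text: str) -> bytes:
    """DER bytes of the FIRST certificate in a PEM string. A file that also
    carries the intermediate/root (a chain) therefore yields the leaf only."""
    m = _PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint (hex) of the first certificate in the PEM text."""
    return hashlib.sha256(der_from_pem(pem_text)).hexdigest()


def file_fingerprint(path: str) -> str:
    with open(path, "r", encoding="utf-8") as fh:
        return pem_fingerprint(fh.read())


def served_fingerprint(host: str, port: int, timeout: float = 5.0) -> str:
    """Fingerprint of the leaf certificate presented on host:port. Verification
    is switched off on purpose: we want to see what is served, not validate it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def verdict(file_fp: str, served_fp: str) -> str:
    """Human-readable result of comparing on-disk and served fingerprints."""
    if file_fp == served_fp:
        return "OK: served certificate matches the PEM file named in the config"
    return ("MISMATCH: the process is still serving a different certificate; "
            "check the file actually visible inside the container (volume mount) and restart")


# --- constructed sample data for stand-alone runs (NOT real certificates) ---
def _pem_from_der(der: bytes) -> str:
    body = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

OLD_DER = b"constructed: stands in for the expired certificate DER"
NEW_DER = b"constructed: stands in for the renewed 1yr certificate DER"
SAMPLE_OLD_PEM = _pem_from_der(OLD_DER)
SAMPLE_NEW_CHAIN_PEM = _pem_from_der(NEW_DER) + _pem_from_der(b"constructed root")
SAMPLE_OPENSEARCH_YML = """\
cluster.name: opensearch-cluster
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /usr/share/opensearch/config/node1.pem  # renewed
plugins.security.ssl.http.pemkey_filepath: /usr/share/opensearch/config/node1-key.pem
"""

if __name__ == "__main__":
    # Live use (assumed arguments): certcheck.py HOST PORT CONFIG_FILE
    host, port, cfg = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    key = CERT_KEYS["opensearch_dashboards.yml" if "dashboards" in cfg else "opensearch.yml"]
    with open(cfg, "r", encoding="utf-8") as fh:
        path = cert_path_from_config(fh.read(), key)
    print(verdict(file_fingerprint(path), served_fingerprint(host, port)))
```

Run it once against the host path you edited and once with `docker exec` inside the container against the mounted path; if the on-disk fingerprints differ between the two, the volume mount (or a bind-mounted single file whose inode changed when the file was replaced) is the reason the restart did not pick up the new cert.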