Update new 1yr cert for dashboard

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
"number" : "2.2.0"
docker compose

Describe the issue:
Updated new 1yr certs on dashboards with Azure AD integration, but the certs are not being updated on restart of both opensearch and opensearch-dashboards.

Configuration:
"number" : "2.2.0"

Relevant Logs or Screenshots:

/usr/share/opensearch/config/opensearch.yml
/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml

These have the new crt, key and root files updated, but the new changes are not reflected in the browser dashboards.
Are the certs saved in the security index?

securityadmin.sh may not be needed?
Tried to run it on the config folder inside the container as well:
./securityadmin.sh -cd …/…/…/config/ -icl -nhnv -cacert …/…/…/config/root-ca.pem -cert …/…/…/config/kirk.pem -key …/…/…/config/kirk-key.pem

[opensearch@0821f64847e8 tools]$ ./securityadmin.sh -cd …/…/…/config/ -icl -nhnv -cacert …/…/…/config/root-ca.pem -cert …/…/…/config/kirk.pem -key …/…/…/config/kirk-key.pem


** This tool will be deprecated in the next major release of OpenSearch **
** [DEPRECATION] Security Plugin Tools will be replaced · Issue #1755 · opensearch-project/security · GitHub **


Security Admin v7
Will connect to localhost:9200 … done
Connected as "CN=kirk,OU=client,O=client,L=test,C=de"
OpenSearch Version: 2.2.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate …
Clustername: opensearch-cluster
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Legacy index '.opendistro_security' (ES 6) detected (or forced). You should migrate the configuration!
Populate config from /usr/share/opensearch/config
ERR: Seems …/…/…/config/config.yml is not in legacy format: java.io.FileNotFoundException: …/…/…/config/config.yml (No such file or directory)
ERR: Seems …/…/…/config/roles.yml is not in legacy format: java.io.FileNotFoundException: …/…/…/config/roles.yml (No such file or directory)

@kris could use some help.
My certs are being cached somewhere and not taking the new files?
Any API query to check which cert file path is in use, or whether it is in _opendistro/_security/ or _plugins/_security/?
Any way to force a reload of the new certs?

@infodata The securityadmin.sh tool doesn't manage OpenSearch and OpenSearch Dashboards certificates. These must be configured either in the opensearch.yml or opensearch_dashboards.yml files.

How did you deploy your cluster?

docker compose up with certs from a local volume path.
The certs are not being updated.
I tried to move the files out and dashboards does complain about the missing .key file, but somehow the certs are cached and not taking the new file input value.
Any way to check which cert, or which path, the running dashboards is using?

@infodata How did you stop and start the docker-compose?

stop running containers

/bin/docker-compose -f /usr/share/opensearch/config/dc-dev-os-node1-ad.yml down

start

/bin/docker-compose -f /usr/share/opensearch/config/dc-dev-os-node1-ad.yml up -d

@infodata Do you use any persistent volumes with OpenSearch Dashboards container?

Have you tried to copy the certificate into the running OpenSearch Dashboards container and then restart that container?

Could you share your docker-compose file?

docker compose that works, and the cert file update does show up on another server with a very similar config, with a network volume which stores the certs and configs:

cat /usr/share/opensearch/config/dc-dev-os-node1-ad.yml
version: '3'
services:
  opensearch-node1:
    image: opensearchproject/opensearch:2.2.0
    logging:
      options:
        max-size: "20m"
        max-file: "2"
    #image: opensearchproject/opensearch:2.0.1
    container_name: opensearch-node1
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node1
      - discovery.seed_hosts=opensearch-node1
      - cluster.initial_master_nodes=opensearch-node1
      - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536 # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
        hard: 65536
    volumes:
      - /usr/share/opensearch/data:/usr/share/opensearch/data
      - /usr/share/opensearch/config:/usr/share/opensearch/config
      - /usr/share/opensearch/config/opensearch-security/config-ad.yml:/usr/share/opensearch/config/opensearch-security/config.yml
      - /usr/share/opensearch/config/opensearch-ad.yml:/usr/share/opensearch/config/opensearch.yml
    ports:
      - 9200:9200
      - 9600:9600 # required for Performance Analyzer
    networks:
      - opensearch-net

  opensearch-dashboards:
    depends_on:
      - opensearch-node1
    image: opensearchproject/opensearch-dashboards:2.2.0
    logging:
      options:
        max-size: "20m"
        max-file: "2"
    #image: opensearchproject/opensearch-dashboards:2.0.1
    container_name: opensearch-dashboards
    volumes:
      - /usr/share/opensearch/config:/usr/share/opensearch/config
      - /usr/share/opensearch/config/certs:/usr/share/opensearch/config/certs
      - /usr/share/opensearch/config/opensearch_dashboards-ad.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      OPENSEARCH_HOSTS: '["https://10.100.2.219:9200"]'
    networks:
      - opensearch-net

networks:
  opensearch-net:

Inside the container I am able to see the new files, but they are not showing up in the HTTPS UI in the browser.

$ docker exec -it 6b6e4db2e788 bash
[opensearch-dashboards@6b6e4db2e788 ~]$
[opensearch-dashboards@6b6e4db2e788 ~]$ cd config
[opensearch-dashboards@6b6e4db2e788 config]$ ls -l
total 16
-rw-r--r-- 1 opensearch-dashboards opensearch-dashboards 216 Aug 10 2022 node.options
-rw-r--r-- 1 opensearch-dashboards opensearch-dashboards 1151 Aug 10 2022 opensearch.example.org.cert
-rw-r--r-- 1 opensearch-dashboards opensearch-dashboards 1675 Aug 10 2022 opensearch.example.org.key
-rw------- 1 opensearch-dashboards opensearch-dashboards 1514 Apr 6 03:26 opensearch_dashboards.yml

[opensearch-dashboards@6b6e4db2e788 config]$ cd /usr/share/opensearch/config/certs

[opensearch-dashboards@6b6e4db2e788 certs]$ ls -l
total 16
-rw------- 1 opensearch-dashboards opensearch-dashboards 4795 Apr 4 18:05 digica.crt
drwxr-xr-x 2 opensearch-dashboards opensearch-dashboards 181 Apr 6 04:49 old
-rw------- 1 opensearch-dashboards opensearch-dashboards 2350 Mar 31 16:55 server.crt
-rw------- 1 opensearch-dashboards opensearch-dashboards 1704 Mar 31 16:55 server.key
[opensearch-dashboards@6b6e4db2e788 certs]$ df -h .
Filesystem Size Used Avail Use% Mounted on
/dev/nvme1n1 100G 48G 53G 48% /usr/share/opensearch/config/certs
[opensearch-dashboards@6b6e4db2e788 certs]$ cd
[opensearch-dashboards@6b6e4db2e788 ~]$ cd config
[opensearch-dashboards@6b6e4db2e788 config]$ grep crt opensearch_dashboards.yml
server.ssl.certificate: /usr/share/opensearch/config/certs/server.crt
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch/config/certs/digica.crt" ]
[opensearch-dashboards@6b6e4db2e788 config]$ grep key opensearch_dashboards.yml
server.ssl.key: /usr/share/opensearch/config/certs/server.key

Found there was an old cert added on the load balancer, as this was running on an instance behind an LB.
After the load balancer cert was updated, it showed the new cert.

1 Like
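The resolution above is a common pattern: the file on disk and the container are fine, and the stale certificate is on whatever terminates TLS in front of the container. The following script is an added example, not code from the thread or from the OpenSearch project. It fingerprints the leaf certificate in a PEM file (such as the `server.crt` referenced by `server.ssl.certificate`), fingerprints the certificate actually presented on the Dashboards port, optionally fingerprints what the load-balancer hostname presents, and reports where the mismatch is. The sample PEM embedded at the top is constructed (its base64 payload is not a real certificate) purely so the fingerprint helpers can be exercised offline; the host names and ports passed on the command line are assumptions you supply for your own deployment.

```python
"""Added diagnostic: where is the stale certificate, the file, the container,
or the load balancer? Compares SHA-256 fingerprints of the leaf certificate
from three places and prints a verdict. Stdlib only."""
import base64
import hashlib
import re
import ssl
import sys
from typing import Optional

# Constructed sample (NOT a real X.509 certificate): opaque bytes wrapped in
# PEM armour so the helpers below can be run without any real cert on disk.
SAMPLE_DER = b"constructed-sample-bytes-not-a-real-x509-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def first_pem_block(text: str) -> str:
    """Return only the first (leaf) certificate block.

    A server.crt that also carries the intermediate chain holds several
    blocks; feeding the whole file to ssl.PEM_cert_to_DER_cert would decode
    the concatenation as one blob and yield a meaningless fingerprint."""
    match = _PEM_BLOCK.search(text)
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    return match.group(0)


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, colon-separated like
    `openssl x509 -noout -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of the leaf certificate in a PEM string or file contents."""
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(first_pem_block(pem_text)))


def served_fingerprint(host: str, port: int) -> str:
    """Fingerprint of the leaf certificate the endpoint presents for SNI=host.

    ca_certs is left unset, so verification is disabled on purpose: we want
    to see whatever is served, including an expired or untrusted certificate."""
    return pem_fingerprint(ssl.get_server_certificate((host, port)))


def diagnose(file_fp: str, direct_fp: str, lb_fp: Optional[str] = None) -> str:
    """Verdict codes:
    CONTAINER_STALE  the container serves something other than the file on
                     disk (wrong server.ssl.* path or the process never
                     re-read the file: restart the container).
    LB_STALE         container and file agree, but the load balancer presents
                     a different certificate (the case in this thread).
    OK               the same leaf certificate is served end to end."""
    if file_fp != direct_fp:
        return "CONTAINER_STALE"
    if lb_fp is not None and lb_fp != file_fp:
        return "LB_STALE"
    return "OK"


if __name__ == "__main__":
    # usage: python cert_check.py /usr/share/opensearch/config/certs/server.crt \
    #            DASHBOARDS_HOST 5601 [LB_HOSTNAME 443]
    # DASHBOARDS_HOST / LB_HOSTNAME are placeholders for your own deployment.
    cert_path, direct_host, direct_port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(cert_path, encoding="ascii") as fh:
        file_fp = pem_fingerprint(fh.read())
    direct_fp = served_fingerprint(direct_host, direct_port)
    lb_fp = served_fingerprint(sys.argv[4], int(sys.argv[5])) if len(sys.argv) > 5 else None
    print("file    :", file_fp)
    print("direct  :", direct_fp)
    if lb_fp is not None:
        print("lb      :", lb_fp)
    print("verdict :", diagnose(file_fp, direct_fp, lb_fp))
```

Run it from a host that can reach the Dashboards port directly (bypassing the load balancer) as well as the public hostname; a `LB_STALE` verdict means no amount of container restarts will help, and an `OK` direct check after a restart is the evidence to bring to whoever owns the load balancer.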