Using a purchased certificate for TLS

TomSummers · February 27, 2025, 3:08pm

Versions :

Opensearch: 2.19.0
Java: Embedded
OS: Rocky Linux 8
Installation Method: YUM repo

Describe the issue:
I’m trying to get a handle on OpenSearch for an upcoming move away from Elasticsearch, but I’m struggling to use our purchased SSL certificates to get things going. I see that you have to provide a list of trusted CA certs, but how do I do that with a cert that’s not self-signed? I’ve tried giving it a “blank” file for that option, but when I curl I get OpenSearch Security not initialized.

Configuration:

I’ve taken the default config and tried to pare it down as much as possible

path.data: /var/lib/opensearch
path.logs: /var/log/opensearch

cluster.name: blongus
action.auto_create_index: true

plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemcert_filepath: cert.pem
plugins.security.ssl.transport.pemkey_filepath: key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root.pem
plugins.security.ssl.transport.enforce_hostname_verification: false

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: cert.pem
plugins.security.ssl.http.pemkey_filepath: key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root.pem

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
    .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
    .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
    .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
    .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
    .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
    .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
    .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
    .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
    .plugins-flow-framework-state
]

Anthony · March 3, 2025, 8:54am

@TomSummers are you able to get a copy of the root CA and any intermediate CA used to sign the bought certificate. The concatenated version of certificate chain should be included in pemtrustedcas_filepath.

The trusted_cas.pem file would look like this:

-----BEGIN CERTIFICATE-----
(Root CA Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate CA Certificate)
-----END CERTIFICATE-----

Topic		Replies	Views
TLS configuration with organizational certs Security troubleshoot , configure	2	658	January 21, 2022
Opensearch security is asking for plugins.security.ssl.transport.truststore_filepath property to be set Security configure	10	7772	February 8, 2022
Self signed SSL integration for opensearch Security troubleshoot	3	998	March 26, 2022
Error in OpenSearch SSL Configuration Security configure	3	2609	March 25, 2022
Certificate configuration Error Security troubleshoot , configure	5	2156	June 26, 2023

Using a purchased certificate for TLS

Related topics