Using a purchased certificate for TLS

Versions:

  • Opensearch: 2.19.0
  • Java: Embedded
  • OS: Rocky Linux 8
  • Installation Method: YUM repo

Describe the issue:
I’m trying to get a handle on OpenSearch for an upcoming move away from Elasticsearch, but I’m struggling to use our purchased SSL certificates to get things going. I see that you have to provide a list of trusted CA certs, but how do I do that with a cert that’s not self-signed? I’ve tried giving it a “blank” file for that option, but when I curl I get OpenSearch Security not initialized.

Configuration:

I’ve taken the default config and tried to pare it down as much as possible.

path.data: /var/lib/opensearch
path.logs: /var/log/opensearch

cluster.name: blongus
action.auto_create_index: true

plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemcert_filepath: cert.pem
plugins.security.ssl.transport.pemkey_filepath: key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root.pem
plugins.security.ssl.transport.enforce_hostname_verification: false

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: cert.pem
plugins.security.ssl.http.pemkey_filepath: key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root.pem

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
    .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
    .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
    .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
    .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
    .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
    .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
    .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
    .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
    .plugins-flow-framework-state
]

@TomSummers, are you able to get a copy of the root CA and any intermediate CA used to sign the bought certificate? The concatenated version of the certificate chain should be included in pemtrustedcas_filepath.

The trusted_cas.pem file would look like this:

-----BEGIN CERTIFICATE-----
(Root CA Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate CA Certificate)
-----END CERTIFICATE-----

Had some time off and was then on other projects, but I try never to leave a thread hanging.

Our registrar provides the cert and chain in separate PEM files, so I just needed to concatenate those and feed them in as pemcert_filepath. The pemtrustedcas_filepath file was downloaded from the registrar in PEM format and worked.

My real problem was that I hadn’t run securityadmin.sh to set things up; I’d made sure to remove all the demo items before starting the server (that should really be a flag for the RPM repo version). One wrinkle is that securityadmin.sh must have the key in PKCS#8 format, which I was able to create with:

openssl pkcs8 -topk8 -inform PEM -in /etc/opensearch/key.pem -out /etc/opensearch/key.p8 -nocrypt

I realise this means I’m using the same key for both node and admin, but who’s going to get a separate cert for every function?

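The two steps described in this thread, assembling pemtrustedcas_filepath from the root and intermediate CA and converting the node key to PKCS#8 for securityadmin.sh, as one added shell example. This is not code from the thread or from the OpenSearch project. Because a real registrar-issued certificate cannot be shipped with a forum post, it generates a throw-away root/intermediate/leaf PKI to stand in for the registrar's files, so the CA names, the node hostname node1.example.internal, the bundle file names and the RPM paths in the trailing comment are all assumptions. What it shows that the posts do not: how to check with openssl that the bundles you built actually chain, that the key belongs to the first certificate in cert.pem, and what the failure looks like when the intermediate is missing.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSearch project: build the two
# PEM bundles the security plugin expects from a CA-issued certificate, check
# them with openssl, and convert the key to PKCS#8 for securityadmin.sh.
# A throw-away root/intermediate/leaf PKI generated here stands in for the
# registrar's files; every name, DN and path below is an assumption.
set -eu

# Stand-in for what a registrar delivers: root.pem, intermediate.pem, leaf.pem
# (the node certificate) and key.pem (its key, in legacy PKCS#1 form).
make_demo_pki() {
  d=$1
  cat >"$d/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:node1.example.internal
EOF
  openssl req -x509 -config "$d/pki.cnf" -extensions v3_root -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Demo Root CA" -keyout "$d/root-key.pem" -out "$d/root.pem" 2>/dev/null
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int-key.pem" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root-key.pem" \
    -CAcreateserial -extfile "$d/pki.cnf" -extensions v3_int -out "$d/intermediate.pem" 2>/dev/null
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=node1.example.internal" -keyout "$d/key-gen.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/intermediate.pem" -CAkey "$d/int-key.pem" \
    -CAcreateserial -extfile "$d/pki.cnf" -extensions v3_leaf -out "$d/leaf.pem" 2>/dev/null
  # Registrar-style PKCS#1 key ("BEGIN RSA PRIVATE KEY"): OpenSSL 3 needs
  # -traditional for that; OpenSSL 1.1.1 rejects the flag but writes PKCS#1 anyway.
  openssl rsa -traditional -in "$d/key-gen.pem" -out "$d/key.pem" 2>/dev/null ||
    openssl rsa -in "$d/key-gen.pem" -out "$d/key.pem" 2>/dev/null
}

# pemcert_filepath: node cert first, then each intermediate (leaf-to-root order).
# pemtrustedcas_filepath: the root CA plus the intermediates, as the thread says.
build_bundles() {
  cat "$1/leaf.pem" "$1/intermediate.pem" >"$1/cert.pem"
  cat "$1/root.pem" "$1/intermediate.pem" >"$1/trusted_cas.pem"
}

# Number of certificates in a PEM bundle.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Does the node cert chain up to trusted_cas.pem? Exit status 0 means yes.
verify_with_bundle() { openssl verify -CAfile "$1/trusted_cas.pem" "$1/leaf.pem" >/dev/null 2>&1; }

# Same check with only the root trusted and no intermediate anywhere: this is
# what an empty or incomplete chain file gives you.
verify_root_only() { openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1; }

# The key must belong to the first certificate in cert.pem: compare public keys.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1/cert.pem")" = "$(openssl pkey -pubout -in "$1/key.pem")" ]
}

# securityadmin.sh wants PKCS#8; this is the conversion command from the thread.
to_pkcs8() { openssl pkcs8 -topk8 -inform PEM -in "$1/key.pem" -out "$1/key.p8" -nocrypt; }

# PEM label of a file's first block, e.g. "RSA PRIVATE KEY" or "PRIVATE KEY".
pem_label() { head -n 1 "$1" | sed 's/^-----BEGIN \(.*\)-----$/\1/'; }

work=$(mktemp -d)
make_demo_pki "$work"
build_bundles "$work"
verify_with_bundle "$work"
echo "leaf verifies against trusted_cas.pem ($(cert_count "$work/trusted_cas.pem") CA certs)"
verify_root_only "$work" || echo "leaf does NOT verify against root.pem alone: intermediate missing"
key_matches_cert "$work"
echo "key.pem matches the first cert in cert.pem"
to_pkcs8 "$work"
echo "key.pem is '$(pem_label "$work/key.pem")', key.p8 is '$(pem_label "$work/key.p8")'"
# Then, with the bundles copied into place (RPM layout assumed), initialise the
# security index; the admin cert's DN must be listed in plugins.security.authcz.admin_dn:
#   /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
#     -cd /etc/opensearch/opensearch-security/ -icl -nhnv \
#     -cacert /etc/opensearch/trusted_cas.pem -cert /etc/opensearch/cert.pem \
#     -key /etc/opensearch/key.p8
```

Run it as a plain sh script; it needs only openssl. The verify_root_only case is the failure mode behind the "blank" chain file tried in the question: if the intermediate is in neither bundle, the node certificate cannot be validated no matter how the root is supplied. Two practical caveats. Reusing the node certificate for securityadmin.sh only works if that certificate's DN is listed in plugins.security.authcz.admin_dn, and the security plugin's documentation recommends a dedicated admin certificate rather than a node one, since whoever holds that key can rewrite the entire security configuration. And once node certificates carry their hostnames in subjectAltName, as the generated leaf does, there is no longer a reason to keep plugins.security.ssl.transport.enforce_hostname_verification at false as in the pared-down config above.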

@TomSummers thank you for coming back and updating the community on the resolution - greatly appreciated!