Tarball install security error

I’m getting the same error described in the post: OpenSearch ssl exception (tar).

The error is:

Caused by: org.opensearch.OpenSearchException: plugins.security.ssl.transport.keystore_filepath or plugins.security.ssl.transport.server.pemcert_fil
epath and plugins.security.ssl.transport.client.pemcert_filepath must be set if transport ssl is requested.

I’m not using the keystore so I believe it’s telling me that I should configure the following:

plugins.security.ssl.transport.server.pemcert_filepath:
plugins.security.ssl.transport.client.pemcert_filepath:

But following the documentation for the security plugin I ended up with the the following similar configuration:

plugins.security.ssl.transport.pemcert_filepath: opensearch-master-010.pem
plugins.security.ssl.transport.pemkey_filepath: opensearch-master-010.key

I’m not sure what’s up with the “client” and “server” pemcert filepaths described in the error but I didn’t see anything about it in the documentation.

I did some research and in the security plugin code in OpenSearchSecuritySSLPlugin.java it looks like - if(extendedKeyUsageEnabled) - it will look for the server and client file paths, but if not, it will look for what I’ve configured.

I tried disabling extended key usage with plugins.security.ssl.transport.extended_key_usage_enabled: false but that didn’t work. It also looks like extended key usage is disabled by default. So I’m not able to figure out why this is happening.

Any ideas?

We use this configuration:

plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.pemcert_filepath: node.crt
plugins.security.ssl.transport.pemkey_filepath: node-pkcs8.key
plugins.security.ssl.transport.pemtrustedcas_filepath: rootCA.crt
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.ssl.http.pemcert_filepath: node.crt 
plugins.security.ssl.http.pemkey_filepath: node-pkcs8.key
plugins.security.ssl.http.pemtrustedcas_filepath: full-rootCA-bundle.crt

The ‘client’ and ‘server’ entries didn’t work … but this has been in operations now for several months. We’re using a straight tarball install with very little customization.

One note – remember that all keys must be pkcs8 format – that tripped us up for a while at first.

Hope this works! :slight_smile:

1 Like

first u need run opensearch-tar-install.sh, security plugin config demo will be auto generated :slight_smile:

I’m using the SearchGuard tlstool to create the keys and csr’s, and then using openssl to create the certificates using my own private root CA chain. As far as I understand it, the tlstool will create the keys in pkcs8 format and then creating the certs with openssl should be fine, unless I’m missing something.

@DrEdWilliams - thank you for posting your config. Mine is basically the same so I’m definitely missing something here.

I’ll continue to debug…

@slynch - the paranoid part of me would want to verify that the certs and keys are in good shape …

openssl verify -verbose -CAfile <CA cert> <node cert>

… and of course to see what is in the certs:

openssl x509 -text -noout -in <cert file>

One thing that makes me wonder is the fact that it doesn’t seem to recognize that you provided a cert at all … maybe check the permissions on the cert/key files to make sure your opensearch process can read it (something that we stumbled across since we are running everything as user ‘opensearch’)

@feng - Agreed that the simplest way is to run the opensearch-tar-install.sh script with NO CERTS in the opensearch.yml file … let it create and initialize everything in the demo configuration … then replace the demo certs in the config file with your certs and restart.

I will be working on a better script, though, since I will have to use the tarball when we move to production (despite the discussion in another topic – I will not be able to use the RPM distribution when it is available). It seems odd to have to create stuff and throw them away …

Ok I figured the problem and I’m disappointed because it was a dumb error on my part.

During my install I decided to use /etc/opensearch as the config directory since I was always used to /etc/elasticsearch previously. But I neglected to specify this location with OPENSEARCH_PATH_CONF. Since I’m used to this aspect of the install being taken care of by the install package, it never occurred to me that I can’t just change it without telling the program. :roll_eyes: The error I was receiving was because it was just looking at the default config location from the tarball install and not my config in /etc/opensearch.

So I moved my config to the normal location for the tarball (<InstallDir>/config) and now all is working.

1 Like