[BUG] Starting v2.12 - plugins.security.ssl.http.enabled cannot be set to false #4348
Comments
@c3-davidtran When using the If you wish to disable HTTPS, then I recommend to first run the the
[Triage] @c3-davidtran can you make a post in the forums to get some more assistance there? Or please re-open this issue with additional concerns if you think this is a bug.
@cwperks Thank you for clarifying. @derek-ho I wouldn't say it's a bug, but for users who, like me, use the demo certs for transport TLS and disable REST TLS, that new behaviour breaks our opensearch upgrade flow because additional steps have to be done.
@c3-davidtran There is no renewal process for demo certificates. The demo certificates are static and widely known. They can change between minor versions, but are only meant to be used for demonstration purposes to show how to configure a cluster securely. The process for generating self-signed certs can be found in the DEVELOPER_GUIDE: https://github.com/opensearch-project/security/blob/main/DEVELOPER_GUIDE.md#refreshing-demo-certificates
@cwperks Got it. I was actually concerned about what would happen if they change between minor versions as you implied. TLDR more context;
Describe the bug
Following the upgrade to opensearch 2.12, the demo internal certificates are no longer created when plugins.security.ssl.http.enabled is set to false in the opensearch.yml file.
This is a regression compared to previous versions, where the demo certificates were created and used for the transport layer.
Related component
Plugins
To Reproduce
Update the config opensearch.yml content with plugins.security.ssl.http.enabled: false.
Notice the security plugin will run with the log:
/usr/share/opensearch/config/opensearch.yml seems to be already configured for Security. Quit.
Then no demo certificate is created.
Deployment will fail with the error:
installation fails with error OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]
Expected behavior
Do not append additional plugins.security configuration if it has been provided by end users.
But still create the demo certificates unless DISABLE_INSTALL_DEMO_CONFIG is set to true.
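A preflight check for the failure reported above, as an added example that is not part of the original issue or of the OpenSearch project's code: it reads the plugins.security.* settings from opensearch.yml and reports every `*_filepath` that cannot be read before the node is started. Assumptions: the settings are flat dotted keys as in the report, relative paths resolve under the config directory as in the quoted error, the "installer quits when any security setting is present" rule is inferred from the log line in the report, and the sample config and function names are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample: REST TLS disabled, transport TLS pointing at the demo file names.
SAMPLE_YML = """\
plugins.security.ssl.http.enabled: false
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
"""

# Flat "key: value" lines only (assumption); nested YAML is not handled.
_SETTING = re.compile(r"^\s*(plugins\.security\.[\w.]+)\s*:\s*(.*?)\s*$")

def read_security_settings(yml_text):
    """Return {key: value} for flat plugins.security.* lines; comment lines never match."""
    settings = {}
    for line in yml_text.splitlines():
        match = _SETTING.match(line.split(" #", 1)[0])  # drop trailing comments
        if match:
            settings[match.group(1)] = match.group(2).strip("'\"")
    return settings

def preflight(config_dir, yml_text):
    """Return (installer_will_quit, problems) for a config about to be deployed."""
    settings = read_security_settings(yml_text)
    # Assumption drawn from the log line in the report: existing security
    # settings make the demo installer quit without generating certificates.
    installer_will_quit = bool(settings)
    problems = []
    for key, value in sorted(settings.items()):
        path = os.path.join(config_dir, value)  # relative paths resolve under config/
        unreadable = not (os.path.isfile(path) and os.access(path, os.R_OK))
        if key.endswith("_filepath") and unreadable:
            problems.append(f"{key}: cannot read {path}")
    return installer_will_quit, problems

def demo():
    """Run the check against a temporary config dir that holds only root-ca.pem."""
    with tempfile.TemporaryDirectory() as config_dir:
        with open(os.path.join(config_dir, "root-ca.pem"), "w") as fh:
            fh.write("constructed placeholder, not a real certificate\n")
        return preflight(config_dir, SAMPLE_YML)

if __name__ == "__main__":
    quits, problems = demo()
    print("demo installer will quit:", quits)
    print("\n".join(problems) or "all referenced files are readable")
```

Run against the real config directory in an upgrade pipeline, a non-empty problem list means the certificates have to be provisioned before the node starts.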