opensearch-project / opensearch-js

Node.js Client for OpenSearch
https://opensearch.org/docs/latest/clients/javascript/
Apache License 2.0

How to setup https/ssl with nodejs client #621

Open setiah opened 2 years ago

setiah commented 2 years ago

Creating this on behalf of a user facing issues setting up the nodejs client to communicate with a security-enabled OpenSearch cluster set up via docker.

DanielGillett commented 2 years ago

Thanks Setiah for starting this issue. I sent you this via email and I'm now posting the issue I have here.

I am trying to create a client to use/interact with OpenSearch and when I go to run my client against OpenSearch, I get errors relating to 'ca_certs_path'. ...I'm not trusted.

Let me start by explaining the basics...

My Steps...

  1. I create a new folder for opensearch/
  2. Open my Bash terminal in the opensearch directory
    • increase the WSL RAM -> wsl -d docker-desktop sysctl -w vm.max_map_count=262144
  3. I copy & paste the docker-compose file.
    • run the docker file -> docker-compose up
  4. Then I go to make my coffee (tea)
  5. When the terminal appears to be finished I start a new terminal to run some checks: To make sure things are running I send some curl commands to OpenSearch
  6. I then go and log into the OpenSearch dashboard
  7. If everything is working I get started with the javascript client example: (the problem I have would be the same for any of the client types (Java, Go, Python, etc.))
    • I follow the javascript example from the client page (mentioned above)

Here is where my problem is: In the sample code, one of the variables is asking for the path to the "root-ca.pem". I do not know how to set this up from Windows to use in my nodejs client example. Apparently I need to generate this somehow and save it somewhere.

Thanks very much! Daniel

setiah commented 2 years ago

Thanks for the details.

The nodejs client is unable to connect to OpenSearch cluster because by default the client does not trust the "self-signed certificates" used on the server side, causing it to throw errors like

project/opensearch/lib/Connection.js:126:16)
    at ClientRequest.emit (events.js:198:13)
    at TLSSocket.socketErrorListener (_http_client.js:401:9)
    at TLSSocket.emit (events.js:198:13)
    at emitErrorNT (internal/streams/destroy.js:91:8)
    at emitErrorAndCloseNT (internal/streams/destroy.js:59:3)
    at process._tickCallback (internal/process/next_tick.js:63:19)
  name: 'ConnectionError',

To make it work, you will need to set the certification authority in client ssl configuration to the root-ca.pem file.

var ca_certs_path = "/full/path/to/root-ca.pem";

See ^ in example - https://opensearch.org/docs/latest/clients/javascript/

The docker image has root-ca.pem wrapped in during image creation, unlike the non-docker distribution where users are expected to set up demo-certs themselves using the install_demo_configuration.sh tool. This tool generates the root-ca.pem and other cert files on the local system, where you can point your clients. However, in case of the docker distribution, these demo certs are set up during the image creation phase itself (see docker-entrypoint.sh), so users can just run “docker-compose up” and be done with it. This difference in behavior can be confusing.

For now, users can create a root-ca.pem file with contents from here (or copy it from inside the docker container at /usr/share/opensearch/config/root-ca.pem). You can copy this exact piece in a root-ca.pem file anywhere on your local machine with -rw-r--r-- permissions and point that to the nodejs client. It should work.

Thanks for bringing this to our attention. We'll fix these gaps in the nodejs client side documentation https://github.com/opensearch-project/documentation-website/issues/245

metaskills commented 11 months ago

I've been doing this. My devcontainer is node:18-bookworm

  opensearch = new Client({
    node: "https://admin:admin@opensearch:9200",
    ssl: {
      ca: fs.readFileSync("/etc/ssl/certs/Comodo_AAA_Services_root.pem"),
      rejectUnauthorized: false,
    },
  });

AMoo-Miki commented 3 months ago

ssl.ca shouldn't be needed. This is what I use:

import { Client } from '@opensearch-project/opensearch';

const osClient= new Client({
  node: 'https://hostname-or-ip:9200',
  auth: {
    username: '....',
    password: '....'
  },
  ssl: {
    rejectUnauthorized: false
  }
});

If you are connecting to OpenSearch from a different machine, make sure OpenSearch is listening on 0.0.0.0 or an external IP of the machine.
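The client options posted in this thread differ in whether the server certificate is actually verified. The following is an added example, not code from any commenter or from opensearch-js: a small lint over `Client` options that flags those differences. `auditClientOptions`, the finding names and the sample values are hypothetical, and the CA check looks only at PEM framing, not certificate validity.

```javascript
// Added example: lint for opensearch-js Client options. The function and
// finding names are hypothetical, not part of the client library.
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/;

function auditClientOptions(opts) {
  const findings = [];
  const ssl = opts.ssl || {};
  let url;
  try { url = new URL(opts.node); } catch { return ['invalid-node-url']; }
  // Plain HTTP sends credentials and data unencrypted.
  if (url.protocol !== 'https:') findings.push('no-tls');
  // user:pass@host URLs can end up in logs and error output.
  if (url.username || url.password) findings.push('credentials-in-url');
  // rejectUnauthorized: false accepts any certificate, so the client
  // cannot tell the real cluster from an impostor.
  if (ssl.rejectUnauthorized === false) {
    findings.push('tls-verification-disabled');
    // With verification off, a supplied CA does not decide acceptance.
    if (ssl.ca !== undefined) findings.push('ca-has-no-effect');
  }
  // ssl.ca must hold PEM certificate text (string or Buffer), not a path.
  if (ssl.ca !== undefined && !PEM_CERT.test(String(ssl.ca))) {
    findings.push('ca-not-pem');
  }
  return findings;
}

// Constructed placeholder with PEM framing only; not a real certificate.
const SAMPLE_CA =
  '-----BEGIN CERTIFICATE-----\nMIIB(constructed placeholder)\n-----END CERTIFICATE-----\n';

// Constructed configurations in the shapes seen in the thread.
const SAMPLES = {
  caButUnverified: {
    node: 'https://admin:admin@opensearch:9200',
    ssl: { ca: SAMPLE_CA, rejectUnauthorized: false },
  },
  unverified: { node: 'https://hostname-or-ip:9200', ssl: { rejectUnauthorized: false } },
  verified: { node: 'https://localhost:9200', ssl: { ca: SAMPLE_CA } },
  pathInsteadOfPem: { node: 'https://localhost:9200', ssl: { ca: '/full/path/to/root-ca.pem' } },
};

for (const [name, opts] of Object.entries(SAMPLES)) {
  console.log(name, auditClientOptions(opts));
}
```

Only the `verified` shape, with the contents of the cluster's root-ca.pem in `ssl.ca` and `rejectUnauthorized` left at its default, returns no findings.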

dblock commented 2 months ago

[Triage -- attendees 1, 2, 3, 4, 5, 6, 7]

This is a valid question, would be great if someone (maybe @metaskills?) could contribute an SSL guide into guides/.