Closed cwperks closed 1 year ago
[Triage] The outcome of this would require generating a new set of certificates. The steps to generate new certificates can be found online and in past PRs to generate certs.
FYI if the Demo Certificates are replaced then new hashes need to be added here: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java#L305-L319
Edit: The history of demo certs should be kept since any demo cert is widely known. Anyone can easily look up old demo certs through git history.
@DarshitChanpura Can you reply back with the commands to generate the cert checksums when you figure it out?
NOTE: Since this required adding a new value to SAN for node certificates, I had to end up generating a new set of demo certs.
curl -XGET https://admin:admin@localhost:9200/ -k
b. curl IPv6 - curl -XGET https://admin:admin@\[::1\]:9200/ -k
No subject alternative names matching IP address ::1 found
)
a. Created a zip for 2.10.0.0-SNAPSHOT for security and placed it under bwc-test/src/test/resources/2.10.0.0/
b. Replaced kirk.pem, kirk-key.pem, esnode.pem, esnode-key.pem and root-ca.pem under bwc-test/src/test/resources/security/ with newly generated certificates
c. Ran bwcTestSuite task
Update: I was able to have plugin-install running for Ubuntu, but still facing trouble with Windows.
Update 2: I was able to solve the Windows issue by running: openssl s_client -connect localhost:9200 and verifying that the node certificate returned by the Windows machine was not correct. As a fix, I modified the demo install script to replace with the correct certificates.
The demo esnode.pem certificate (defined here) does not include ::1 as a subject alternate name, which has caused issues running the backwards compatibility tests with the security plugin installed.
The IPv6 loopback address can be added in an ext file using openssl like this:
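
The SAN gap discussed in this issue, as an added example that is not part of the original issue or the project's scripts: a throwaway CA signs two node certificates from an ext file, one without and one with ::1, and openssl x509 -checkip reports which loopback addresses each one covers. File names, subjects and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example: throwaway CA and node certificates constructed for this demo,
# not the project's demo certificates or its install script.
set -eu

# issue_cert DIR NAME IPV6: write DIR/NAME.pem; IPV6=yes puts ::1 in the SAN.
issue_cert() {
  dir=$1; name=$2; ipv6=$3
  # Extension file: the SAN entries the issued certificate will carry.
  {
    echo "subjectAltName = @alt_names"
    echo "[alt_names]"
    echo "DNS.1 = localhost"
    echo "IP.1 = 127.0.0.1"
    if [ "$ipv6" = yes ]; then echo "IP.2 = ::1"; fi
  } > "$dir/$name.ext"
  # One self-signed test CA per directory, created on first use.
  [ -f "$dir/ca.pem" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=constructed-test-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
    -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" 2>/dev/null
  # -extfile is what copies the SAN entries into the signed certificate.
  openssl x509 -req -in "$dir/$name.csr" -days 1 \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
}

# san_covers_ip CERT IP: succeed only if IP matches an IP SAN entry of CERT.
san_covers_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match certificate"
}

# report CERT: print which loopback addresses the certificate is valid for.
report() {
  for ip in 127.0.0.1 ::1; do
    if san_covers_ip "$1" "$ip"; then echo "$1: $ip covered"
    else echo "$1: $ip MISSING from SAN"; fi
  done
}

tmp=$(mktemp -d)
issue_cert "$tmp" ipv4-only no   # SAN without ::1, the failing case
issue_cert "$tmp" dual-stack yes # SAN with both loopback addresses
report "$tmp/ipv4-only.pem"
report "$tmp/dual-stack.pem"
rm -rf "$tmp"
```

To check a running node, save the certificate printed by openssl s_client -connect localhost:9200 to a file and pass it to san_covers_ip.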