Open reneradoi opened 1 week ago
Thank you @reneradoi, it is known issue. We are planning to add https://github.com/opensearch-project/security/issues/4427 as a first step to fix hot reload problem.
Hi @willyborankin I'm not sure if it's the same issue. The feature request you linked is about the ssl reload only being performed on the coordinator node instead of the whole cluster, but in this issue I'm encountering that the certs cannot be reloaded at all, not even on a single node.
As far as I've debugged, this is because of a sorting operation when validating the new cert against the current one (reg. issuer, subject and SANs).
Hi @reneradoi, I agree my comment is misleading, sorry about that.
[Triage] Hi @reneradoi thank you for filing this issue. Looks like a real issue, and something that should be fixed. Going to mark as triaged.
I'm working on hot reload, so will try to fix this one as well.
What is the bug? As part of the TLS cert renewal process I want to use the REST API for hot reload of transport and http certificates. When reloading the already used certificates, everything works fine (response code 200). But when I want to apply newly generated, self-signed certificates, I always run into the same exception telling me that the new certs do not have a valid Issuer DN, Subject DN or SAN.
I’ve checked my configuration and the validity of the certs, everything seems to be fine here. If the application is restarted, the new certs are also picked up without any issue. Only reloading via the API produces this error.
How can one reproduce the bug? Steps to reproduce the behavior:
DNSName in the Subject Alternative Names section
_plugins/_security/api/ssl/transport/reloadcerts
What is the expected behavior?
200
What is your host/environment?
Do you have any screenshots? API response:
Server logfile:
Do you have any additional context? Relevant part of the config file
opensearch.yml:
I did a lot of debugging on this, output (incl. the current and new cert) can be found here. The essential part is this: When comparing the SAN lists of the current and the new cert, the maps are being sorted. This sort function breaks:
It's happening at this position in the source code: https://github.com/opensearch-project/security/blob/3dae7a75692b058a460aa2a9dda1d0aa5faae0ef/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java#L675-L679
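As an added illustration (not the plugin's code and not a claim about the exact cause of the failure above), one order-independent way to compare the SAN lists that `java.security.cert.X509Certificate.getSubjectAlternativeNames()` returns: each entry is normalized to a `(type, value)` string and the two sets are compared, so no sorting of heterogeneous entries is needed. The class name `SanCompare` and the sample entries in `main` are constructed for this example.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public final class SanCompare {

    // getSubjectAlternativeNames() yields entries of the form [Integer type, Object value].
    // Per the JDK contract the value is a String for rfc822Name (1), dNSName (2),
    // uniformResourceIdentifier (6), iPAddress (7) and registeredID (8), but a DER-encoded
    // byte[] for otherName (0) and x400Address (3). Entries are therefore not mutually
    // Comparable, which is why this example avoids sorting them altogether.
    static String normalize(List<?> entry) {
        int type = ((Integer) entry.get(0)).intValue();
        Object value = entry.get(1);
        String text;
        if (value instanceof byte[]) {
            text = Base64.getEncoder().encodeToString((byte[]) value);
        } else if (type == 2) {
            text = String.valueOf(value).toLowerCase(Locale.ROOT); // DNS names are case-insensitive
        } else {
            text = String.valueOf(value);
        }
        return type + ":" + text;
    }

    // Set equality of the normalized pairs: independent of entry order and entry type.
    // getSubjectAlternativeNames() returns null when the extension is absent, so null is tolerated.
    static boolean sameSans(Collection<List<?>> current, Collection<List<?>> candidate) {
        Set<String> a = new HashSet<>();
        Set<String> b = new HashSet<>();
        if (current != null) for (List<?> e : current) a.add(normalize(e));
        if (candidate != null) for (List<?> e : candidate) b.add(normalize(e));
        return a.equals(b);
    }

    static boolean sameSans(X509Certificate current, X509Certificate candidate) throws CertificateParsingException {
        return sameSans(current.getSubjectAlternativeNames(), candidate.getSubjectAlternativeNames());
    }

    public static void main(String[] args) {
        // Constructed sample entries standing in for two certificates' SAN lists.
        Collection<List<?>> oldSans = List.<List<?>>of(List.of(2, "node1.example.org"), List.of(7, "10.0.0.1"), List.of(0, new byte[] {0x30, 0x00}));
        Collection<List<?>> newSans = List.<List<?>>of(List.of(0, new byte[] {0x30, 0x00}), List.of(7, "10.0.0.1"), List.of(2, "NODE1.example.org"));
        System.out.println(sameSans(oldSans, newSans)); // same pairs in a different order and case
    }
}
```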