voxpupuli / puppet-opensearch

Puppet module to manage OpenSearch
Apache License 2.0

Add an option to remove default pki #42

Open frantz45 opened 1 year ago

frantz45 commented 1 year ago

There is no option to remove demo certificate files. So if you set plugins.security.allow_unsafe_democertificates to false, the opensearch service won't start (even if these certificates are not used in the configuration). (It may only concern deployment with RPM.)

Files that should be removed from /etc/opensearch:

smortex commented 1 year ago

There seems to be work in progress to rework the mess of these "demo" certs: https://github.com/opensearch-project/opensearch-build/issues/1649

I think it is better for us to wait for the fix in upstream before integrating this in the module rather than hacking something now and having to break it one more time in the future.

You can have these files lying around but not being referenced in your configuration file and OS will behave as expected. Not ideal, but I guess this is a compromise for the current time.
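An added example, not part of the thread or of the module's code: a small audit that lists `*.pem` files in an OpenSearch config directory that no `*_filepath` setting in `opensearch.yml` references, which is the "lying around but not referenced" state discussed above. It assumes certificate paths are given relative to the config directory; the function names and every file name in the demo are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches any "..._filepath: value" setting, flat or nested, e.g.
# plugins.security.ssl.transport.pemcert_filepath: node.pem
FILEPATH_SETTING = re.compile(r"^\s*[\w.]*_filepath\s*:\s*(.+?)\s*$")


def referenced_files(config_text):
    """Return file names referenced by *_filepath settings, ignoring comments."""
    refs = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]  # drop full-line and trailing comments
        match = FILEPATH_SETTING.match(line)
        if match:
            refs.add(match.group(1).strip("'\""))
    return refs


def unreferenced_pems(config_dir, config_name="opensearch.yml"):
    """List *.pem files in config_dir that the configuration does not reference."""
    config_dir = Path(config_dir)
    refs = referenced_files((config_dir / config_name).read_text())
    # Assumption: paths in opensearch.yml are relative to the config directory.
    resolved = {(config_dir / r).resolve() for r in refs}
    return sorted(p.name for p in config_dir.glob("*.pem")
                  if p.resolve() not in resolved)


def demo():
    """Run the audit on a constructed config directory (all names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "opensearch.yml").write_text(
            "plugins.security.allow_unsafe_democertificates: false\n"
            "plugins.security.ssl.transport.pemcert_filepath: node.pem\n"
            "plugins.security.ssl.transport.pemkey_filepath: node-key.pem  # in use\n"
            "#plugins.security.ssl.http.pemcert_filepath: leftover.pem\n"
        )
        for name in ("node.pem", "node-key.pem", "leftover.pem", "leftover-key.pem"):
            (d / name).write_text("constructed placeholder, not a real certificate\n")
        return unreferenced_pems(d)


if __name__ == "__main__":
    print(demo())
```

On a real host, call `unreferenced_pems("/etc/opensearch")` and review the result before removing anything.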

smortex commented 5 months ago

RFC upstream: https://github.com/opensearch-project/security/issues/4344

Feel free to follow and comment there.