Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add hot reload TLS certificate section #433 #6875

Merged
merged 8 commits into from
Apr 18, 2024
Merged

Add hot reload TLS certificate section #433 #6875

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
9ad86dd
adding hot reload TLS certificate section #433
AntonEliatra Apr 4, 2024
c5afdc2
fixing issues on hot reload #433
AntonEliatra Apr 4, 2024
89354ff
Merge branch 'main' into adding-hot-reload-certificate
Naarcha-AWS Apr 5, 2024
6f47374
Update tls.md
AntonEliatra Apr 8, 2024
3ac3126
Apply suggestions from code review
AntonEliatra Apr 15, 2024
15c8026
Apply suggestions from code review
AntonEliatra Apr 17, 2024
7b42bee
Update tls.md
AntonEliatra Apr 17, 2024
cf128d9
Merge branch 'main' into adding-hot-reload-certificate
Naarcha-AWS Apr 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions _api-reference/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ This reference includes the REST APIs supported by OpenSearch. If a REST API is
- [Supported units]({{site.url}}{{site.baseurl}}/api-reference/units/)
- [Tasks]({{site.url}}{{site.baseurl}}/api-reference/tasks/)
- [Transforms API]({{site.url}}{{site.baseurl}}/im-plugin/index-transforms/transforms-apis/)
- [Hot reload TLS certificates]({{site.url}}{{site.baseurl}}/security/configuration/tls/#hot-reloading-tls-certificates)



40 changes: 40 additions & 0 deletions _security/configuration/tls.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -226,3 +226,43 @@
* plugins.security.ssl.transport.truststore_password_secure

These settings allow for the use of encrypted passwords in the settings.

## Hot reloading TLS certificates

Updating expired or nearly expired TLS certificates does not require restarting the cluster. Instead, enable hot reloading of TLS cerificates by adding the following line to `opensearch.yml`:


`plugins.security.ssl_cert_reload_enabled: true`

This setting is `false` by default.
{: .note }

After enabling hot reloading, use the Reload Certificates API to replace the expired certificates. The API expects the old certificates to be replaced with valid certificates issued with the same `Issuer/Subject DN` and `SAN`. The new certificates also need be stored in the same location as the previous certificates in order to prevent any changes to the `opensearch.yml` file.

Only a [superadmin]({{site.url}}{{site.baseurl}}/security/configuration/tls/#configuring-admin-certificates) can use the Reload Certificates API.

Check failure on line 242 in _security/configuration/tls.md

View workflow job for this annotation

GitHub Actions / style-job 

[vale] reported by reviewdog 🐶
[OpenSearch.Spelling] Error: superadmin. If you are referencing a setting, variable, format, function, or repository, surround it with tic marks.

Raw Output:
{"message": "[OpenSearch.Spelling] Error: superadmin. If you are referencing a setting, variable, format, function, or repository, surround it with tic marks.", "location": {"path": "_security/configuration/tls.md", "range": {"start": {"line": 242, "column": 9}}}, "severity": "ERROR"}
{: .note }

### Reload TLS certificates on the transport layer
The following command reloads TLS certificates on the transport layer:

```json
AntonEliatra marked this conversation as resolved.
Show resolved Hide resolved
curl --cacert <ca.pem> --cert <admin.pem> --key <admin.key> -XPUT https://localhost:9200/_plugins/_security/api/ssl/transport/reloadcerts
```
{% include copy.html %}

You should receive the following response:
```{ "message": "successfully updated transport certs"}```

### Reload TLS certificates on the http layer

Check failure on line 256 in _security/configuration/tls.md

View workflow job for this annotation

GitHub Actions / style-job 

[vale] reported by reviewdog 🐶
[OpenSearch.Spelling] Error: http. If you are referencing a setting, variable, format, function, or repository, surround it with tic marks.

Raw Output:
{"message": "[OpenSearch.Spelling] Error: http. If you are referencing a setting, variable, format, function, or repository, surround it with tic marks.", "location": {"path": "_security/configuration/tls.md", "range": {"start": {"line": 256, "column": 36}}}, "severity": "ERROR"}

The following command reloads TLS certificates on the `http` layer:

```json
curl --cacert <ca.pem> --cert <admin.pem> --key <admin.key> -XPUT https://localhost:9200/_plugins/_security/api/ssl/http/reloadcerts
```
{% include copy.html %}

You should receive the following response:

```{ "message": "successfully updated http certs"}```

Loading