
I have a dedicated server running OpenSearch in Docker. I'm using the example configuration without the dashboard:

version: '3'
services:
  opensearch-node1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-node1/)
    image: opensearchproject/opensearch:latest # Specifying the latest available image - modify if you want a specific version
    container_name: opensearch-node1
    environment:
      - cluster.name=opensearch-cluster # Name the cluster
      - node.name=opensearch-node1 # Name the node that will run in this container
      - discovery.seed_hosts=opensearch-node1,opensearch-node2 # Nodes to look for when discovering the cluster
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 # Nodes eligible to serve as cluster manager
      - bootstrap.memory_lock=true # Disable JVM heap memory swapping
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # Set min and max JVM heap sizes to at least 50% of system RAM
    ulimits:
      memlock:
        soft: -1 # Set memlock to unlimited (no soft or hard limit)
        hard: -1
      nofile:
        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536
        hard: 65536
    volumes:
      - opensearch-data1:/usr/share/opensearch/data # Creates volume called opensearch-data1 and mounts it to the container
    ports:
      - 9200:9200 # REST API
      - 9600:9600 # Performance Analyzer
    networks:
      - opensearch-net # All of the containers will join the same Docker bridge network
  opensearch-node2:
    image: opensearchproject/opensearch:latest # This should be the same image used for opensearch-node1 to avoid issues
    container_name: opensearch-node2
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node2
      - discovery.seed_hosts=opensearch-node1,opensearch-node2
      - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - opensearch-data2:/usr/share/opensearch/data
    networks:
      - opensearch-net
  
volumes:
  opensearch-data1:
  opensearch-data2:

networks:
  opensearch-net:

OpenSearch is running with SSL (self-signed, as I understand it). When I try to query it from outside the container, locally, with curl:

curl -XGET https://127.0.0.1:9200 -u 'admin:admin' -v

It shows me an error:

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:9200

What's wrong? How do I work with the secured version of OpenSearch?

habb
  • After a few days of trying to make self-signed certificates only for localhost (I don't need to share them externally) using [this page](https://opensearch.org/docs/latest/security/configuration/generate-certificates/), it still wasn't working. There is a lack of docs for local usage (the mystical "node1.dns.a-record"; I don't have a domain). – habb Apr 06 '23 at 09:05
  • So I preferred to switch to Elasticsearch. It has an easy all-in-one [docker-compose file](https://github.com/elastic/elasticsearch/tree/main/docs/reference/setup/install/docker) that works locally with generated self-signed certificates. – habb Apr 06 '23 at 09:07

1 Answer


As you can see in "Getting started with cross-cluster replication", all the curl calls are done with -k, to side-step the certificate check.

Even opensearch-project/OpenSearch issue 1633 ("Provide a certificate management tool for opensearch distributions ") includes a script with:

To access your secured cluster open https://<hostname>:<HTTP port>
and log in with admin/admin.  
Example:

    curl -k https://localhost:9200 -u admin:admin

(Ignore the SSL certificate warning because we installed self-signed certificates)

But you could also follow the "Generating self-signed certificates" documentation page, which addresses this issue:

If you don’t have access to a certificate authority (CA) for your organization and want to use OpenSearch for non-demo purposes, you can generate your own self-signed certificates using OpenSSL.

It involves creating a self-signed certificate, but also an admin certificate.

Then you can add the certificate files to opensearch.yml.

VonC
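The following script is an added example, not code from the question, the answer, or the OpenSearch project. It walks through the procedure the answer points to (a local root CA, a node certificate, and a separate admin certificate, then the matching opensearch.yml keys) and addresses the "node1.dns.a-record" confusion from the comments: that placeholder is simply the hostname clients will connect to, so for a localhost-only setup the node certificate needs a Subject Alternative Name listing localhost, 127.0.0.1 and the compose hostname (opensearch-node1). With the CA in hand, curl can verify the server with --cacert instead of -k. The output directory, the dummy DN fields and the shell function names are assumptions; only openssl is required.

```shell
#!/bin/sh
# Added example (not from the OpenSearch docs or the answer): generate a local CA,
# a node certificate with SANs for localhost use, and an admin client certificate.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

CERT_DIR="${CERT_DIR:-./certs}"                 # assumption: where the PEM files go
NODE_HOST="${NODE_HOST:-opensearch-node1}"      # assumption: compose service hostname
SUBJ_BASE="/C=US/ST=Local/L=Local/O=Example/OU=Dev"   # assumption: dummy DN fields
mkdir -p "$CERT_DIR"

# Root CA: private key plus a self-signed certificate (10 years).
gen_ca() {
  openssl genrsa -out "$CERT_DIR/root-ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -key "$CERT_DIR/root-ca-key.pem" \
    -subj "$SUBJ_BASE/CN=ROOT" -out "$CERT_DIR/root-ca.pem"
}

# gen_cert NAME CN [SANS]: key (converted to PKCS#8, which OpenSearch expects),
# CSR, and a certificate signed by the root CA. SANS, when given, becomes a
# subjectAltName extension; curl checks the hostname it connects to against it.
gen_cert() {
  name="$1"; cn="$2"; sans="${3:-}"
  openssl genrsa -out "$CERT_DIR/$name-key-temp.pem" 2048 2>/dev/null
  openssl pkcs8 -inform PEM -outform PEM -topk8 -nocrypt \
    -in "$CERT_DIR/$name-key-temp.pem" -out "$CERT_DIR/$name-key.pem"
  rm -f "$CERT_DIR/$name-key-temp.pem"
  openssl req -new -key "$CERT_DIR/$name-key.pem" -subj "$SUBJ_BASE/CN=$cn" \
    -out "$CERT_DIR/$name.csr"
  if [ -n "$sans" ]; then
    printf 'subjectAltName=%s\n' "$sans" > "$CERT_DIR/$name.ext"
    openssl x509 -req -sha256 -days 730 -in "$CERT_DIR/$name.csr" \
      -CA "$CERT_DIR/root-ca.pem" -CAkey "$CERT_DIR/root-ca-key.pem" -CAcreateserial \
      -extfile "$CERT_DIR/$name.ext" -out "$CERT_DIR/$name.pem" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 730 -in "$CERT_DIR/$name.csr" \
      -CA "$CERT_DIR/root-ca.pem" -CAkey "$CERT_DIR/root-ca-key.pem" -CAcreateserial \
      -out "$CERT_DIR/$name.pem" 2>/dev/null
  fi
  rm -f "$CERT_DIR/$name.csr" "$CERT_DIR/$name.ext"
}

# Both leaf certificates must chain to the root CA, or OpenSearch will reject them.
verify_chain() {
  openssl verify -CAfile "$CERT_DIR/root-ca.pem" "$CERT_DIR/node.pem" "$CERT_DIR/admin.pem" >/dev/null
}

# Subject DN in the RFC 2253 form that admin_dn / nodes_dn in opensearch.yml use.
cert_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# The SAN line of the node certificate, e.g. "DNS:localhost, DNS:opensearch-node1, IP Address:127.0.0.1".
node_sans() {
  openssl x509 -in "$CERT_DIR/node.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# The opensearch.yml keys from the "Generating self-signed certificates" page,
# filled in with the DNs of the certificates just created.
print_opensearch_yml() {
  cat <<EOF
plugins.security.ssl.transport.pemcert_filepath: node.pem
plugins.security.ssl.transport.pemkey_filepath: node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node.pem
plugins.security.ssl.http.pemkey_filepath: node-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.authcz.admin_dn:
  - '$(cert_dn "$CERT_DIR/admin.pem")'
plugins.security.nodes_dn:
  - '$(cert_dn "$CERT_DIR/node.pem")'
EOF
}

main() {
  gen_ca
  gen_cert node "$NODE_HOST" "DNS:localhost,DNS:$NODE_HOST,IP:127.0.0.1"
  gen_cert admin admin      # client certificate, no SAN needed
  verify_chain
  print_opensearch_yml
  echo "# Verify the server instead of skipping the check with -k:"
  echo "#   curl --cacert $CERT_DIR/root-ca.pem -u admin:admin https://localhost:9200"
  echo "# Admin-only security API calls present the admin client certificate:"
  echo "#   curl --cacert $CERT_DIR/root-ca.pem --cert $CERT_DIR/admin.pem --key $CERT_DIR/admin-key.pem https://localhost:9200/_plugins/_security/api/internalusers"
}
main
```

Mount the generated PEM files into /usr/share/opensearch/config/ of each node and paste the printed keys into opensearch.yml; the node certificate covers 127.0.0.1 as an IP SAN and localhost as a DNS SAN, so both curl https://127.0.0.1:9200 and curl https://localhost:9200 validate against root-ca.pem. Put every name a client will use into the SAN list: hostname verification fails on any name that is missing, and the curl error for that is a certificate problem (exit 60), which is distinct from the SSL_ERROR_SYSCALL (exit 35) in the question, where the TLS handshake never completed at all.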