Apply configuration changes using securityadmin.sh

sharath · February 3, 2022, 5:44am

5:42:46.421 [opensearch[client][transport_worker][T#1]] ERROR org.opensearch.security.ssl.transport.SecuritySSLNettyTransport - Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: No name matching localhost found
javax.net.ssl.SSLHandshakeException: No name matching localhost found
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:369) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:312) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:307) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1267) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1254) ~[?:?]
at java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1199) ~[?:?]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1548) ~[netty-handler-4.1.69.Final.jar:4.1.69.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1394) ~[netty-handler-4.1.69.Final.jar:4.1.69.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235) ~[netty-handler-4.1.69.Final.jar:4.1.69.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1284) ~[netty-handler-4.1.69.Final.jar:4.1.69.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507) ~[netty-codec-4.1.69.Final.jar:4.1.69.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446) ~[netty-codec-4.1.69.Final.jar:4.1.69.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[netty-codec-4.1.69.Final.jar:4.1.69.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.69.Final.jar:4.1.69.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986) [netty-common-4.1.69.Final.jar:4.1.69.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.69.Final.jar:4.1.69.Final]
at java.lang.Thread.run(Thread.java:832) [?:?]
Caused by: java.security.cert.CertificateException: No name matching localhost found
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:234) ~[?:?]
at sun.security.util.HostnameChecker.match(HostnameChecker.java:103) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:452) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:426) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:292) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
… 30 more
ERR: Cannot connect to OpenSearch. Please refer to opensearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{EJBNZeC_StqP_vEAwBr_fQ}{localhost}{127.0.0.1:9300}]]
at org.opensearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:381)
at org.opensearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:272)
at org.opensearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:79)
at org.opensearch.client.transport.TransportClient.doExecute(TransportClient.java:484)
at org.opensearch.client.support.AbstractClient.execute(AbstractClient.java:433)
at org.opensearch.client.support.AbstractClient.execute(AbstractClient.java:419)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:524)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:157)

Script : ./securityadmin.sh -cd …/securityconfig/ -icl-nhnv -cacert …/…/…/config/certs/root-ca.pem -cert …/…/…/config/certs/admin.pem -key …/…/…/config/certs/admin-key.pem

sharath · February 3, 2022, 5:47am

I have rectified the issue and solved the problem.

pablo · February 3, 2022, 2:05pm

@sharath thanks for the update. The securityadmin.sh by default connects with localhost. -h option allows choosing Elasticsearch hostname.

The hostname must match CN or SAN of Elastisearch’s SSL certificate

Simon · August 29, 2023, 8:23am

hi @sharath how did you fix it？i have the same trouble.

pablo · August 29, 2023, 4:31pm

@Simon Please open a new thread and share your securityadmin.sh command and the output.

Simon · August 31, 2023, 9:33am

hi @pablo thx for your reply.

lgrullonbb · November 11, 2025, 4:16pm

I adjusted my password via hash.sh, but I am not able to updat the backend…it keeps giving me an error related to SSL, even when I am using plain http. Please advise.

./securityadmin.sh -icl-nhnv -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/kirk.pem -key /etc/opensearch/kirk-key.pem -h 10.123.80.97 Security Admin v7
Will connect to 10.123.80.97:9200 ... done
ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection?
Trace:
java.io.IOException: Unrecognized SSL message, plaintext connection?
        at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:1348)
        at org.opensearch.client.RestClient.performRequest(RestClient.java:371)
        at org.opensearch.client.RestClient.performRequest(RestClient.java:359)
        at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:541)
        at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:154)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
        at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
        at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
        at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:610)
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:504)
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:480)
        at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:673)
        at org.apache.hc.core5.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:336)
        at org.apache.hc.core5.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:392)
        at org.apache.hc.core5.reactor.ssl.SSLIOSession.access$100(SSLIOSession.java:74)
        at org.apache.hc.core5.reactor.ssl.SSLIOSession$1.inputReady(SSLIOSession.java:203)
        at org.apache.hc.core5.reactor.InternalDataChannel.onIOEvent(InternalDataChannel.java:143)
        at org.apache.hc.core5.reactor.InternalChannel.handleIOEvent(InternalChannel.java:51)
        at org.apache.hc.core5.reactor.SingleCoreIOReactor.processEvents(SingleCoreIOReactor.java:176)
        at org.apache.hc.core5.reactor.SingleCoreIOReactor.doExecute(SingleCoreIOReactor.java:125)
        at org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(AbstractSingleCoreIOReactor.java:92)
        at org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44)
        at java.base/java.lang.Thread.run(Thread.java:1447)

pablo · November 11, 2025, 11:00pm

Hi @lgrullonbb, as per the error message securityadmin.sh expects SSL at 9200. It will fail to communicate with HTTP.

Which of these works in your environment?

curl --insecure -u admin:<password> https://10.123.80.97:9200

or

curl http://10.123.80.97:9200

lgrullonbb · November 17, 2025, 2:16pm

I am guetting the following output via curl:

curl http://10.123.80.97:9200
{
  "name" : "node1",
  "cluster_name" : "bsi-prd-cluster",
  "cluster_uuid" : "VDRQagj5RFa82Ug_BtHnQQ",
  "version" : {
    "distribution" : "opensearch",
    "number" : "3.3.2",
    "build_type" : "rpm",
    "build_hash" : "6564992150e26aaa62d4522a220dfff5188aeb88",
    "build_date" : "2025-10-29T22:24:10.265134377Z",
    "build_snapshot" : false,
    "lucene_version" : "10.3.1",
    "minimum_wire_compatibility_version" : "2.19.0",
    "minimum_index_compatibility_version" : "2.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

When I tried the same via https, I am getting the following:

curl --insecure -u admin:password https://10.123.80.97:9200
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

pablo · November 17, 2025, 2:56pm

@lgrullonbb Did you disable security plugin in this OpenSearch cluster?

lgrullonbb · November 17, 2025, 3:05pm

Yes, I have the security plugin disable

pablo · November 17, 2025, 8:13pm

@lgrullonbb So how do you want to update the security configuration with securityadmin.sh script when that plugin is disabled?

Security plugin must be enabled, with HTTP SSL set to true.

plugins.security.ssl.http.enabled: true

Topic		Replies	Views
./securityadmin.sh ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection? Security install	9	1195	September 22, 2023
Error while executing securityadmin.sh in OS 1.2.4 Security security-issue	19	918	October 26, 2023
Securityadmin.sh errors when connecting opensearch through http Security troubleshoot	4	4439	June 2, 2022
OpenSearch Security not initialized.opensearch .\| [ERROR][o.o.s.s.t.SecuritySSLNettyTransport] [26275-7070770-stage-ipm-mdmp.ibm.com] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal error Security discuss , troubleshoot , configure , install , security-issue	7	1123	September 25, 2024
When trying to install and configure opensearch getting the below error Security troubleshoot , configure	6	220	August 16, 2024

Apply configuration changes using securityadmin.sh

Related topics