Cannot update admin password

panitia_kiamat · February 5, 2024, 2:01am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.11.0

Describe the issue:
Hi
i cannot update admin password
these are my step

generate hash password with tool hash.sh
update the hash from admin at internal_users
run securityadmin.sh

result
OpenSearch Version: 2.11.0
ERR: Seems you use a node certificate which is also an admin certificate
That may have worked with older OpenSearch Security versions but it indicates
a configuration error and is therefore forbidden now.
OpenSearch Version: 2.11.0
Contacting opensearch cluster ‘opensearch’ and wait for YELLOW clusterstate …
Clustername: prod-opensearch
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 3
.opendistro_security index already exists, so we do not need to create one.
Populate config from /data/opensearch/opensearch-2.11.0/plugins/opensearch-security/tools
Will update ‘/config’ with /data/opensearch/opensearch-2.11.0/config/opensearch-security/config.yml
SUCC: Configuration for ‘config’ created or updated
SUCC: Expected 1 config types for node {“updated_config_types”:[“config”],“updated_config_size”:1,“message”:null} is 1 ([“config”]) due to: null
SUCC: Expected 1 config types for node {“updated_config_types”:[“config”],“updated_config_size”:1,“message”:null} is 1 ([“config”]) due to: null
SUCC: Expected 1 config types for node {“updated_config_types”:[“config”],“updated_config_size”:1,“message”:null} is 1 ([“config”]) due to: null
Done with success

Configuration:

Relevant Logs or Screenshots:
There is this error
ERR: Seems you use a node certificate which is also an admin certificate
That may have worked with older OpenSearch Security versions but it indicates
a configuration error and is therefore forbidden now.

but previously it works when i update saml_auth_domain at /config/opensearch-security/config.yml

pablo · February 29, 2024, 9:50pm

Based on that error, you’ve used the same certificate for the node and admin_dn in opensearch.yml. Please use separate certificates.

The below example is the default demo opensearch.yml file. In this file the esnode.pem cert is used only for SSL server communication. The admin_dn has a different certificate configured.

plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem

plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']

As per the error, using the same certificate for admin_dn and node is forbidden.

Topic		Replies	Views
Cannot change default password for Admin OS 1.2.3 Security configure	5	729	January 12, 2022
How to update admin password in internal_user.yml file without losing the existing users OpenSearch troubleshoot , upgrade	4	1574	August 8, 2023
Problem with the default admin Passwort OpenSearch	19	9211	May 19, 2024
How to change admin password with ssl disabled? Security	3	380	January 22, 2024
Change admin user password without running hash.sh OpenSearch configure	3	176	August 13, 2024

Cannot update admin password

Related topics