Hi!
I have two nodes. I made certificates as described here: Generate certificates - OpenSearch documentation.
I copied root-ca.pem and admin*.pem to the machines and started the nodes, but I have a problem with the TLS/SSL handshake.
sa5uts-opm-1 opensearch.yml:

```yaml
cluster.name: ops-1
action.auto_create_index: true
compatibility.override_main_response_version: true
node.name: ${HOSTNAME}
#node.roles: [ master ]
node.master: true
node.data: false
node.ingest: false
node.remote_cluster_client: true
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.29.39.179", "172.29.39.181"]
cluster.initial_master_nodes: ["172.29.39.179"]
plugins.security.ssl.transport.pemcert_filepath: admin.pem
plugins.security.ssl.transport.pemkey_filepath: admin-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: admin.pem
plugins.security.ssl.http.pemkey_filepath: admin-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
node.max_local_storage_nodes: 3
```
sa5uts-opd-1 opensearch.yml:

```yaml
cluster.name: ops-1
action.auto_create_index: true
compatibility.override_main_response_version: true
node.name: sa5uts-opd-1
#node.roles: [ data, ingest, remote_cluster_client ]
node.master: false
node.data: true
node.ingest: true
node.remote_cluster_client: true
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["172.29.39.179", "172.29.39.181"]
cluster.initial_master_nodes: ["172.29.39.179"]
plugins.security.ssl.transport.pemcert_filepath: admin.pem
plugins.security.ssl.transport.pemkey_filepath: admin-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: admin.pem
plugins.security.ssl.http.pemkey_filepath: admin-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
node.max_local_storage_nodes: 3
```
sa5uts-opd-1 logs:

```text
[2022-03-28T14:59:36,129][WARN ][o.o.d.HandshakingTransportAddressConnector] [sa5uts-opd-1] handshake failed for [connectToRemoteMasterNode[172.29.39.179:9300]]
org.opensearch.transport.RemoteTransportException: [sa5uts-opm-1][172.29.39.179:9300][internal:transport/handshake]
Caused by: org.opensearch.OpenSearchException: Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with
a non-node certificate (no OID or security.nodes_dn incorrect configured) or that someone
is spoofing requests. Check your TLS certificate setup as described here: See https://opendistro.github.io/for-elasticsearch-docs/docs/troubleshoot/tls/
[2022-03-28T14:59:36,374][WARN ][o.o.c.c.ClusterFormationFailureHelper] [sa5uts-opd-1] master not discovered yet: have discovered [{sa5uts-opd-1}{oQBUjfC1Rp-nYzbeRjExiA}{5Io-iIbwSe-_qn7jqHwRHg}{172.29.39.181}{172.29.39.181:9300}{dir}{shard_indexing_pressure_enabled=true}]; discovery will continue using [172.29.39.179:9300] from hosts providers and [] from last-known cluster state; node term 0, last-accepted version 0 in term 0
[2022-03-28T14:59:37,131][WARN ][o.o.d.HandshakingTransportAddressConnector] [sa5uts-opd-1] handshake failed for [connectToRemoteMasterNode[172.29.39.179:9300]]
org.opensearch.transport.RemoteTransportException: [sa5uts-opm-1][172.29.39.179:9300][internal:transport/handshake]
Caused by: org.opensearch.OpenSearchException: Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with
a non-node certificate (no OID or security.nodes_dn incorrect configured) or that someone
is spoofing requests. Check your TLS certificate setup as described here: See https://opendistro.github.io/for-elasticsearch-docs/docs/troubleshoot/tls/
```
sa5uts-opm-1 logs:

```text
[2022-03-28T13:34:39,355][WARN ][o.o.t.TcpTransport ] [sa5uts-opm-1] exception caught on transport layer [Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=null}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
```
As I understand it, it should work with the admin certs, but it doesn't.
Can you explain my mistake to me?
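As an added example, not part of the original post and not OpenSearch's own tooling: the two log messages above come from two different checks the security plugin runs on the transport layer. The data node's error ("non-node certificate (no OID or security.nodes_dn incorrect configured)") says the certificate it received carries neither the node OID (the OpenSearch certificate docs place 1.2.3.4.5.5 as a Registered ID in the SAN of node certificates) nor a subject listed in plugins.security.nodes_dn; an admin certificate made by those docs has neither, and both opensearch.yml files above name admin.pem as the transport pemcert_filepath. The master's certificate_unknown alert says it could not chain the presented certificate to its own root-ca.pem. The script below checks a PEM file for both conditions and for "is this actually the admin cert" using only the openssl CLI (assumed installed, 1.1.1 or newer). make_demo_certs builds a constructed root CA, node certificate and admin certificate purely for demonstration; the hostname and DN it uses are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the forum post): sanity checks for the PEM files an
# OpenSearch node is configured to load, using only the openssl CLI.
set -eu

# Exit 0 when the certificate's SAN carries the OpenSearch node OID 1.2.3.4.5.5
# (the Registered ID the OpenSearch certificate docs put on node certs).
san_has_node_oid() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | grep -q '1\.2\.3\.4\.5\.5'
}

# Exit 0 when CERT chains to CA, which is what the remote node checks during
# the TLS handshake before it can send anything but certificate_unknown.
verify_chain() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Print the subject DN in RFC 2253 form, the form admin_dn and nodes_dn use.
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Exit 0 when the certificate's subject equals the configured admin DN, i.e.
# it is the admin certificate (meant for securityadmin.sh, not for transport).
is_admin_cert() {
    [ "$(subject_dn "$1")" = "$2" ]
}

# Constructed demo material: a root CA, one node cert carrying the node OID
# and one admin cert without it, all written into DIR. Hypothetical values.
make_demo_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-root-ca' \
        -keyout "$dir/root-ca-key.pem" -out "$dir/root-ca.pem" 2>/dev/null
    printf 'subjectAltName=RID:1.2.3.4.5.5,DNS:sa5uts-opd-1\n' > "$dir/node.ext"
    openssl req -newkey rsa:2048 -nodes -subj '/CN=sa5uts-opd-1' \
        -keyout "$dir/node-key.pem" -out "$dir/node.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/node.csr" -CA "$dir/root-ca.pem" \
        -CAkey "$dir/root-ca-key.pem" -CAcreateserial -extfile "$dir/node.ext" \
        -out "$dir/node.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj '/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ADMIN' \
        -keyout "$dir/admin-key.pem" -out "$dir/admin.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/admin.csr" -CA "$dir/root-ca.pem" \
        -CAkey "$dir/root-ca-key.pem" -CAcreateserial -out "$dir/admin.pem" 2>/dev/null
}

# Print one certificate's verdict the way an operator reads it against the logs.
report() {
    ca="$1"; cert="$2"; admin_dn="$3"
    printf '== %s\n' "$cert"
    printf '   subject:   %s\n' "$(subject_dn "$cert")"
    if verify_chain "$ca" "$cert"; then echo '   chain:     OK, signed by the given root CA'
    else echo '   chain:     FAIL, peer would answer certificate_unknown'; fi
    if san_has_node_oid "$cert"; then echo '   node OID:  present, usable on the transport layer'
    else echo '   node OID:  missing, "non-node certificate" unless nodes_dn lists this DN'; fi
    if is_admin_cert "$cert" "$admin_dn"; then
        echo '   admin DN:  matches admin_dn, keep this cert for securityadmin.sh only'; fi
}

# Demo run on constructed material; point report at real files instead.
if [ "${1:-}" = "--demo" ]; then
    T=$(mktemp -d)
    ADMIN_DN='CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
    make_demo_certs "$T"
    report "$T/root-ca.pem" "$T/node.pem"  "$ADMIN_DN"
    report "$T/root-ca.pem" "$T/admin.pem" "$ADMIN_DN"
    rm -rf "$T"
fi
```

Run it as `sh check_node_cert.sh --demo` to see both verdicts on the constructed certificates, or call `report /path/to/root-ca.pem /path/to/your.pem 'CN=ADMIN,...'` on each node with the files named in pemcert_filepath and pemtrustedcas_filepath. Running the chain check with the root-ca.pem copied to the other machine, rather than the local one, is what reproduces the master's side of the handshake.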