Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch version: 2.12
Describe the issue:
I recently tried working on opensearch as a PoC for my project. I generated new pem files for SSL and I am unable to curl to the server.
The error I get is:
* Rebuilt URL to: https://localhost:9200/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Note: I have another node running mapped to a different port which is working fine (I haven’t modified its opensearch.yml, and it’s running the demo setup).
Configuration:
openseach.yml:
---
cluster.name: docker-cluster
# Bind to all interfaces because we don't know what IP address Docker will assign to us.
network.host: 0.0.0.0
# # minimum_master_nodes need to be explicitly set when bound on a public IP
# # set to 1 to allow single node clusters
# discovery.zen.minimum_master_nodes: 1
# Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
# discovery.type: single-node
######## Start OpenSearch Security Demo Configuration ########
plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node1.pem
plugins.security.ssl.http.pemkey_filepath: node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
- CN=Opensearch,OU=Development,O=<company_name>,L=Delhi,C=IN
plugins.security.nodes_dn:
- 'CN=Opensearch,OU=Development,O=<company_name>,L=Delhi,C=IN'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
opendistro_security.audit.config.disabled_rest_categories: NONE
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-config, .plugins-ml-connector,
.plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task, .plugins-ml-conversation-meta,
.plugins-ml-conversation-interactions, .plugins-ml-memory-meta, .plugins-ml-memory-message,
.opendistro-alerting-config, .opendistro-alerting-alert*, .opendistro-anomaly-results*,
.opendistro-anomaly-detector*, .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state,
.opendistro-reports-*, .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability,
.ql-datasources, .opendistro-asynchronous-search-response*, .replication-metadata-store,
.opensearch-knn-models, .geospatial-ip2geo-data*, .plugins-flow-framework-config,
.plugins-flow-framework-templates, .plugins-flow-framework-state]
#node.max_local_storage_nodes: 3
#opensearch_performance_analyzer.collection_enabled: true
#opensearch_performance_analyzer.exporter_enabled: true
#opensearch_performance_analyzer.exporter_jmx_use_rmi: true
#opensearch_performance_analyzer.collection_interval: 10000
#opensearch_performance_analyzer.exporter_export_internals: true
#opensearch_performance_analyzer.collection_cgroup_path: /sys/fs/cgroup
#opensearch_performance_analyzer.exporter_jmx_host: localhost
#opensearch_performance_analyzer.exporter_jmx_port: 7199
#opensearch_performance_analyzer.exporter_jmx_csv_export_folder: performance_analyzer_csv_export
######## End OpenSearch Security Configuration ########
docker-compose:
version: '3'
services:
opensearch-node1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-node1/)
image: opensearchproject/opensearch:latest # Specifying the latest available image - modify if you want a specific version
container_name: opensearch-node1
environment:
- cluster.name=opensearch-cluster # Name the cluster
- node.name=opensearch-node1 # Name the node that will run in this container
- discovery.seed_hosts=opensearch-node1,opensearch-node2 # Nodes to look for when discovering the cluster
- cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 # Nodes eligible to serve as cluster manager
- bootstrap.memory_lock=true # Disable JVM heap memory swapping
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # Set min and max JVM heap sizes to at least 50% of system RAM
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD} # Sets the demo admin user password when using demo configuration, required for OpenSearch 2.12 and later
ulimits:
memlock:
soft: -1 # Set memlock to unlimited (no soft or hard limit)
hard: -1
nofile:
soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536
hard: 65536
volumes:
- opensearch-data1:/usr/share/opensearch/data # Creates volume called opensearch-data1 and mounts it to the container
ports:
- 4010:9200 # REST API
- 9600:9600 # Performance Analyzer
networks:
- opensearch-net # All of the containers will join the same Docker bridge network
opensearch-node2:
image: opensearchproject/opensearch:latest # This should be the same image used for opensearch-node1 to avoid issues
container_name: opensearch-node2
environment:
- cluster.name=opensearch-cluster
- node.name=opensearch-node2
- discovery.seed_hosts=opensearch-node1,opensearch-node2
- cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
- bootstrap.memory_lock=true
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
- "DISABLE_INSTALL_DEMO_CONFIG=true" # Prevents execution of bundled demo script which installs demo certificates and security configurations to OpenSearch
- "DISABLE_SECURITY_PLUGIN=true" # Disables Security plugin
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
- ./certs/admin.pem:/usr/share/opensearch/config/admin.pem
- ./certs/admin-key.pem:/usr/share/opensearch/config/admin-key.pem
- ./certs/node1.pem:/usr/share/opensearch/config/node1.pem
- ./certs/node1-key.pem:/usr/share/opensearch/config/node1-key.pem
- ./opensearch.yml:/usr/share/opensearch/config/opensearch.yml
- opensearch-data2:/usr/share/opensearch/data
ports:
- 9200:9200 # REST API
- 9601:9600 # Performance Analyzer
networks:
- opensearch-net
opensearch-dashboards:
image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes
container_name: opensearch-dashboards
ports:
- 5601:5601 # Map host port 5601 to container port 5601
expose:
- "5601" # Expose port 5601 for web access to OpenSearch Dashboards
environment:
OPENSEARCH_HOSTS: '["https://opensearch-node1:9200","https://opensearch-node2:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
networks:
- opensearch-net
depends_on:
- opensearch-node1
- opensearch-node2
volumes:
opensearch-data1:
opensearch-data2:
networks:
opensearch-net:
external: true
name: opensearch-net
Relevant Logs or Screenshots: