Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearchproject/opensearch-dashboards:2.18.0
Describe the issue: I am using self-signed certificates that I created by following the OpenSearch documentation. However, I am encountering a certificate mismatch error, even though the certificate and key are a matching pair. I first created root-ca-key.pem and then used that same key to generate root-ca.pem.
Configuration:
Opensearch_dashboards.yml
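# opensearch_dashboards.yml as posted. The forum's typographic quotes are
# restored to plain ASCII quotes so the cipher names, the CA path and the
# bind address parse as the intended strings; no setting value is changed.

# NOTE(review): inside the osdash container "localhost" is the Dashboards
# container itself. The compose file on this page sets OPENSEARCH_HOSTS to
# https://opensearch:9200, which presumably takes precedence; confirm which
# value is actually in effect.
opensearch.hosts: ["https://localhost:9200"]

# "certificate" validates the chain against certificateAuthorities but skips
# the hostname check. The compose file asks for "full" instead; settle on one.
opensearch.ssl.verificationMode: certificate

# NOTE(review): this is the cluster admin account with its password in plain
# text, and the same value appears in docker-compose.yml. Having been
# published, it should be rotated. Dashboards normally connects with a
# dedicated low-privilege service account, and the secret is better kept out
# of the file (keystore or an injected environment variable).
opensearch.username: admin
opensearch.password: Alohomora@3127

# The startup log on this page reports this key as deprecated and replaced by
# opensearch.requestHeadersAllowlist.
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

server.ssl.enabled: true

# Client certificate that Dashboards presents to OpenSearch. Per the compose
# volume mapping these two paths hold the root CA certificate and the root CA
# private key, not a certificate issued to this service.
opensearch.ssl.key: /usr/share/opensearch-dashboards/config/esnode-key.pem
opensearch.ssl.certificate: /usr/share/opensearch-dashboards/config/esnode.pem

server.ssl.cipherSuites:
  - "TLS_AES_128_GCM_SHA256"
  - "TLS_AES_256_GCM_SHA384"
  - "ECDHE-RSA-AES128-GCM-SHA256"
  - "ECDHE-RSA-AES256-GCM-SHA384"

opensearch.ssl.alwaysPresentCertificate: true

# The fatal "key values mismatch" in the log is raised while the HTTPS server
# loads its key, so this is the pair that failed. Check the files as the
# container sees them, for example by comparing the output of
#   openssl x509 -noout -pubkey -in esnode.pem
#   openssl pkey -pubout -in esnode-key.pem
# NOTE(review): serving TLS with the root CA key means a compromise of this
# container exposes the key that can sign certificates for everything that
# trusts this CA. Issue a separate server certificate signed by the CA and
# keep the CA key out of the containers.
server.ssl.certificate: /usr/share/opensearch-dashboards/config/esnode.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/esnode-key.pem

# Trust anchor used to verify the certificate OpenSearch presents. It only
# helps if the OpenSearch node certificate was issued by this CA.
opensearch.ssl.certificateAuthorities:
  - "/usr/share/opensearch-dashboards/config/esnode.pem"

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
opensearch_security.cookie.secure: true

# Listens on every interface of the container; exposure is then decided by
# the compose port mapping.
server.host: '0.0.0.0'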
docker-compose.yml file:
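# docker-compose.yml as posted, with the nesting that the paste lost restored
# and port mappings quoted. No setting value is changed; review notes are
# comments only.
services:
  opensearch:
    image: opensearchproject/opensearch:2.18.0
    container_name: opensearch
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch
      - discovery.seed_hosts=opensearch
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m
      - DISABLE_SECURITY_PLUGIN=false
      # NOTE(review): admin password in plain text, repeated for osdash below
      # and in opensearch_dashboards.yml. Rotate it now that it is published
      # and supply it from an untracked env file or a secret store.
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=Alohomora@3127
      - OPENSEARCH_HTTP_SSL_ENABLED=true
    volumes:
      # NOTE(review): the CA private key is mounted into the node, but no
      # opensearch.yml on this page references either file. If the node still
      # serves a certificate that this CA did not issue, Dashboards cannot
      # verify it against root-ca.pem - confirm what the node presents.
      - ./root-ca.pem:/usr/share/opensearch/config/root-ca.pem
      - ./root-ca-key.pem:/usr/share/opensearch/config/root-ca-key.pem
    ports:
      # Published on all host interfaces; bind to 127.0.0.1 if the API is
      # only needed locally.
      - "9200:9200"
      - "9600:9600"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    networks:
      - apigwosdash

  osdash:
    image: opensearchproject/opensearch-dashboards:2.18.0
    container_name: osdash
    # NOTE(review): several settings here are also set in the mounted
    # opensearch_dashboards.yml with different values (hosts, verification
    # mode). Keep each setting in one place so it is clear which one applies.
    environment:
      - OPENSEARCH_HOSTS=https://opensearch:9200
      - DISABLE_SECURITY_DASHBOARDS_PLUGIN=false
      # "full" also checks the hostname, so the OpenSearch certificate needs
      # a subject alternative name matching "opensearch".
      - OPENSEARCH_SSL_VERIFICATION_MODE=full  # Ensure SSL verification is enabled
      #- OPENSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/opensearch-dashboards/config/root-ca.pem
      #- SERVER_BASEPATH=/apigatewayui/dashboardproxy
      - OPENSEARCH_USERNAME=admin
      - OPENSEARCH_PASSWORD=Alohomora@3127
      - SERVER_SSL_ENABLED=true
      # NOTE(review): requires every browser to present a client certificate,
      # yet no server.ssl.certificateAuthorities is configured on this page
      # to validate one - confirm this is intended.
      - SERVER_SSL_CLIENTAUTHENTICATION=required
      - SERVER_SSL_CERTIFICATE=/usr/share/opensearch-dashboards/config/esnode.pem
      - SERVER_SSL_KEY=/usr/share/opensearch-dashboards/config/esnode-key.pem
    volumes:
      # The root CA certificate and root CA private key are mounted under the
      # server certificate/key names. The reported "key values mismatch" is
      # about this pair as seen inside the container, so verify the mounted
      # files there rather than the copies on the host.
      # NOTE(review): a CA key should not double as a service's TLS key; issue
      # a server certificate signed by the CA and mount that pair instead.
      - ./root-ca.pem:/usr/share/opensearch-dashboards/config/esnode.pem
      - ./root-ca-key.pem:/usr/share/opensearch-dashboards/config/esnode-key.pem
      - ./opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
    depends_on:
      - opensearch
    ports:
      - "5601:5601"
    networks:
      - apigwosdash

networks:
  apigwosdash:
    name: apigwosdash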
Relevant Logs or Screenshots:
{“type”:“log”,“@timestamp”:“2025-03-10T05:42:31Z”,“tags”:[“info”,“plugins-service”],“pid”:1,“message”:“Plugin "applicationConfig" is disabled.”}
{“type”:“log”,“@timestamp”:“2025-03-10T05:42:31Z”,“tags”:[“info”,“plugins-service”],“pid”:1,“message”:“Plugin "cspHandler" is disabled.”}
{“type”:“log”,“@timestamp”:“2025-03-10T05:42:31Z”,“tags”:[“info”,“plugins-service”],“pid”:1,“message”:“Plugin "dataSource" is disabled.”}
{“type”:“log”,“@timestamp”:“2025-03-10T05:42:31Z”,“tags”:[“info”,“plugins-service”],“pid”:1,“message”:“Plugin "visTypeXy" is disabled.”}
{“type”:“log”,“@timestamp”:“2025-03-10T05:42:31Z”,“tags”:[“info”,“plugins-service”],“pid”:1,“message”:“Plugin "workspace" is disabled.”}
{“type”:“log”,“@timestamp”:“2025-03-10T05:42:31Z”,“tags”:[“warning”,“config”,“deprecation”],“pid”:1,“message”:“"opensearch.requestHeadersWhitelist" is deprecated and has been replaced by "opensearch.requestHeadersAllowlist"”}
{“type”:“log”,“@timestamp”:“2025-03-10T05:42:31Z”,“tags”:[“fatal”,“root”],“pid”:1,“message”:“Error: error:05800074:x509 certificate routines::key values mismatch\n at setKey (node:internal/tls/secure-context:93:11)\n at configSecureContext (node:internal/tls/secure-context:175:7)\n at Object.createSecureContext (node:_tls_common:117:3)\n at Server.setSecureContext (node:_tls_wrap:1471:27)\n at Server (node:_tls_wrap:1335:8)\n at new Server (node:https:76:3)\n at Object.createServer (node:https:120:10)\n at module.exports.internals.Core._createListener (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/core.js:543:79)\n at new module.exports.internals.Core (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/core.js:135:30)\n at new module.exports (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/server.js:23:18)\n at createServer (/usr/share/opensearch-dashboards/src/core/server/http/http_tools.js:118:18)\n at HttpServer.setup (/usr/share/opensearch-dashboards/src/core/server/http/http_server.js:86:48)\n at HttpService.runNotReadyServer (/usr/share/opensearch-dashboards/src/core/server/http/http_service.js:156:26)\n at HttpService.setup (/usr/share/opensearch-dashboards/src/core/server/http/http_service.js:82:18)\n at Server.setup (/usr/share/opensearch-dashboards/src/core/server/server.js:175:23)\n at Root.setup (/usr/share/opensearch-dashboards/src/core/server/root/index.js:60:14)\n at bootstrap (/usr/share/opensearch-dashboards/src/core/server/bootstrap.js:113:5)\n at Command. (/usr/share/opensearch-dashboards/src/cli/serve/serve.js:192:5) {\n library: ‘x509 certificate routines’,\n reason: ‘key values mismatch’,\n code: ‘ERR_OSSL_X509_KEY_VALUES_MISMATCH’\n}”}
FATAL Error: error:05800074:x509 certificate routines::key values mismatch