Hi there,
I am struggling with the topic of the client certificate needed for securityadmin.sh.
I get this error:
ERR: Seems you use a node certificate which is also an admin certificate
That may have worked with older Open Distro Security versions but it indicates
a configuration error and is therefore forbidden now.
Ok, so can someone from the community send me a link to / attach documentation on how to generate a CLIENT certificate that fits the above script (running Open Distro 0.9)? I am working at a company that uses LDAP and I am struggling to make it work.
Thank you so much!
Hi @steman Did you find the solution? I'm also getting the same error.
It's almost a year after the question was asked, but I hope it still helps someone.
There should be at least two different certificates (and corresponding keys) that you should generate - admin and node.
Do not provide the same distinguished name for the admin and node certificates. Also make sure you enter those two different DNs into your elasticsearch.yml (under the keys opendistro_security.authcz.admin_dn and opendistro_security.nodes_dn).
Use the admin certificate when you run securityadmin.sh.
You saved my life.
I am using a wildcard to specify multiple nodes.
opendistro_security.nodes_dn:
- CN=*.noj,OU=Ops,O=noj, Inc.,DC=noj
I was getting this error.
ERR: Seems you use a node certificate which is also an admin certificate
That may have worked with older Open Distro Security versions but it indicates
a configuration error and is therefore forbidden now.
So I changed the CN of my admin certificate to make it differ from the node certificate, and it worked.
opendistro_security.authcz.admin_dn:
- CN=admin.noj.sa,OU=Ops,O=noj, Inc.,DC=noj
Indeed, it seems that the nodes_dn property is read before the admin_dn one. Making the nodes_dn CN more specific (and not making it include the admin cert CN) works.
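The two points made in this thread (mint a separate admin and node certificate with different DNs, and keep the admin DN outside any nodes_dn wildcard) can be checked before running securityadmin.sh. The script below is an added example, not code from the thread or from the Open Distro project. It assumes openssl is installed for the certificate part, uses constructed DNs in the same layout as the thread (without the comma inside the O= value, which a DN parser would treat as a separator), and approximates the plugin's `*` wildcard with the shell's own `case` glob matching; that approximation is an assumption, not the plugin's matcher.

```shell
#!/bin/sh
# Added example (not from the thread): check that an admin DN does not fall
# under any opendistro_security.nodes_dn pattern, and, if openssl is present,
# mint a node and an admin certificate whose subjects are distinct.

# dn_matches PATTERN DN -> 0 if DN matches the wildcard pattern.
# Shell glob matching is assumed to approximate the plugin's '*' wildcard.
dn_matches() {
  pattern=$1
  dn=$2
  case "$dn" in
    $pattern) return 0 ;;   # unquoted: '*' in the pattern acts as a glob
    *) return 1 ;;
  esac
}

# admin_dn_is_distinct ADMIN_DN NODE_PATTERN... -> 0 when the admin DN matches
# none of the nodes_dn patterns, i.e. the configuration the error message demands.
admin_dn_is_distinct() {
  admin=$1
  shift
  for p in "$@"; do
    if dn_matches "$p" "$admin"; then
      echo "CONFLICT: admin_dn '$admin' also matches nodes_dn pattern '$p'" >&2
      return 1
    fi
  done
  return 0
}

# Constructed sample values in the thread's layout.
NODES_DN_1='CN=*.noj,OU=Ops,O=noj,DC=noj'
ADMIN_BAD='CN=admin.noj,OU=Ops,O=noj,DC=noj'      # swallowed by the wildcard
ADMIN_GOOD='CN=admin.noj.sa,OU=Ops,O=noj,DC=noj'  # outside the wildcard

# cert_dn FILE -> subject in RFC 2253 form (CN first), the form that goes into
# elasticsearch.yml. Assumes openssl is available.
cert_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# make_certs DIR: a throwaway CA plus a node and an admin certificate.
# -subj is given least-specific first (DC, O, OU, CN) so that the RFC 2253
# rendering comes out as CN=...,OU=Ops,O=noj,DC=noj.
make_certs() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/DC=noj/O=noj/OU=Ops/CN=ca.noj" >/dev/null 2>&1
  for name in node1.noj admin.noj.sa; do
    openssl req -newkey rsa:2048 -nodes \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" \
      -subj "/DC=noj/O=noj/OU=Ops/CN=$name" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
      -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
      -out "$dir/$name.pem" >/dev/null 2>&1
  done
}

# Demo: the two constructed admin DNs against the wildcard nodes_dn entry.
if admin_dn_is_distinct "$ADMIN_GOOD" "$NODES_DN_1"; then
  echo "OK: '$ADMIN_GOOD' is not covered by '$NODES_DN_1'"
fi
if ! admin_dn_is_distinct "$ADMIN_BAD" "$NODES_DN_1" 2>/dev/null; then
  echo "REJECT: '$ADMIN_BAD' would trigger the node-cert-is-admin-cert error"
fi

# Demo: real certificates, when openssl is installed.
if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  make_certs "$tmp"
  for name in node1.noj admin.noj.sa; do
    echo "$name.pem subject: $(cert_dn "$tmp/$name.pem")"
  done
  if admin_dn_is_distinct "$(cert_dn "$tmp/admin.noj.sa.pem")" "$NODES_DN_1"; then
    echo "admin.noj.sa.pem is safe to hand to securityadmin.sh (-cert/-key)"
  fi
  rm -rf "$tmp"
fi
```

Put the DN printed for the admin certificate under opendistro_security.authcz.admin_dn and the node pattern under opendistro_security.nodes_dn; if admin_dn_is_distinct reports a conflict, narrow the wildcard or rename the admin CN as the last reply in the thread did.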