Configuring TLS Certificates on Open Distro for Elasticsearch

I am fairly new to Elasticsearch. I am trying to set up TLS certificates for my Elasticsearch cluster. I generated the certificates using Search Guard’s offline TLS certificate generator tool. After I created my certificates and ran Open Distro's securityadmin.sh plugin like this:

`
sudo /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh \
  -cacert /etc/elasticsearch/config/root-ca.pem \
  -cert /etc/elasticsearch/config/admin.pem \
  -key /etc/elasticsearch/config/admin.key \
  -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
`

I get this error:

`
WARNING: JAVA_HOME not set, will use /usr/bin/java
Open Distro Security Admin v7
Will connect to localhost:9300 ... done
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{1x_AbgJJRJ-MxvZjI11W6A}{localhost}{127.0.0.1:9300}]]
    at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:352)
    at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:248)
    at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:57)
    at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:394)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:396)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:385)
    at com.amazon.opendistroforelasticsearch.security.tools.OpenDistroSecurityAdmin.execute(OpenDistroSecurityAdmin.java:520)
    at com.amazon.opendistroforelasticsearch.security.tools.OpenDistroSecurityAdmin.main(OpenDistroSecurityAdmin.java:153)
`

Here are my Elasticsearch logs:

`
[2020-03-25T15:18:13,096][INFO ][c.a.o.s.a.i.AuditLogImpl ] [node-1] Configured Users to ignore for read compliance events: [kibanaserver]
[2020-03-25T15:18:13,098][INFO ][c.a.o.s.a.i.AuditLogImpl ] [node-1] Configured Users to ignore for write compliance events: [kibanaserver]
[2020-03-25T15:18:13,504][INFO ][c.a.o.s.a.i.AuditLogImpl ] [node-1] Message routing enabled: true
[2020-03-25T15:18:13,509][WARN ][c.a.o.s.c.ComplianceConfig] [node-1] If you plan to use field masking pls configure opendistro_security.compliance.salt to be a random string of 16 chars length identical on all nodes
[2020-03-25T15:18:13,510][INFO ][c.a.o.s.c.ComplianceConfig] [node-1] PII configuration [auditLogPattern=org.joda.time.format.DateTimeFormatter@50734cea,  auditLogIndex=null]: {}
[2020-03-25T15:18:14,346][DEBUG][o.e.a.ActionModule       ] [node-1] Using REST wrapper from plugin com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin
[2020-03-25T15:18:14,790][INFO ][o.e.d.DiscoveryModule    ] [node-1] using discovery type [zen] and seed hosts providers [settings]
[2020-03-25T15:18:15,796][INFO ][c.a.o.e.p.h.c.PerformanceAnalyzerConfigAction] [node-1] PerformanceAnalyzer Enabled: true
[2020-03-25T15:18:15,881][INFO ][o.e.n.Node               ] [node-1] initialized
[2020-03-25T15:18:15,884][INFO ][o.e.n.Node               ] [node-1] starting ...
[2020-03-25T15:18:16,375][INFO ][o.e.t.TransportService   ] [node-1] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}
[2020-03-25T15:18:16,440][INFO ][o.e.c.c.Coordinator      ] [node-1] cluster UUID [uRLPKEtQQvCLSmfCDYRHhw]
[2020-03-25T15:18:16,707][INFO ][o.e.c.s.MasterService    ] [node-1] elected-as-master ([1] nodes joined)[{node-1}{_f8hRPD3RY6JgK_NT6BlHA}{npC6xhVYRiO3LpBghG7cfg}{127.0.0.1}{127.0.0.1:9300}{dim} elect leader, _BECOME_MASTER_TASK_, _FINISH_ELECTION_], term: 50, version: 610, reason: master node changed {previous [], current [{node-1}{_f8hRPD3RY6JgK_NT6BlHA}{npC6xhVYRiO3LpBghG7cfg}{127.0.0.1}{127.0.0.1:9300}{dim}]}
[2020-03-25T15:18:16,832][INFO ][o.e.c.s.ClusterApplierService] [node-1] master node changed {previous [], current [{node-1}{_f8hRPD3RY6JgK_NT6BlHA}{npC6xhVYRiO3LpBghG7cfg}{127.0.0.1}{127.0.0.1:9300}{dim}]}, term: 50, version: 610, reason: Publication{term=50, version=610}
[2020-03-25T15:18:16,940][INFO ][o.e.h.AbstractHttpServerTransport] [node-1] publish_address {10.128.0.56:9200}, bound_addresses {[::]:9200}
[2020-03-25T15:18:16,940][INFO ][o.e.n.Node               ] [node-1] started
[2020-03-25T15:18:16,957][INFO ][c.a.o.s.OpenDistroSecurityPlugin] [node-1] Node started
[2020-03-25T15:18:16,957][INFO ][c.a.o.s.c.ConfigurationRepository] [node-1] Check if .opendistro_security index exists ...
[2020-03-25T15:18:16,957][INFO ][c.a.o.s.c.ConfigurationRepository] [node-1] .opendistro_security index does not exist yet, so we create a default config
[2020-03-25T15:18:16,968][INFO ][c.a.o.s.OpenDistroSecurityPlugin] [node-1] 4 Open Distro Security modules loaded so far: [Module [type=DLSFLS, implementing class=com.amazon.opendistroforelasticsearch.security.configuration.OpenDistroSecurityFlsDlsIndexSearcherWrapper], Module [type=REST_MANAGEMENT_API, implementing class=com.amazon.opendistroforelasticsearch.security.dlic.rest.api.OpenDistroSecurityRestApiActions], Module [type=MULTITENANCY, implementing class=com.amazon.opendistroforelasticsearch.security.configuration.PrivilegesInterceptorImpl], Module [type=AUDITLOG, implementing class=com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditLogImpl]]
[2020-03-25T15:18:16,968][INFO ][c.a.o.s.c.ConfigurationRepository] [node-1] Background init thread started. Install default config?: true
[2020-03-25T15:18:16,973][INFO ][c.a.o.s.c.ConfigurationRepository] [node-1] Will create .opendistro_security index so we can apply default config
[2020-03-25T15:18:17,186][INFO ][o.e.g.GatewayService     ] [node-1] recovered [10] indices into cluster_state
[2020-03-25T15:18:19,389][INFO ][o.e.c.r.a.AllocationService] [node-1] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.opendistro_security][0]]]).
[2020-03-25T15:18:19,645][ERROR][c.a.o.s.a.BackendRegistry] [node-1] Not yet initialized (you may need to run securityadmin)
[2020-03-25T15:18:19,706][ERROR][c.a.o.s.a.BackendRegistry] [node-1] Not yet initialized (you may need to run securityadmin)
[2020-03-25T15:18:19,884][INFO ][c.a.o.s.c.ConfigurationRepository] [node-1] Node 'node-1' initialized
[2020-03-25T15:19:03,114][INFO ][stats_log                ] [node-1] ------------------------------------------------------------------------
Program=PerformanceAnalyzerPlugin
StartTime=1585149483.028
EndTime=Wed, 25 Mar 2020 15:19:03 UTC
Time=60039 msecs
Timing=total-time:60039.0/1
Counters=MasterMetricsError=1,TotalError=1
EOE
`

Here is my elasticsearch.yml file:

`
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 0.0.0.0
#
#
# Set a custom port for HTTP:
#
#http.host: 0.0.0.0
http.port: 9200
#
transport.host: 127.0.0.1
transport.port: 9300
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts:
  - 127.0.0.1:3000
  - xx.xxx.xxx.xx:3000
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes:
  - node-1
#
# For more information, consult the discovery and cluster formation module documentation.
#
#discovery.type: single-node

# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
# 
#

######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production 
opendistro_security.ssl.transport.pemcert_filepath: config/node-1.pem
opendistro_security.ssl.transport.pemkey_filepath: config/node-1.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: config/root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: config/node-1.pem
opendistro_security.ssl.http.pemkey_filepath: config/node-1.key
opendistro_security.ssl.http.pemtrustedcas_filepath: config/root-ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
    - CN=admin,O=Weblink Technology,OU=SSL,L=Iowa City,ST=Iowa,C=US
opendistro_security.nodes_dn:
    - CN=node-1,O=Weblink Technology,OU=SSL,L=Iowa City,ST=Iowa,C=US
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 1
######## End OpenDistro for Elasticsearch Security Demo Configuration ########
`

@mitchellpottratz Did you manage to get this resolved?
If not, are you able to verify the DN on the node certs? Does it match “node-1,O=Weblink Technology,OU=SSL,L=Iowa City,ST=Iowa,C=US”?

Are you using a single-node cluster or using the same cert for multiple clusters?
Can you provide a bit more detail about your setup?
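
One way to carry out the DN check suggested in the reply above, as an added example that is not part of the original thread or of Open Distro's tooling: it reads a certificate's subject with `openssl` and looks for it under `opendistro_security.nodes_dn` or `opendistro_security.authcz.admin_dn` in `elasticsearch.yml`. The function names, the script name `check_dn.sh` and the location of `elasticsearch.yml` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: does a certificate's subject DN appear under a DN list key
# (admin_dn / nodes_dn) in elasticsearch.yml? Function names are hypothetical.

# Subject DN of a PEM certificate in RFC 2253 form (CN=...,O=...,C=...).
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Print the entries of a YAML list key, one per line, without the "- " prefix.
config_dns() {   # usage: config_dns <key> <yml-file>
    awk -v key="$1" '
        index($0, key ":") == 1 { inlist = 1; next }
        inlist && /^[ \t]*-[ \t]/ {
            sub(/^[ \t]*-[ \t]*/, ""); sub(/[ \t]+$/, ""); gsub(/^"|"$/, "")
            print; next
        }
        inlist && !/^[ \t]*(#|$)/ { inlist = 0 }   # next key ends the list
    ' "$2"
}

# Exact string comparison: RDN order, spacing and case must all agree.
# Pattern entries, if the list contains any, are not evaluated.
dn_listed() {    # usage: dn_listed <dn> <key> <yml-file>
    config_dns "$2" "$3" | grep -Fxq -- "$1"
}

check_cert() {   # usage: check_cert <cert.pem> <key> <yml-file>
    local dn
    dn=$(cert_dn "$1")
    [ -n "$dn" ] || { echo "ERROR could not read subject of $1" >&2; return 2; }
    if dn_listed "$dn" "$2" "$3"; then
        echo "OK    $2 lists: $dn"
    else
        echo "FAIL  $2 does not list: $dn"
        return 1
    fi
}

# Example call (the elasticsearch.yml location is an assumption):
#   ./check_dn.sh /etc/elasticsearch/config/admin.pem \
#       opendistro_security.authcz.admin_dn /etc/elasticsearch/elasticsearch.yml
if [ "$#" -eq 3 ]; then check_cert "$@"; fi
```

Run it once for the node certificate against `opendistro_security.nodes_dn` and once for the admin certificate against `opendistro_security.authcz.admin_dn`; a `FAIL` line prints the DN actually present in the certificate so it can be compared with the configured entry.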