Dashboard not showing login page with openid and keycloak on AWS

Sorry, I have a new issue while deploying Opensearch, Dashboards to AWS. I have configured OpenSearch (Dashboard) 2.1.0 on several nodes on AWS (Docker container) and I have a Keycloak available on https://access.$DOMAIN (Somewhere in other nodes and region). Configured a realm and a openid client.

When I access https://monitoring.$DOMAIN I am redirected to https://monitoring.$DOMAIN/auth/openid/login? and immediately returns a {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}, I did not get any login form, from either Keycloak or Dashboard itself.

This is my nginx config:

  location / {
    set_real_ip_from x.x.x.x/24;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_intercept_errors on;
      proxy_pass http://dashboard/;
      proxy_ssl_verify off;
      proxy_buffer_size          128k;
      proxy_buffers              4 256k;
      proxy_busy_buffers_size    256k;

The opensearch_dashboards.yml:

server.name: ip-x-x-x-x
server.port: 5601
server.host: ""
opensearch.hosts: ["https://ip-x-x-x.x:9200","https://ip-x-x-x.x:9200","https://ip-x-x-x.x:9200"]
opensearch.ssl.certificateAuthorities: ["/usr/share/opensearch-dashboards/config/root-ca.pem"]
opensearch.ssl.verificationMode: full
opensearch.username: "kibanaserver"
opensearch.password: "myawesomepassword"
opensearch.requestHeadersWhitelist: ["securitytenant", "Authorization"]

opensearch_security.auth.type: openid
opensearch_security.openid.base_redirect_url: https://monitoring.$DOMAIN
opensearch_security.openid.client_id: myclientid
opensearch_security.openid.client_secret: MyVerySecreTMesSage
opensearch_security.openid.connect_url: https://access.$DOMAIN/auth/realms/monitoring/.well-known/openid-configuration
opensearch_security.openid.header: Authorization
opensearch_security.openid.root_ca: /usr/share/opensearch-dashboards/config/root-ca-amz.pem
opensearch_security.openid.verify_hostnames: false

opensearch_security.multitenancy.enabled: false
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
# Use this setting if you are running dashboards without https
opensearch_security.cookie.secure: false

Dashboard can access the Opensearch cluster:

$ curl -ks -u "kibanaserver:myawesomepassword" "https://ip-x.x.x.x:9200"
  "name" : "ip-x.x.x.x",
  "cluster_name" : "mycluster",
  "cluster_uuid" : "Lob5PZZEQqW1O5r4idkC5A",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.1.0",
    "build_type" : "tar",
    "build_hash" : "388c80ad94529b1d9aad0a735c4740dce2932a32",
    "build_date" : "2022-06-30T21:31:04.823801692Z",
    "build_snapshot" : false,
    "lucene_version" : "9.2.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  "tagline" : "The OpenSearch Project: https://opensearch.org/"

I probably do something wrong.

The config from the OpenSearch cluster:

  type: "config"
  config_version: 2
        http_enabled: true
        transport_enabled: true
        order: 0
          type: basic
          challenge: false
          type: internal

        http_enabled: true
        transport_enabled: true
        order: 1
          type: "openid"
          challenge: false
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca-amz.pem
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://access.$DOMAIN/auth/realms/monitoring/.well-known/openid-configuration
          type: noop

The root-ca-amz.pem is the CA root certificate of Amazon, which is used by ACM. So I hope I downloaded the correct one. :slight_smile:

Any one has an idea or a pointer for me?

I see this in the log when starting Dashboard:

{"type":"log","@timestamp":"2022-08-05T11:43:58Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Error: unable to get issuer certificate\n    at TLSSocket.onConnectSecure (_tls_wrap.js:1515:34)\n    at TLSSocket.emit (events.js:400:28)\n    at TLSSocket._finishInit (_tls_wrap.js:937:8)\n    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:709:12) {\n  code: 'UNABLE_TO_GET_ISSUER_CERT',\n  trace: [\n    {\n      method: 'GET',\n      url: 'https://access.$DOMAIN/auth/realms/monitoring/.well-known/openid-configuration'\n    }\n  ],\n  isBoom: true,\n  isServer: true,\n  data: null,\n  output: {\n    statusCode: 502,\n    payload: {\n      message: 'Client request error: unable to get issuer certificate',\n      statusCode: 502,\n      error: 'Bad Gateway'\n    },\n    headers: {}\n  }\n}"}

But I can curl https://access.$DOMAIN/auth/realms/monitoring/.well-known/openid-configuration anytime and I always get a response. Did I then make an issue with the

opensearch_security.openid.root_ca: /usr/share/opensearch-dashboards/config/root-ca-amz.pem

line? Not sure How I get the CA crt from Amazon.

Yes, it was related to the ca certificate. Is working now better, but when loggedin, I am in a redirect loop between Dashboard and Keycloak.

Sorry, my bad again! I though I had correctly configured a secret, was using a completely different one. Well, have learned a few things. :slight_smile:

Hello! I’m following your questions very closely as I try to step through the config steps from this topic and this one

But I still get 401 errors all the time, could you tell me in more detail what exactly you decided with the token?

My problem was this file. The Keycloak is running on AWS and had a TLS Certificate that AWS generated. My problem was that I used the wrong CA certificate from AWS. After a bit of googling I found the correct one. (To long ago to remember the page.)

Thanks for the quick response. Please tell me after changing the config.yml did you run the securityadmin.sh script inside the container to apply the settings?

Yes, to be sure I always executed the securityadmin script.