Dashboards connection error: self signed certificate

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch 2.6.2
Dashboards 2.5.3
ubuntu in k8s cluster

Describe the issue:
Hello.
I prepared certificates following your example, but Dashboards cannot connect to OpenSearch if opensearch.ssl.verificationMode is certificate or full.
Error in Dashboards pod:
{"type":"log","@timestamp":"2023-01-23T08:17:24Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: self signed certificate"}

There is a similar unanswered problem: link

No errors in Opensearch pod.

Configuration:
opensearch.yml

    network.host: 0.0.0.0
    cluster.name: project-logging-opensearch
    node.processors: 2
    
    plugins:
      security:
        ssl:
          transport:
            pemcert_filepath: certificates/node.pem
            pemkey_filepath: certificates/node-key.pem
            pemtrustedcas_filepath: certificates/root-ca.pem
            enforce_hostname_verification: false
          http:
            enabled: true
            pemcert_filepath: certificates/node.pem
            pemkey_filepath: certificates/node-key.pem
            pemtrustedcas_filepath: certificates/root-ca.pem
            clientauth_mode: OPTIONAL
        
        # todo remove 
        allow_unsafe_democertificates: true
        allow_default_init_securityindex: false
        
        authcz:
          admin_dn:
            - 'CN=admin,O=project'
        nodes_dn:
          - 'CN=node,O=project'
    
        audit.type: internal_opensearch
        enable_snapshot_restore_privilege: true
        check_snapshot_restore_write_privileges: true
        restapi:
          roles_enabled: ["all_access", "security_rest_api_access"]
        system_indices:
          enabled: true
          indices:
            [
              ".opendistro-alerting-config",
              ".opendistro-alerting-alert*",
              ".opendistro-anomaly-results*",
              ".opendistro-anomaly-detector*",
              ".opendistro-anomaly-checkpoints",
              ".opendistro-anomaly-detection-state",
              ".opendistro-reports-*",
              ".opendistro-notifications-*",
              ".opendistro-notebooks",
              ".opendistro-asynchronous-search-response*",
            ]

opensearch_dashboards.yml

    logging.verbose: true
    
    opensearch_security.auth.type: "proxy"
    opensearch_security.proxycache.user_header: "x-proxy-user"
    opensearch_security.proxycache.roles_header: "x-proxy-roles"
    opensearch.requestHeadersWhitelist: [ "Authorization", "securitytenant", "x-forwarded-for", "x-forwarded-by", "x-proxy-user", "x-proxy-roles" ]
    
    opensearch_security.allow_client_certificates: true
    #opensearch.ssl.alwaysPresentCertificate: true
    
    opensearch.ssl.verificationMode: full
    opensearch.ssl.certificateAuthorities: ["/usr/share/opensearch-dashboards/config/certificates/root-ca.pem"]
    
    opensearch.ssl.certificate: "/usr/share/opensearch-dashboards/config/certificates/dashboards.pem"
    opensearch.ssl.key: "/usr/share/opensearch-dashboards/config/certificates/dashboards-key.pem"
    
    opensearch.username: system.kibanaserver
    opensearch.password: "${KIBANA_PASSWORD}"
    
    opensearch_security.multitenancy.enabled: true
    opensearch_security.multitenancy.tenants.preferred: [Private, Global]
    opensearch_security.readonly_mode.roles: [kibana_read_only]
    
    # Use this setting if you are running opensearch-dashboards without https
    opensearch_security.cookie.secure: false
    server.host: '0.0.0.0'
    server.basePath: "/opensearch"
    server.rewriteBasePath: true

config.yml:

    _meta:
      type: "config"
      config_version: 2
    config:
      dynamic:
        filtered_alias_mode: "warn"
        disable_rest_auth: false
        disable_intertransport_auth: false
        respect_request_indices_options: false
        license: null
        auth_failure_listeners: {}
        do_not_fail_on_forbidden: true
        multi_rolespan_enabled: false
        hosts_resolver_mode: "ip-only"
        transport_userrname_attribute: null
        do_not_fail_on_forbidden_empty: true
        kibana:
          multitenancy_enabled: false
          server_username: "system.kibanaserver"
          #index: ".kibana"
        http:
          anonymous_auth_enabled: false
          xff:
            enabled: true
            internalProxies: ".*"
            remoteIpHeader: "x-forwarded-for"
        authc:
          proxy_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              challenge: false
              type: "proxy"
              config:
                user_header: "x-proxy-user"
                roles_header: "x-proxy-roles"
            authentication_backend:
              type: "noop"
              config: {}
          clientcert_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              challenge: false
              type: "clientcert"
              config:
                username_attribute: "cn"
            authentication_backend:
              type: "noop"
              config: {}
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 2
            http_authenticator:
              challenge: true
              type: "basic"
              config: {}
            authentication_backend:
              type: "intern"
              config: {}
        authz:
          roles_from_another_ldap:
            http_enabled: false
            transport_enabled: false
            authorization_backend:
              type: "ldap"
              config: {}
          roles_from_myldap:
            http_enabled: false
            transport_enabled: false
            authorization_backend:
              type: "ldap"
              config:
                enable_ssl: false
                enable_start_tls: false
                enable_ssl_client_auth: false
                verify_hostnames: true
                hosts:
                - "localhost:8389"
                bind_dn: null
                password: null
                rolebase: "ou=groups,dc=example,dc=com"
                rolesearch: "(member={0})"
                userroleattribute: null
                userrolename: "disabled"
                rolename: "cn"
                resolve_nested_roles: true
                userbase: "ou=people,dc=example,dc=com"
                usersearch: "(uid={0})"

certificates:

    # Root CA
    openssl genrsa -out root-ca-key.pem 2048
    openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/O=project/CN=project" -out root-ca.pem -days 3650

    # Admin cert
    openssl genrsa -out admin-key-temp.pem 2048
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
    openssl req -new -key admin-key.pem -subj "/O=project/CN=admin" -out admin.csr
    openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 3650


    # Dashboards cert
    openssl genrsa -out dashboards-key-temp.pem 2048
    openssl pkcs8 -inform PEM -outform PEM -in dashboards-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out dashboards-key.pem
    openssl req -new -key dashboards-key.pem -subj "/O=project/CN=system.kibanaserver" -out dashboards.csr
    openssl x509 -req -in dashboards.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out dashboards.pem -days 3650

Relevant Logs or Screenshots:

dashboards {"type":"log","@timestamp":"2023-01-23T08:34:47Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: self signed certificate"}

This is just a reminder that my question is still relevant

Did you solve your problem? I encountered the same issue, does anyone know how to solve this?

It works for me.
Check the certificates.
First:

    openssl genrsa -out root-ca-key.pem 2048
    openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=root.dns.a-record" -out root-ca.pem -days 730
    openssl genrsa -out admin-key-temp.pem 2048
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
    openssl req -new -key admin-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=A" -out admin.csr
    openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730
    openssl genrsa -out node1-key-temp.pem 2048
    openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem
    openssl req -new -key node1-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1.dns.a-record" -out node1.csr
    echo 'subjectAltName=DNS:node1.dns.a-record' > node1.ext
    openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext

Then:
1. Set the same certificates for opensearch and opensearch-dashboards (opensearch.yml, opensearch_dashboards.yml).
2. Create ldap.cer:

    echo -n | openssl s_client -connect ldap-host:ldap-port | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /opt/opensearch/config/ldap.cer

3. Execute ./securityadmin.sh:

    ./securityadmin.sh -cd ../../../config/opensearch-security/ -icl -nhnv -cacert ../../../config/root-ca.pem -cert ../../../config/node1.pem -key ../../../config/node1-key.pem -h opensearch-host
    systemctl restart opensearch opensearch-dashboards

Enjoy
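One way to carry out the "check the certificates" step from the answer above, as an added example that is not part of the original thread: it classifies a node certificate the way a client with `verificationMode: certificate` (chain only) or `full` (chain plus host name) would judge it. The function names, status labels, file names and the host name `opensearch.example.internal` are assumptions made for this example, and the sample PKI is constructed in a temp directory.

```shell
#!/bin/sh
# Added example; labels, file names and host names are constructed, not from the thread.
# check_cert CA_FILE CERT_FILE HOSTNAME
# prints: ok | self-signed | untrusted | hostname-mismatch
check_cert() {
    ca=$1; cert=$2; host=$3
    # Chain check: required by both "certificate" and "full".
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        subj=$(openssl x509 -in "$cert" -noout -subject_hash)
        iss=$(openssl x509 -in "$cert" -noout -issuer_hash)
        # Subject equals issuer and the cert is not a trusted root: the case
        # reported as "[ConnectionError]: self signed certificate".
        if [ "$subj" = "$iss" ]; then echo self-signed; else echo untrusted; fi
        return 1
    fi
    # Host name check: "full" adds this on top of the chain check.
    if openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        echo ok
    else
        echo hostname-mismatch
        return 1
    fi
}

# Constructed sample PKI (throwaway keys, 1-day validity); prints the temp dir.
make_demo_pki() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" &&
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/O=project/CN=project" -keyout root-ca-key.pem -out root-ca.pem &&
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/O=project/CN=node" -keyout node-key.pem -out node.csr &&
        echo 'subjectAltName=DNS:opensearch.example.internal' > node.ext &&
        openssl x509 -req -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem \
            -CAcreateserial -sha256 -days 1 -extfile node.ext -out node.pem &&
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/O=project/CN=node" -keyout self-key.pem -out self.pem
    ) >/dev/null 2>&1 || return 1
    echo "$d"
}

demo=$(make_demo_pki) || exit 1
trap 'rm -rf "$demo"' EXIT
check_cert "$demo/root-ca.pem" "$demo/node.pem" opensearch.example.internal || true
check_cert "$demo/root-ca.pem" "$demo/self.pem" opensearch.example.internal || true
check_cert "$demo/root-ca.pem" "$demo/node.pem" other.example.internal || true
```

To check what a running node actually presents, save its certificate with `openssl s_client` the same way the answer does for the LDAP server and pass that file as the second argument.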