Elasticsearch not connecting to each other - Opendistro security not initialized

@shaimoh you can follow the documentation to generate the certs. Openssl can be also used in Windows environment.

Hi @pablo , Im still going in rounds.

Im not able to understand what exactly is the admin_dn part is


  • CN=kirk,OU=client,O=client,L=test, C=de

what exactly is this CN and how is admin certificate different from node certificate
Am I supposed to give the elasticsearch url in the place of “kirk” here ? How to generate and define a CN here ?
Anything I should do in config.yml for the same ? Currently I havent done any changes in config.yml

Pls help…It would be a great help for me

Hi @pablo , Hope you’re doing well

I tried with single node and it seems to be working and elasticsearch is coming up using HTTPS and shows secured however now the issue is with Kibana.

Im using the same certificates and root_ca.pem and it says “Error: [config validation of [server].ssl.cert]: definition for this key is missing”

Below is my Kibana yml file . Can you check and advise if im doing anything wrong ? Im using the node certificates path

elasticsearch.hosts: https://CZASMV-MSELK003:9200
server.host: "CZASMV-MSELK003"
server.port: 5601
elasticsearch.ssl.verificationMode: none
server.ssl.cert:  C:\opendistroforelasticsearch_kibana\config\CZASMV-MSELK003.pem
server.ssl.key:  C:\opendistroforelasticsearch_kibana\config\CZASMV-MSELK003_key_pkcs8.pem
elasticsearch.ssl.certificateAuthorities: C:\OpenDistroForElasticsearchKibana\config\root_ca.pem
elasticsearch.username: admin
elasticsearch.password: admin
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]

# Use this setting if you are running kibana without https
opendistro_security.cookie.secure: false

newsfeed.enabled: false
telemetry.optIn: false
telemetry.enabled: false
security.showInsecureClusterWarning: false
# To configure a WMS map server for use with Kibana, see:
# https://opendistro.github.io/for-elasticsearch-docs/docs/kibana/maptiles/
map.includeElasticMapsService: false

Thanks for your help

This is the error

Hi @shaimoh

According to the provided error, definition for server.ssl.cert key doesn’t exist and that is correct. As per documentation, the valid key name is server.ssl.certificate.

@shaimoh in regards to yoru previous questions.
opendistro_security.authcz.admin_dn lists all users who are allowed to execute admin tasks in the cluster using API requests (i.e. restore .opendistro_security index)

curl -k --cert ./kirk.pem --key ./kirk-key.pem -XPOST 'https://localhost:9200/_snapshot/my-repository/3/_restore?pretty'

To execute above command you’ll need client SSL certificate which will have following in settings.

  • CN=kirk,OU=client,O=client,L=test, C=de

Furhter information in regards to DName’s elements you can find here

The admin certificate is a client certificate. The main difference between client and node (server) certificate is that the client cert is used to authenticate the user/client (API calls to server) and server certificate validates server identity.
Both certificates have different CN and SAN (subject alternative names) to match the server/client name.

You can compare the node and admin demo certs content by using the below commands.

openssl x509 -in <path_to_admin.cert> -text -noout

openssl x509 -in <path_to_server.cert> -text -noout

Hope this helps.

Hi @pablo

Thanks a lot for the clear information. Now I understood the difference.

Can this be added in the opendistro documentation. It would clearly solve lot of questions.

Thanks again for your help. Let me try getting a client certificate for my server