Facing "Transport client authentication no longer supported" Error while Setting Up OpenSearch Cluster with Docker

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

What I’ve Tried:

  1. Verified the keystore and truststore files are correctly generated and placed in the /usr/share/opensearch/config/certs/ directory of the container.
  2. Confirmed the Subject Alternative Names (SANs) for all node hostnames are correctly included in the certificates.
  3. Ensured that transport client authentication settings were removed from the opensearch.yml file.
  4. Tried restarting the containers to apply the new configurations.

Questions:

  • Is there any additional configuration needed to ensure that SSL/TLS is correctly applied for node-to-node communication without relying on the transport client authentication?
  • Does anyone have experience configuring SSL/TLS in OpenSearch clusters with Docker? Any help or suggestions would be appreciated!

Thanks in advance for your support!

Describe the issue:

Hi all,

I’m in the process of setting up an OpenSearch cluster using Docker containers. I’m using the same keystore.jks and truststore.jks files for all the nodes in the cluster to handle SSL/TLS encryption for secure communication. However, after configuring SSL/TLS and restarting the nodes, I’m running into the following error:

[2024-11-06T10:17:36,262][ERROR][o.o.s.t.SecurityRequestHandler] [opensearch-master1] OpenSearchException[Transport client authentication no longer supported.]
[2024-11-06T10:17:36,099][WARN ][o.o.d.HandshakingTransportAddressConnector] [opensearch-master1] handshake failed for [connectToRemoteMasterNode[172.19.0.5:9300]]

Configuration:

Context of the Setup:

  • I’m deploying the cluster with multiple nodes (master, data, and client).
  • I’m using keystore-modified.jks for the keystore and truststore-complete.jks for the truststore, which I’ve shared across all the nodes.
  • I have configured plugins.security.ssl.transport settings in opensearch.yml for SSL/TLS communication between the nodes.

Key SSL/TLS Configuration in opensearch.yml:

plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.keystore_type: JKS
plugins.security.ssl.transport.keystore_filepath: certs/keystore-modified.jks
plugins.security.ssl.transport.keystore_password: your-keystore-password
plugins.security.ssl.transport.truststore_type: JKS
plugins.security.ssl.transport.truststore_filepath: certs/truststore-complete.jks
plugins.security.ssl.transport.truststore_password: your-truststore-password

Relevant Logs or Screenshots:

Hi @Govind12, try changing the port to 9200.

Could you share your full opensearch.yml?

Best,
mj

I haven’t defined ports; it’s using the default port for it.

Here is the opensearch.yml :

plugins.security.ssl.transport.enabled: true

plugins.security.ssl.transport.keystore_type: "JKS"
plugins.security.ssl.transport.keystore_filepath: "certs/keystore-modified.jks"
plugins.security.ssl.transport.keystore_alias: "first-alias" # Replace with the actual alias if applicable
plugins.security.ssl.transport.keystore_password: "changeit"

plugins.security.ssl.transport.truststore_type: "JKS"
plugins.security.ssl.transport.truststore_filepath: "certs/truststore-complete.jks"
plugins.security.ssl.transport.truststore_alias: "" # Replace with the actual alias if applicable
plugins.security.ssl.transport.truststore_password: "changeit"

Here is opensearch-docker-compose file:

version: '3'
services:
  opensearch-master1:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-master1
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-master1
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - cluster.initial_cluster_manager_nodes=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false"  # false keeps the security plugin enabled
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}

    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./opensearch-data/opensearch_opensearch-master-data1:/usr/share/opensearch/data:rw
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
 
      - ./certs:/usr/share/opensearch/config/certs

      
    ports:
      - 9201:9200
      - 9601:9600
    networks:
      - opensearch-net

  opensearch-master2:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-master2
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-master2
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - cluster.initial_cluster_manager_nodes=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false"  # false keeps the security plugin enabled
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
     


    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./opensearch-data/opensearch_opensearch-master-data2:/usr/share/opensearch/data:rw
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml

      - ./certs:/usr/share/opensearch/config/certs

    ports:
      - 9202:9200
      - 9602:9600
    networks:
      - opensearch-net

  opensearch-master3:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-master3
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-master3
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - cluster.initial_cluster_manager_nodes=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false"  # false keeps the security plugin enabled
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
    

    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./opensearch-data/opensearch_opensearch-master-data3:/usr/share/opensearch/data:rw
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
 
      - ./certs:/usr/share/opensearch/config/certs
     
    ports:
      - 9203:9200
      - 9603:9600
    networks:
      - opensearch-net
  # Data Nodes
  opensearch-data1:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-data1
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-data1
      - node.roles=data
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0

      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false"
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
   

    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./opensearch-data/opensearch_opensearch-data1:/usr/share/opensearch/data:rw
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml

      - ./certs:/usr/share/opensearch/config/certs

      
    ports:
      - 9204:9200
      - 9604:9600
    networks:
      - opensearch-net

  opensearch-data2:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-data2
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-data2
      - node.roles=data
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0

      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false"
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
     

    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./opensearch-data/opensearch_opensearch-data2:/usr/share/opensearch/data:rw
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml

      - ./certs:/usr/share/opensearch/config/certs

      
    ports:
      - 9205:9200
      - 9605:9600
    networks:
      - opensearch-net

  opensearch-data3:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-data3
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-data3
      - node.roles=data
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0

      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false"
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
     

    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./opensearch-data/opensearch_opensearch-data3:/usr/share/opensearch/data:rw
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
  
      - ./certs:/usr/share/opensearch/config/certs

      
    ports:
      - 9206:9200
      - 9606:9600
    networks:
      - opensearch-net



  opensearch-client1:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-client1
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-client1
      - node.roles=ingest,remote_cluster_client
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - cluster.initial_cluster_manager_nodes=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false"  # false keeps the security plugin enabled
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}


    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml


      - ./certs:/usr/share/opensearch/config/certs

  
    ports:
      - 9207:9200
      - 9607:9600
    networks:
      - opensearch-net

  opensearch-client2:
    image: opensearchproject/opensearch:2.17.1
    container_name: opensearch-client2
    environment:
      - cluster.name=opensearch-cluster 
      - node.name=opensearch-client2
      - node.roles=ingest,remote_cluster_client
      - discovery.seed_hosts=opensearch-master1,opensearch-master2,opensearch-master3
      - cluster.initial_cluster_manager_nodes=opensearch-master1,opensearch-master2,opensearch-master3
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "DISABLE_INSTALL_DEMO_CONFIG=true"
      - "DISABLE_SECURITY_PLUGIN=false"  # false keeps the security plugin enabled
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
     

    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
     # - opensearch-client-data2:/usr/share/opensearch/data
      - ./config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
 
      - ./certs:/usr/share/opensearch/config/certs

      
    ports:
      - 9208:9200
      - 9608:9600
    networks:
      - opensearch-net

  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:2.17.1
    container_name: opensearch-dashboards
    environment:
      - 'OPENSEARCH_HOSTS=["http://opensearch-master1:9200","http://opensearch-master2:9200","http://opensearch-master3:9200"]'
      - "DISABLE_SECURITY_DASHBOARDS_PLUGIN=false"  # false keeps the security dashboards plugin enabled
       
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
      
    ports:
      - 5601:5601
    networks:
      - opensearch-net
    volumes:

      - ./opensearch-dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch-dashboards.yml



volumes:
  opensearch_opensearch-master-data1:
  opensearch_opensearch-master-data2:
  opensearch_opensearch-master-data3:
  opensearch_opensearch-data1:
  opensearch_opensearch-data2:
  opensearch_opensearch-data3:

networks:
  opensearch-net:

Hi @Govind12,

Could you please confirm values in your opensearch.yml for plugins.security.nodes_dn:, and the DNs for your node certs?

best,
mj

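Added example, not part of the thread or of OpenSearch's own code: a small offline check of the comparison mj asks about, node certificate subject DNs against plugins.security.nodes_dn entries. A peer whose certificate DN matches no nodes_dn entry is not treated as a cluster node, even when its certificate chains to a trusted CA. The DN values and the "reporting-client" certificate are constructed; the matcher assumes entries written in RFC 2253 order (CN first) with optional * wildcards, case-sensitive, and does not handle regex entries.

```python
import fnmatch
import re


def normalize_dn(dn: str) -> str:
    """Strip whitespace around RDNs: 'CN=a, O=b' -> 'CN=a,O=b'."""
    parts = []
    # Split on commas that are not backslash-escaped (RFC 2253 escaping).
    for rdn in re.split(r"(?<!\\),", dn):
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"not an RDN: {rdn!r}")
        parts.append(f"{key.strip()}={value.strip()}")
    return ",".join(parts)


def matching_entry(subject_dn, nodes_dn):
    """Return the first nodes_dn pattern that matches the subject, else None."""
    subject = normalize_dn(subject_dn)
    for pattern in nodes_dn:
        if fnmatch.fnmatchcase(subject, normalize_dn(pattern)):
            return pattern
    return None


def audit(subjects, nodes_dn):
    """Map each certificate name to the nodes_dn entry admitting it, or None."""
    return {name: matching_entry(dn, nodes_dn) for name, dn in subjects.items()}


# Constructed subject DNs. The first uses the spacing keytool prints after "Owner:".
SUBJECTS = {
    "opensearch-master1": "CN=opensearch-master1, OU=Search, O=Example, C=DE",
    "opensearch-data1": "CN=opensearch-data1,OU=Search,O=Example,C=DE",
    # Same CA and organisation, but not a cluster node.
    "reporting-client": "CN=reporting-client,OU=Search,O=Example,C=DE",
}

# Entry in RFC 2253 order (CN first), limited to the node naming scheme.
NODES_DN_RFC2253 = ["CN=opensearch-*,OU=Search,O=Example,C=DE"]
# Same RDNs pasted in openssl's default display order (C first): matches nothing.
NODES_DN_OPENSSL_ORDER = ["C=DE,O=Example,OU=Search,CN=opensearch-*"]

if __name__ == "__main__":
    for label, entries in (("RFC 2253 order", NODES_DN_RFC2253),
                           ("openssl default order", NODES_DN_OPENSSL_ORDER)):
        for name, entry in audit(SUBJECTS, entries).items():
            print(f"{label:22} {name:20} {'node' if entry else 'NOT a node'}")
```

To feed it real values, read the subject with `keytool -list -v -keystore <file>` (the "Owner:" line) or `openssl x509 -subject -nameopt RFC2253 -noout -in <cert>`.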