Failed to obtain endpoints from idp

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch version is 2.8.0
Keycloak version is latest
Authorization profile is openid

Describe the issue:
Error: failed when trying to obtain the endpoint from the IdP.

Configuration:
openid-dev-certs is the one for which we took the certs from the realm settings of Keycloak.

Opensearch.yaml

apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: os-dev-cluster
  namespace: opensearch-dev
spec:
  initHelper:
    image: "public.ecr.aws/opsterio/busybox"
  security:
    config:
      adminCredentialsSecret:
        name: a-admin-credentials-secret
      securityConfigSecret:
        name: a-securityconfig-secret
    tls:
      transport:
        generate: true
      http:
        generate: true
  general:
    serviceName: my-cluster1
    version: 2.8.0
    drainDataNodes: true
    setVMMaxMapCount: true
    image: docker.io/opensearchproject/opensearch:2.8.0
    imagePullPolicy: IfNotPresent
    additionalVolumes:
    - name: openid-dev-certs
      path: /usr/share/opensearch/config/certs/
      configMap:
        name: openid-dev-certs
      restartPods: true
      #additionalConfig:
      #plugins.security.allow_default_init_securityindex: "true"
      #plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/openid-certs
  dashboards:
    additionalConfig:
      logging.verbose: "true"
      opensearch_security.auth.type: '["basicauth","openid"]'
      opensearch_security.auth.multiple_auth_enabled: "True"
      opensearch_security.openid.connect_url: https://keycloak-dev.os-es.xyz.com/auth/realms/master/.well-known/openid-configuration
      opensearch_security.openid.base_redirect_url: https://opensearchdashboard.os-es.xyz.com/
      opensearch_security.openid.client_id: keycloak-dev-grafana
      opensearch_security.openid.client_secret: V6WO9Xv5Hs0xkzI6cs4DEsx9M6tLj4Xh
      opensearch_security.openid.scope: openid profile email
      opensearch_security.openid.header: Authorization
      opensearch_security.openid.trust_dynamic_headers: "true"
      opensearch.optimizedHealthcheckId: "os-es-cluster"
      opensearch_security.openid.verify_hostnames: "false"
      opensearch.ssl.verificationMode: none
      opensearch_security.cookie.secure: "false"
      opensearch.requestHeadersWhitelist:  |
        ["securitytenant","Authorization","security_tenant"]
      opensearch_security.readonly_mode.roles: '[ "kibana_user", "readall" ]'
    image: docker.io/opensearchproject/opensearch-dashboards:2.8.0
    imagePullPolicy: IfNotPresent
    opensearchCredentialsSecret:
      name: a-admin-credentials-secret
    enable: true
    tls:
      enable: true
      generate: true
    version: 2.8.0
    replicas: 1
    resources:
      requests:
         memory: "512Mi"
         cpu: "200m"
      limits:
         memory: "512Mi"
         cpu: "200m"
  nodePools:
    - component: masters
      replicas: 3
      diskSize: "5Gi"
      jvm: "-Dopensearch.allow_insecure_settings=true"
      resources:
         requests:
            memory: "2Gi"
            cpu: "500m"
         limits:
            memory: "3Gi"
            cpu: "1000m"
      roles:
        - "data"
        - "master"
        - "ingest"
      persistence:
        pvc:
          storageClass: nfs-csi
          accessModes: # You can change the accessMode
          - ReadWriteOnce

Security_config:

config.yml: |-
        _meta:
          type: "config"
          config_version: 2
        config:
          dynamic:
            authz: {}
            authc:
              basic_internal_auth_domain:
                http_enabled: true
                transport_enabled: true
                order: 0
                http_authenticator:
                  type: basic
                  challenge: false
                authentication_backend:
                  type: internal
        
              openid_auth_domain:
                http_enabled: true
                transport_enabled: true
                order: 1
                http_authenticator:
                  type: openid
                  challenge: false
                  config:
                    openid_connect_idp:
                      enable_ssl: true
                      verify_hostnames: false
                      pemtrustedcas_filepath: /usr/share/opensearch/config/certs/openid-dev-certs
                    subject_key: preferred_username
                    roles_key: roles
                    openid_connect_url: "https://keycloak-dev.os-es.xyz.com/auth/realms/master/.well-known/openid-configuration"
                authentication_backend:
                  type: noop
      roles_mapping.yml: |-
        _meta:
          type: "rolesmapping"
          config_version: 2

Relevant Logs or Screenshots:

{"type":"log","@timestamp":"2024-04-16T06:08:57Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Error: getaddrinfo ENOTFOUND keycloak-dev.os-es.xyz.com\n    at GetAddrInfoReqWrap.onlookup [as oncomplete] (node:dns:109:26) {\n  errno: -3007,\n  code: 'ENOTFOUND',\n  syscall: 'getaddrinfo',\n  hostname: 'keycloak-dev.os-es.xyz.com',\n  trace: [\n    {\n      method: 'GET',\n      url: 'https://keycloak-dev.os-es.xyz.com/auth/realms/master/.well-known/openid-configuration'\n    }\n  ],\n  isBoom: true,\n  isServer: true,\n  data: null,\n  output: {\n    statusCode: 502,\n    payload: {\n      message: 'Client request error: getaddrinfo ENOTFOUND keycloak-dev.os-es.xyz.com',\n      statusCode: 502,\n      error: 'Bad Gateway'\n    },\n    headers: {}\n  }\n}"}
{"type":"log","@timestamp":"2024-04-16T06:08:57Z","tags":["debug","root"],"pid":1,"message":"shutting root down"}
{"type":"log","@timestamp":"2024-04-16T06:08:57Z","tags":["fatal","root"],"pid":1,"message":"Error: Failed when trying to obtain the endpoints from your IdP\n    at OpenIdAuthentication.init (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/types/openid/openid_auth.ts:117:13)\n    at processTicksAndRejections (node:internal/process/task_queues:96:5)\n    at MultipleAuthentication.init (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/types/multiple/multi_auth.ts:79:11)\n    at createAuthentication (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/auth_handler_factory.ts:46:3)\n    at getAuthenticationHandler (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/auth_handler_factory.ts:91:37)\n    at SecurityPlugin.setup (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/plugin.ts:117:39)\n    at PluginsSystem.setupPlugins (/usr/share/opensearch-dashboards/src/core/server/plugins/plugins_system.js:71:24)\n    at PluginsService.setup (/usr/share/opensearch-dashboards/src/core/server/plugins/plugins_service.js:79:19)\n    at Server.setup (/usr/share/opensearch-dashboards/src/core/server/server.js:249:26)\n    at Root.setup (/usr/share/opensearch-dashboards/src/core/server/root/index.js:44:14)\n    at bootstrap (/usr/share/opensearch-dashboards/src/core/server/bootstrap.js:103:5)\n    at Command.<anonymous> (/usr/share/opensearch-dashboards/src/cli/serve/serve.js:193:5)"}

 FATAL  Error: Failed when trying to obtain the endpoints from your IdP
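The fatal line above is generic; the layer that actually failed is named in the `securityDashboards` error record logged just before it. The following is an added example, not part of the original post or of the plugin's code: it scans Dashboards JSON log lines and reports that layer. The layer labels, the constructed host `idp.example.test`, and the assumption that TLS errors are logged in the same `code: '...'` shape as the DNS error in this thread are the example's own.

```python
import json
import re

FATAL = "Failed when trying to obtain the endpoints from your IdP"
# Node.js error codes -> failing layer (layer names are this example's labels).
LAYER = {
    "ENOTFOUND": "dns",
    "EAI_AGAIN": "dns",
    "ECONNREFUSED": "network",
    "ETIMEDOUT": "network",
    "DEPTH_ZERO_SELF_SIGNED_CERT": "tls-trust",
    "SELF_SIGNED_CERT_IN_CHAIN": "tls-trust",
    "UNABLE_TO_VERIFY_LEAF_SIGNATURE": "tls-trust",
    "ERR_TLS_CERT_ALTNAME_INVALID": "tls-hostname",
}


def triage(log_text):
    """Return (layer, code, hostname) for the error preceding the fatal IdP line,
    or None when the fatal line does not occur in the log."""
    cause = None
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # e.g. the plain-text " FATAL  Error: ..." console line
        if not isinstance(rec, dict):
            continue
        tags, msg = rec.get("tags", []), str(rec.get("message", ""))
        if "error" in tags and "securityDashboards" in tags:
            code = re.search(r"code: '([A-Z0-9_]+)'", msg)
            host = re.search(r"hostname: '([^']+)'", msg)
            if code:
                cause = (LAYER.get(code.group(1), "unknown"), code.group(1),
                         host.group(1) if host else None)
        elif "fatal" in tags and FATAL in msg:
            return cause or ("unknown", None, None)
    return None


def make_line(tags, message):
    """Build one constructed Dashboards-style JSON log line."""
    return json.dumps({"type": "log", "tags": tags, "pid": 1, "message": message})


# Constructed samples modelled on the log format shown in this thread.
SAMPLE_DNS = "\n".join([
    make_line(["error", "plugins", "securityDashboards"],
              "Error: getaddrinfo ENOTFOUND idp.example.test\n  code: 'ENOTFOUND',\n"
              "  syscall: 'getaddrinfo',\n  hostname: 'idp.example.test'"),
    make_line(["fatal", "root"], "Error: " + FATAL),
])
SAMPLE_TLS = "\n".join([
    make_line(["error", "plugins", "securityDashboards"],
              "Error: self-signed certificate in certificate chain\n"
              "  code: 'SELF_SIGNED_CERT_IN_CHAIN'"),
    make_line(["fatal", "root"], "Error: " + FATAL),
])

if __name__ == "__main__":
    print(triage(SAMPLE_DNS))
    print(triage(SAMPLE_TLS))
```

A `dns` result means the Dashboards pod never reached the IdP, so the CA file configured for the OpenSearch nodes was not yet involved in that failure.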

Hi @Tamilkumar,

According to the documentation, pemtrustedcas_filepath is the absolute path to the PEM file containing the root CAs of your IdP.

Could you test with a .pem file containing the root CAs of your Keycloak as pemtrustedcas_filepath?

Have you managed to successfully use your set-up without TLS?

Best,
mj

Without TLS it's working fine. But for integration it needs to be in TLS.

Can you confirm if you can resolve your IDP FQDN (Keycloak “well-known”) on all of your OpenSearch nodes?

Thanks,
mj

Also, can you confirm the above? It seems it is pointing at a folder rather than the Keycloak certificate.

thanks,
mj

I am able to access it in insecure mode.

curl -k "https://keycloak-dev.os-es.xyz.com/auth/realms/master/.well-known/openid-configuration"

Keycloak certs are stored in /etc/ssl

In this case:

openid_connect_idp:
  enable_ssl: true
  verify_hostnames: false
  pemtrustedcas_filepath: /etc/ssl/<root-ca-keycloak>.pem

best,
mj

On the Keycloak side, in /etc/certs, it's a keycloak.crt and key and not the rootca.crt.

pemtrustedcas_filepath is the one where we took the certs from the realm settings, which will look like this:


This is the secret which we created from the self-signed Keycloak certs.

Can you please share the output of:

ls -l /usr/share/opensearch/config/certs/

thanks,
mj

Hi,

Below is the output from exec inside the pod.

[opensearch@os-dev-cluster-masters-0 certs]$ pwd
/usr/share/opensearch/config/certs

[opensearch@os-dev-cluster-masters-0 certs]$ ls
lrwxrwxrwx 1 root root 23 Apr 15 06:32 openid-dev-certs -> ..data/openid-dev-certs

[opensearch@os-dev-cluster-masters-0 certs]$ cat openid-dev-certs
{“keys”:[{“kid”:“T6XeQit7hO3gav7DE6Gr_OflcQNB-KiZsytYCL49bBI”,“kty”:“RSA”,“alg”:“RS256”,“use”:“sig”,“n”:“raFvpXXi7-2f4dcG1UNY57v7e-NrbosOS4S1WDjUzH-q-gIDLE1EUgLZf6BA_ErflBCXPg_DPgozTFSut4JSfPtE92uArDm49IdYjMgCS8P_RT-0DPGeUyzawwe2vEOGzy8eXrjYgdjx-FVS66tYkBajUtfQCwIpF02Fntf8IaWFZFvzm_i3HgFFe1iGL6RBpzMt_FOBgXgPKfmgFxZwFoZjRWg36s40GriZu7MuIb6pmtQZFDUoVo1EAxeZThXL0WJLvshYN4JmK5QOorAXo1jhGIsue8tTWUTw91lASAzgAtgdlQ4JsFWrb_w2VNaxl7RDMe2xodchEP7DDqnCXQ”,“e”:“AQAB”,“x5c”:[“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”],“x5t”:“nTan0hMdblK9P1vZNZLVBiAEhIM”,“x5t#S256”:“Wig17kPR1uzhtTMzfq0wTmF0eIdG-vSSIX6HblmGHS8”},{“kid”:“YEu5rG8QTQW2uTyLIRd0saTrN9KFXpsZU-meAtA1ozI”,“kty”:“RSA”,“alg”:“RSA-OAEP”,“use”:“enc”,“n”:“twq8gt0w4XCWTKjmCdVNMXuYY4tQI0XsnyjoQj43sK8KRAupVV5pkSzHvypLjyuvXL4zrqhCVtBxQ47_EwCcWrBmEwPAEpPYWZGgub7CwP5F2AMN6ZC5HCdXSP9yMzc_fb8lHl-xKSBfnWDoVdM1o-N5yZMnavOHePg7a54hNh-oMshADMCumFoPoe-8fKGATWcB7OkB3dHZcmJ_dhE7BokFYJVgKzxWgiAaYZwwehPTE2pFxN7hXQebLbGXe65uiNKyYICHtswXRz2dkDvrKJI0BD_oR11JVQzyra_7ICBv8gKdygRSwneg-GZHQMQH6pYPsDDv3JyznZOgStnNPw”,“e”:“AQAB”,“x5c”:[“MIICmzCCAYMCBgGOvTFfOTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjQwNDA4MTAxMDEzWhcNMzQwNDA4MTAxMTUzWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3CryC3TDhcJZMqOYJ1U0xe5hji1AjReyfKOhCPjewrwpEC6lVXmmRLMe/KkuPK69cvjOuqEJW0HFDjv8TAJxasGYTA8ASk9hZkaC5vsLA/kXYAw3pkLkcJ1dI/3IzNz99vyUeX7EpIF+dYOhV0zWj43nJkydq84d4+DtrniE2H6gyyEAMwK6YWg+h77x8oYBNZwHs6QHd0dlyYn92ETsGiQVglWArPFaCIBphnDB6E9MTakXE3uFdB5stsZd7rm6I0rJggIe2zBdHPZ2QO+sokjQEP+hHXUlVDPKtr/sgIG/yAp3KBFLCd6D4ZkdAxAfqlg+wMO/cnLOdk6BK2c0/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFNM4mDaMrE5B46xHeMxfnY/gQNucikW3ZaeMITYkkZieDbBBOlgJ+A74j1fgSraMDdLkoMs+6zr3tFztcAuJxyysJ2VLNmpx4QnF1OAO8ibPx6+lYLBJn2jB3TqByj2aPedWz0flT0lSi7PPc5RUzXT+d03ggi/IMYZ8UHU4vAx/3RBw/0qYY5ILfLf1Fk1d7QTCdhj2wBR9j87/748fg1AfgXr/oi45noB1sNm6hd2nyVd77TOzuVUQpu3L22h66V2S4Cl8BnMIobzT297OHZa/BbfLnf2zxcV++LKjD9IYmxTCuQpXTbf7vzTkJuekyPoAeXkD7Z10ZiXnemJPAo=”],“x5t”:“1wU4g4C01FDNjL
0XgGD8opNS2UE”,“x5t#S256”:“Z5Wl-NqlCccXEWrtOzcGO4S8bF2u3rY57SW4X-fQy1k”}]}

Hi @Tamilkumar,

The certificate file should look like:

-----BEGIN CERTIFICATE-----
MIIE9TCCA92gAwIBAgISA6jc3A/Kr3GrPpwtPm9MwEiuMA0GCSqGSIb3DQEBCwUA
...
...
...
...
...
...
...
OTg49+OexlFa7pHaBsFKIOhWLjc7v/afY1JMqhj9nu/B22sQEbS5sTWhexaBEvRW
bQ2sZvoRCqApVl4g6+oSEEpZNbRAZnSSTQ==
-----END CERTIFICATE-----

You can use the command below and copy the output as shown above (starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, including the values specified).

openssl s_client -connect <keycloak>:8443

Alternatively, use your browser with an HTTPS connection to your Keycloak and navigate to:

image

best,
mj
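The mismatch discussed in this thread (a JWK Set in JSON mounted where `pemtrustedcas_filepath` expects PEM certificates) can be caught before the pods restart. The following is an added example, not code from the thread or from the security plugin: it classifies the content of a candidate trust file. The function names and the constructed samples are this example's own, and the PEM check covers only the envelope (markers, base64, DER SEQUENCE tag), not whether the certificate is a CA.

```python
import base64
import json
import os
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def classify_trust_material(text):
    """Classify text meant for pemtrustedcas_filepath; returns (kind, detail)."""
    stripped = text.strip()
    if stripped.startswith("{"):
        try:
            doc = json.loads(stripped)
        except ValueError:
            return ("unknown", "starts like JSON but does not parse")
        keys = doc.get("keys") if isinstance(doc, dict) else None
        if isinstance(keys, list):
            uses = sorted({str(k.get("use")) for k in keys if isinstance(k, dict)})
            return ("jwks", "JWK Set, %d key(s), use=%s" % (len(keys), "/".join(uses)))
        return ("unknown", "JSON without a 'keys' array")
    blocks = PEM_RE.findall(text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        return ("private-key", "contains a private key; not a CA file")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if not certs:
        return ("unknown", "no PEM CERTIFICATE block found")
    for body in certs:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            return ("unknown", "CERTIFICATE block is not valid base64")
        if der[:1] != b"\x30":  # a DER certificate is an ASN.1 SEQUENCE
            return ("unknown", "CERTIFICATE block is not a DER SEQUENCE")
    return ("pem-certs", "%d certificate block(s)" % len(certs))


def classify_path(path):
    """Same check for a filesystem path; a directory is reported, not read."""
    if os.path.isdir(path):
        return ("directory", "path is a directory; the setting needs a file")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify_trust_material(fh.read())


# Constructed samples (not taken from the thread).
SAMPLE_JWKS = json.dumps({"keys": [
    {"kid": "constructed-sig", "kty": "RSA", "use": "sig", "n": "AQAB", "e": "AQAB"},
    {"kid": "constructed-enc", "kty": "RSA", "use": "enc", "n": "AQAB", "e": "AQAB"},
]})
# Envelope only: SEQUENCE { INTEGER 0 }, valid DER but not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"\x30\x03\x02\x01\x00").decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, sample in (("jwks", SAMPLE_JWKS), ("pem", SAMPLE_PEM)):
        print(name, classify_trust_material(sample))
```

Only a `pem-certs` result is a candidate for the setting; confirm that it is the issuing CA of the Keycloak HTTPS certificate with a real X.509 parser before mounting it.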