Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Single-node OpenSearch in Docker container, version 2.18.0
Security demo configuration disabled (disabled running install_demo_configuration.sh)
The system is configured with TLS certificates (root, admin and a node certificate) according to the guidelines on Generating self-signed certificates - OpenSearch Documentation
Describe the issue:
The container starts and responds to a basic curl request:
% curl --insecure -u admin:admin -X GET https://localhost:9200
I connect to the container using % docker exec -it 9100 /bin/sh
I run the securityadmin.sh:
sh-5.2$ ./plugins/opensearch-security/tools/securityadmin.sh -cd ./config/opensearch-security -cacert ./config/root-ca.pem -cert ./config/admin.pem -key ./config/admin-key.pem -icl –nhnv
The securityadmin script gives several error messages about a mismatch in the certificate subject of the node certificate, claiming that ‘localhost’ does not match the subject of the certificate.
The host does not have any DNS entry. All certificates have been given a subject alternative name (SAN) with localhost IP.
% echo subjectAltName=IP:127.0.0.1 > node1.ext
Configuration:
macOS Sequoia 15.1.1 on host
Docker Desktop 4.37.2
OpenSearch single node in Docker container
docker-compose file with certificates and custom opensearch.yml, config.yml
Relevant Logs or Screenshots:
From /bin/sh in the container (certificate subject details are x:ed):
sh-5.2$ ./plugins/opensearch-security/tools/securityadmin.sh -cd ./config/opensearch-security -cacert ./config/root-ca.pem -cert ./config/admin.pem -key ./config/admin-key.pem -icl –nhnv
Security Admin v7
Will connect to localhost:9200 … done
ERR: An unexpected IOException occured: Host name ‘localhost’ does not match the certificate subject provided by the peer (EMAILADDRESS=xxx, CN=x OU=x O=x L=x ST=xx, C=x)
Trace:
java.io.IOException: Host name ‘localhost’ does not match the certificate subject provided by the peer (EMAILADDRESS=xxx, CN=x OU=x O=x L=x ST=xx, C=x)
at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:1252)
at org.opensearch.client.RestClient.performRequest(RestClient.java:358)
at org.opensearch.client.RestClient.performRequest(RestClient.java:346)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:575)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:165)
I don’t understand why the certificate mismatch occurs. localhost has been specified in the SAN of the certificates.
Any suggestions on what might be the problem are highly appreciated.
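Added example (not part of the original post, and not OpenSearch or securityadmin code): a minimal RFC 6125-style subject alternative name matcher, run on the extension line shown in the post. It assumes the client compares a host name only against DNS entries and an IP literal only against IP entries, with no fallback to the subject CN; the function names and the second extension line are constructed for illustration.

```python
import ipaddress

PAGE_EXT = "subjectAltName=IP:127.0.0.1"                   # line from the post
CONSTRUCTED_EXT = "subjectAltName=DNS:localhost,IP:127.0.0.1"  # constructed sample


def parse_san(ext_line):
    """Parse an OpenSSL extfile line into a list of (type, value) SAN entries."""
    key, _, value = ext_line.strip().partition("=")
    if key.strip() != "subjectAltName":
        raise ValueError("not a subjectAltName line")
    entries = []
    for item in value.split(","):
        kind, _, name = item.strip().partition(":")  # first colon only (IPv6 safe)
        kind = kind.strip().upper()
        if kind not in ("DNS", "IP") or not name:
            raise ValueError(f"unsupported SAN entry: {item!r}")
        entries.append((kind, name.strip()))
    return entries


def _dns_match(pattern, host):
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    # A wildcard is honoured only as the whole left-most label of a longer name.
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def san_matches(host, entries):
    """True if the name the client connects to is covered by a SAN entry."""
    try:
        target_ip = ipaddress.ip_address(host)  # IP literal: compare to IP entries
    except ValueError:
        target_ip = None                        # host name: compare to DNS entries
    for kind, name in entries:
        if target_ip is not None and kind == "IP":
            if ipaddress.ip_address(name) == target_ip:
                return True
        elif target_ip is None and kind == "DNS" and _dns_match(name, host):
            return True
    return False


def check(ext_line, hosts):
    entries = parse_san(ext_line)
    return {h: san_matches(h, entries) for h in hosts}
```

Under these assumptions, `check(PAGE_EXT, ["localhost", "127.0.0.1"])` shows that an IP-only SAN covers the address `127.0.0.1` but not the name `localhost`.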