Host name mismatch in certificates when running securityadmin.sh

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Single-node OpenSearch in Docker container, version 2.18.0

Security demo configuration disabled (disabled running install_demo_configuration.sh)

The system is configured with TLS certificates (root, admin and a node certificate) according to the guidelines on Generating self-signed certificates - OpenSearch Documentation

Describe the issue:

The container starts and responds to a basic curl request:
% curl --insecure -u admin:admin -X GET https://localhost:9200

I connect to the container using % docker exec -it 9100 /bin/sh

I run the securityadmin.sh:

sh-5.2$ ./plugins/opensearch-security/tools/securityadmin.sh -cd ./config/opensearch-security -cacert ./config/root-ca.pem -cert ./config/admin.pem -key ./config/admin-key.pem -icl -nhnv

The securityadmin script gives several error messages about a mismatch in the certificate subject of the node certificate, claiming that 'localhost' does not match the subject of the certificate.

The host does not have any DNS entry. All certificates have been given a subject alternative name (SAN) with the localhost IP.

% echo subjectAltName=IP:127.0.0.1 > node1.ext

Configuration:

MacOS Sequoia 15.1.1 on host
Docker Desktop 4.37.2

Opensearch single node in docker container
docker-compose file with certificates and custom opensearch.yml, config.yml

Relevant Logs or Screenshots:

From /bin/sh in the container (certificate subject details are x:ed):

sh-5.2$ ./plugins/opensearch-security/tools/securityadmin.sh -cd ./config/opensearch-security -cacert ./config/root-ca.pem -cert ./config/admin.pem -key ./config/admin-key.pem -icl -nhnv

Security Admin v7
Will connect to localhost:9200 ... done
ERR: An unexpected IOException occured: Host name 'localhost' does not match the certificate subject provided by the peer (EMAILADDRESS=xxx, CN=x OU=x O=x L=x ST=xx, C=x)
Trace:
java.io.IOException: Host name 'localhost' does not match the certificate subject provided by the peer (EMAILADDRESS=xxx, CN=x OU=x O=x L=x ST=xx, C=x)
at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:1252)
at org.opensearch.client.RestClient.performRequest(RestClient.java:358)
at org.opensearch.client.RestClient.performRequest(RestClient.java:346)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:575)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:165)


I don’t understand why the certificate mismatch occurs. localhost has been specified in the SAN of the certificates.

Any suggestions on what might be the problem are highly appreciated.

@lightbulb1 localhost is not the same as 127.0.0.1.
When you set up an SSL connection, the IP address and the DNS name matter. If you still want to use localhost then you literally must have localhost in the SAN:

            X509v3 Subject Alternative Name:
                DNS:node1.example.com, DNS:localhost

Alternatively, you can use the -h <OpenSearch_IP_or_FQDN> option to specify the OpenSearch hostname.
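To make the distinction concrete, here is an added shell example (not from the thread) that rebuilds the asker's `IP:127.0.0.1` SAN and the recommended `DNS:localhost` SAN as throwaway self-signed certificates and runs OpenSSL's own host and IP matching against each; the CN=node1 subject and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the SAN mismatch with openssl.
# Builds two throwaway self-signed certs, one with the asker's ext file
# (IP:127.0.0.1 only) and one that also carries DNS:localhost, then asks
# openssl whether the DNS name "localhost" or the IP 127.0.0.1 matches each.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SAN: self-signed cert whose SAN is exactly $2.
# CN=node1 is a placeholder chosen so the CN can never satisfy a "localhost" check.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=node1/O=example" -addext "subjectAltName=$2" \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1.pem" 2>/dev/null
}

# cert_matches_host CERT NAME: succeeds only if NAME matches a DNS SAN
# (openssl falls back to the CN only when the cert has no DNS SAN at all).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_matches_ip CERT IP: succeeds only if IP matches an "IP Address" SAN.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

make_cert ip-only "IP:127.0.0.1"                 # what the asker's node1.ext produces
make_cert both    "DNS:localhost,IP:127.0.0.1"   # what the answer recommends

for name in ip-only both; do
    cert="$WORK/$name.pem"
    san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -s ' ')
    echo "== $name:$san"
    # securityadmin.sh connects to "localhost", so this is the check that fails in the thread
    if cert_matches_host "$cert" localhost; then echo "   localhost -> match"; else echo "   localhost -> NO match"; fi
    # with -h 127.0.0.1 the client matches against the IP SANs instead
    if cert_matches_ip "$cert" 127.0.0.1; then echo "   127.0.0.1 -> match"; else echo "   127.0.0.1 -> NO match"; fi
done
```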