Hi!
I have three nodes: opensearch master, opensearch data and opensearch dashboard.
I configured certificates for each node the same way, CN=${HOSTNAME}, but it doesn’t work with dashboards.
"message":"[ConnectionError]: Hostname/IP does not match certificate's altnames: IP: 172.29.39.179 is not in the cert's list: "}
I have disabled transport hostname verification on all nodes
plugins.security.ssl.transport.enforce_hostname_verification: false
Here are the distinguished names:
plugins.security.authcz.admin_dn:
- 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
- 'CN=sa5uts-opm-1,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
- 'CN=sa5uts-opd-1,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
- 'CN=sa5uts-opk-1,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
How can I fix it? Thank you.
@mamol27 According to this the cluster forms between master and data, but only the dashboard is having issues, can you confirm?
If so, transport.enforce_hostname_verification: false has nothing to do with dashboards as it doesn’t use the transport layer.
Can you share your opensearch-dashboards.yaml file?
Ensure you have the below line if you wish to disable the ssl verification:
elasticsearch.ssl.verificationMode: none
Yes, the connection between master and data works fine, with certificates made following this instruction: Generate certificates - OpenSearch documentation
sa5uts-opm-1:~ # curl -XGET https://172.29.39.179:9200/_cat/nodes?v -u 'admin:admin' --insecure
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
172.29.39.181 26 68 1 0.01 0.03 0.00 dir - sa5uts-opd-1
172.29.39.179 25 47 2 0.02 0.03 0.03 mr * sa5uts-opm-1
I want to use SSL verification, but I don’t want to have issues with [alt_names]. Or an instruction without configuring /etc/ssl/openssl.cnf (or another file) for making each certificate.
opensearch_dashboards.yml
opensearch.hosts: ["https://172.29.39.179:9200", "https://172.29.39.182:9200"]
opensearch.ssl.verificationMode: full
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
server.ssl.enabled: true
server.ssl.certificate: /opt/opensearch-dashboards/config/sa5uts-opk-1.pem
server.ssl.key: /opt/opensearch-dashboards/config/sa5uts-opk-1-key.pem
opensearch.ssl.certificateAuthorities: [ "/opt/opensearch-dashboards/config/root-ca.pem"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: true
@Anthony Thank you. I’ve found setting
opensearch.ssl.verificationMode: certificate
It works.
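
An added example, not part of any post in this thread and not OpenSearch project code: a shell script that issues a node certificate whose SAN carries the IP through a one-line per-certificate extension file (no edits to /etc/ssl/openssl.cnf), and shows why a CN-only certificate passes `verificationMode: certificate` but fails `full`. The CA is a throwaway and the function names are made up for this illustration; hostname, IP and subject fields are taken from the thread.

```shell
#!/bin/sh
# Added example: throwaway CA; hostname, IP and subject fields copied from the thread.
set -e

# make_ca DIR: self-signed test root CA, standing in for the real root-ca.pem.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ROOT" \
    -keyout "$1/root-ca-key.pem" -out "$1/root-ca.pem" 2>/dev/null
}

# make_node_cert DIR HOST SAN: key + CA-signed cert for CN=HOST. A non-empty SAN
# (e.g. "DNS:name, IP:addr") is written to a one-line per-certificate extension
# file, so /etc/ssl/openssl.cnf is never touched. Empty SAN gives a CN-only cert.
make_node_cert() {
  dir=$1 host=$2 san=$3
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=$host" \
    -keyout "$dir/$host-key.pem" -out "$dir/$host.csr" 2>/dev/null
  set --
  if [ -n "$san" ]; then
    printf 'subjectAltName = %s\n' "$san" > "$dir/$host.ext"
    set -- -extfile "$dir/$host.ext"
  fi
  openssl x509 -req -in "$dir/$host.csr" -days 30 -sha256 \
    -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca-key.pem" -CAcreateserial \
    -out "$dir/$host.pem" "$@" 2>/dev/null
}

# chain_ok DIR HOST: what verificationMode "certificate" checks (CA chain only).
chain_ok() { openssl verify -CAfile "$1/root-ca.pem" "$1/$2.pem" >/dev/null 2>&1; }

# ip_ok DIR HOST IP: the extra check "full" adds for an https://IP:9200 URL,
# matched against SAN iPAddress entries only (the CN is not consulted).
ip_ok() {
  openssl x509 -in "$1/$2.pem" -noout -checkip "$3" | grep -q 'does match'
}

# Demo: first a CN-only certificate as in the thread, then one with a SAN.
work=$(mktemp -d); ip=172.29.39.179; host=sa5uts-opm-1
make_ca "$work"
for san in "" "DNS:$host, IP:$ip"; do
  make_node_cert "$work" "$host" "$san"
  chain_ok "$work" "$host" && c=pass || c=fail
  ip_ok "$work" "$host" "$ip" && f=pass || f=fail
  echo "SAN='$san' -> certificate: $c, full: $f"
done
```

The subject DN is the same with or without the SAN, so the `plugins.security.nodes_dn` entries shown in the thread do not need to change when a certificate is reissued this way.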