How to change admin password with ssl disabled?

roy649 · January 21, 2024, 5:58pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

{
  "name" : "opensearch2",
  "cluster_name" : "opensearch",
  "cluster_uuid" : "7oGIJSAeSFyk84VYI-suvA",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.11.1",
    "build_type" : "deb",
    "build_hash" : "6b1986e964d440be9137eba1413015c31c5a7752",
    "build_date" : "2023-11-29T21:43:44.221253956Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Describe the issue:
I have ssl disabled in opensearch.yml:

plugins.security.ssl.http.enabled: false

I want to change the admin password from the default. It looks like to do that, I need to edit internal_users.yml and then run securityadmin.sh

sudo OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -f internal_users.yml -cacert /etc/opensearch/spi-tools-root-ca.pem -cert /etc/opensearch/spi-tools-admin.pem

it fails with:

ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection?

I see in https://opensearch.org/docs/latest/security/configuration/security-admin/ it says:

securityadmin.sh requires that SSL/TLS transport is enabled on your opensearch cluster. In other words, make sure that the plugins.security.ssl.http.enabled: true is set in opensearch.yml before proceeding.

so I’m stuck. How do I change my admin password without having ssl enabled?

roy649 · January 21, 2024, 11:52pm

Ugh, it looks like this is Issue 1952.

raj1209 · January 22, 2024, 4:53am

Do you have a demo certificates generated in opensearch ?
You still can run the security admin.

if demo certificates generated in place, you can follow these steps

step 1: change plugins.security.ssl.http.enabled: true

step 2: Restart master node

step 3 : Run security admin script for internal users.

step 4 : Once this is done change the setting back to false plugins.security.ssl.http.enabled: false

Although its recomended to use with above setting enabled to true.

roy649 · January 22, 2024, 10:23pm

Hi Raj, Thanks for your help, I’m up and running now.

Topic		Replies	Views
Cannot change default password for Admin OS 1.2.3 Security configure	5	721	January 12, 2022
Query: To run securityadmin.sh when TLS is disabled on Rest layer Security	1	656	July 18, 2022
Cannot update admin password OpenSearch troubleshoot , index-management	1	301	February 29, 2024
How to update admin password in internal_user.yml file without losing the existing users OpenSearch troubleshoot , upgrade	4	1432	August 8, 2023
Unable to change admin user password while deploying OpenSearch Security	11	1568	August 9, 2023

How to change admin password with ssl disabled?

Related topics