rmstmg
September 25, 2023, 5:53pm
1
Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Describe the issue :
server.ssl.certificate: /etc/letsencrypt/live/opensearch.example.com/cert.pem
server.ssl.key: /etc/letsencrypt/live/opensearch.example.com/privkey.pem
opensearch.ssl.certificateAuthorities: [ "/etc/letsencrypt/live/opensearch.example.com/fullchain.pem" ]
But I am not able to browse OpenSearch Dashboard after configuring above certificates and restarting OSD. I am getting connection refused on opensearch.example.com:5601 . What could be the reason for the issue? I don’t see any issue on the opensearch log. Can I use the above certificate for dataprepper sink for OpenSearch?
Thanks in advance.
Eugene7
September 26, 2023, 2:40pm
2
Hi @rmstmg
Could you please share your opensearch_dashboards.yml , opensearch.yml and data-prepper-config.yaml files?
rmstmg
September 26, 2023, 3:48pm
3
Hello @Eugene7 , Please find the config details as below:
opensearch.yml:
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
network.host: 0.0.0.0
discovery.type: single-node
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/node1.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/node1.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
- 'CN=opensearch.example.com,OU=IT,O=Example Ltd.,L=London,C=UK'
plugins.security.nodes_dn:
- 'CN=opensearch.example.com,OU=IT,O=Example Ltd.,L=London,C=UK'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
opensearch-dashboard.yml:
---
server.host: "0.0.0.0"
server.maxPayloadBytes: 104857600
opensearch.requestTimeout: 30000
opensearch.hosts: [https://<serveripaddress>:9200]
opensearch.ssl.verificationMode: none
opensearch.username: admin
opensearch.password: password here
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
server.ssl.enabled: true
server.ssl.certificate: /etc/letsencrypt/live/opensearch.example.com/cert.pem
server.ssl.key: /etc/letsencrypt/live/opensearch.example.com/privkey.pem
opensearch.ssl.certificateAuthorities: [ "/etc/letsencrypt/live/opensearch.example.com/fullchain.pem" ]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
opensearch_security.cookie.secure: false
dataprepper-config.yml:
log-pipeline:
source:
http:
ssl: false
sink:
- opensearch:
hosts: [ "https://opensearch.example.com:9200" ]
insecure: true
username: admin
password: password
index: my-logs-%{yyyy.MM.dd}
Your help is highly appreciated. Thanks.
Eugene7
September 28, 2023, 8:47am
4
Can you connect to the OpenSearch node with a curl command ? Are the node certificates for http and transport self-signed or from Let’s encrypt?