Installation TLS certificate issues

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.16/Windows 10/Firefox

Describe the issue:
I’m installing OpenSearch on Windows 10 and I’m struggling with SSL configuration. I receive the following error:

Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:365) ~[?:?]
        at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:287) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204) ~[?:?]
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482) ~[?:?]
        at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679) ~[?:?]
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:308) ~[netty-handler-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1443) ~[netty-handler-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1336) ~[netty-handler-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1385) ~[netty-handler-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.111.Final.jar:4.1.111.Final]

Configuration:
Here is my configuration:

plugins.security.ssl.transport.pemcert_filepath: certs/node1.pem
plugins.security.ssl.transport.pemkey_filepath: certs/node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certs/node1.pem
plugins.security.ssl.http.pemkey_filepath: certs/node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
plugins.security.allow_default_init_securityindex: true

plugins.security.authcz.admin_dn:
  - "CN=A, OU=UNIT, O=ORG, L=TORONTO, ST=ONTARIO, C=CA"

cluster.name: prawo
node.name: "node1"
network.host: 0.0.0.0
discovery.seed_hosts: ["192.168.1.118", "192.168.1.248"]
cluster.initial_master_nodes: ["node1"]
node.master: true
node.data: true
node.ingest: true

Commands used to create certificates:

# Root CA
openssl genrsa -out root-ca-key.pem 2048
openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=root.dns.a-record" -out root-ca.pem -days 730
# Admin cert
openssl genrsa -out admin-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
openssl req -new -key admin-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=A" -out admin.csr
openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730
# Node cert 1
openssl genrsa -out node1-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem
openssl req -new -key node1-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=192.168.1.118" -out node1.csr
echo 'subjectAltName=IP:192.168.1.118' > node1.ext
openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext
# Node cert 2
openssl genrsa -out node2-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node2-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node2-key.pem
openssl req -new -key node2-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=192.168.1.248" -out node2.csr
echo 'subjectAltName=IP:192.168.1.248' > node2.ext
openssl x509 -req -in node2.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node2.pem -days 730 -extfile node2.ext

Relevant Logs or Screenshots:

Please let me know how I can resolve this issue. I have tried different options many times but am still getting the error.

During one try I got additional error:

[2024-08-26T14:05:28,394][WARN ][o.o.s.h.HTTPBasicAuthenticator] [node1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2024-08-26T14:05:28,504][ERROR][o.o.h.n.s.SecureNetty4HttpServerTransport] [node1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:365) ~[?:?]
        at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:287) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204) ~[?:?]
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482) ~[?:?]
        at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679) ~[?:?]
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:308) ~[netty-handler-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1443) ~[netty-handler-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1336) ~[netty-handler-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1385) ~[netty-handler-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[netty-codec-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1407) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:918) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:689) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:652) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:994) [netty-common-4.1.111.Final.jar:4.1.111.Final]
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.111.Final.jar:4.1.111.Final]
        at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]

Hi @Greg1 ,

According to the following documentation, Windows 10 is not supported for OpenSearch.

Hi,
If needed, I can install it on Hyper-V, but I believe it won’t solve the issue. However, after multiple tries I managed to go further and got a different error. I saw a similar topic for this error, but after applying the changes I still have the same issue.
My node-1 is working OK with self-signed certificates; however, when the 2nd node tries to connect I get an error:

[2024-08-27T13:53:38,503][ERROR][o.o.s.t.SecurityRequestHandler] [node-1] OpenSearchException[Transport client authentication no longer supported.]

Here is my node-1 configuration:

cluster.name: cluster
node.name: node-1
node.roles: [master, data, ingest]
network.host: 192.168.1.118
http.port: 9200
discovery.seed_hosts: ["192.168.1.118", "192.168.1.248", "192.168.1.57"]
cluster.initial_master_nodes: ["node-1"]
path.data: C:\opensearch\data
path.logs: C:\opensearch\logs
bootstrap.memory_lock: true

# SSL/TLS configuration for node-1
plugins.security.ssl.transport.pemcert_filepath: C:\opensearch\config\node-1.pem
plugins.security.ssl.transport.pemkey_filepath: C:\opensearch\config\node-1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: C:\opensearch\config\root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: C:\opensearch\config\node-1.pem
plugins.security.ssl.http.pemkey_filepath: C:\opensearch\config\node-1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: C:\opensearch\config\root-ca.pem

plugins.security.allow_default_init_securityindex: true

# Administrative DN
plugins.security.authcz.admin_dn:
  - "CN=192.168.1.118, OU=IT, O=prawo, L=Warsaw, C=PL"
plugins.security.nodes_dn:
  - "CN=192.168.1.118, OU=IT, O=prawo, L=Warsaw, C=PL"
  - "CN=192.168.1.248, OU=IT, O=prawo, L=Warsaw, C=PL"

Here is my node-2 configuration:

cluster.name: prawo
node.name: node-2
node.roles: [data, ingest]
network.host: 192.168.1.248
http.port: 9200
discovery.seed_hosts: ["192.168.1.118", "192.168.1.248", "192.168.1.57"]
cluster.initial_master_nodes: ["node-1", "node-2"]
path.data: C:\opensearch\data
path.logs: C:\opensearch\logs
bootstrap.memory_lock: true

# SSL/TLS configuration for node-2
plugins.security.ssl.transport.pemcert_filepath: C:\opensearch\config\node-2.pem
plugins.security.ssl.transport.pemkey_filepath: C:\opensearch\config\node-2-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: C:\opensearch\config\root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: C:\opensearch\config\node-2.pem
plugins.security.ssl.http.pemkey_filepath: C:\opensearch\config\node-2-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: C:\opensearch\config\root-ca.pem

plugins.security.allow_default_init_securityindex: true

# Administrative DN
plugins.security.authcz.admin_dn:
  - "CN=192.168.1.118, OU=IT, O=prawo, L=Warsaw, C=PL"
plugins.security.nodes_dn:
  - "CN=192.168.1.118, OU=IT, O=prawo, L=Warsaw, C=PL"
  - "CN=192.168.1.248, OU=IT, O=prawo, L=Warsaw, C=PL"

Steps to generate certificates (same steps for both, so pasting only for node-1):

openssl genpkey -algorithm RSA -out root-ca-key.pem -aes256
openssl req -x509 -new -nodes -key root-ca-key.pem -sha256 -days 3650 -out root-ca.pem -subj "/C=PL/ST=Masovian/L=Warsaw/O=prawo/OU=IT/CN=prawo-root-ca"

openssl-san.cnf

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
C  = PL
ST = Masovian
L  = Warsaw
O  = prawo
OU = IT
CN = 192.168.1.118

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 192.168.1.118
DNS.1 = node-1

openssl req -new -key node-1-key.pem -out node-1.csr -config C:\opensearch\config\openssl-san.cnf
openssl x509 -req -in node-1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -out node-1.pem -days 365 -sha256 -extfile C:\opensearch\config\openssl-san.cnf -extensions req_ext

Can you see any error in my configuration which is causing:
[node-1] OpenSearchException[Transport client authentication no longer supported.]

Thank you for your help. If needed I can provide more details.

Does the setting below match the DN of the node certificates?

Security settings - OpenSearch Documentation

  • plugins.security.nodes_dn (Static): Specifies a list of distinguished names (DNs) that denote the other nodes in the cluster. This setting supports wildcards and regular expressions. […] If this setting is not configured correctly, the cluster will fail to form as the nodes will not be able to trust each other and will result in the following error: Transport client authentication no longer supported.

Thanks I have tried:

plugins.security.nodes_dn:
  - "CN=*, OU=IT, O=prawo, L=Warsaw, C=PL"

but I am still getting the same error. I’ve done this configuration on both nodes.
How should I configure it to accept any node? This is a dev internal playground; I don’t need high-level security.
I’ve tried to use it without SSL and security plugin enabled but then I was not able to log in with default username and password…

If you don’t need anything specific for the node certificates, it probably would be easiest to run plugins/opensearch-security/tools/install_demo_configuration.bat, which generates (insecure) demo certificates and configures OpenSearch to use them.

Hi @Greg1 ,

Could you please remove the spaces after the commas? It should be

plugins.security.nodes_dn:
  - "CN=*,OU=IT,O=prawo,L=Warsaw,C=PL"
plugins.security.authcz.admin_dn:
  - "CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA"
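As an added pre-flight check (not code from the thread or from the OpenSearch project): the JVM presents a peer certificate's subject in RFC 2253 form, with the RDNs in reverse order from the openssl `-subj` string and no spaces after the separating commas, and the `nodes_dn` / `admin_dn` entries are matched against that string. The script below converts the poster's `openssl-san.cnf` subject (which includes `ST=Masovian`) to that form and tries the entries from the thread against it; the wildcard semantics are a simplified approximation, not the plugin's own matcher.

```python
import re

# Constructed sample value taken from the poster's openssl-san.cnf, written as
# an openssl -subj string (assumption: ST=Masovian is part of the node subject).
NODE_SUBJ_OPENSSL = "/C=PL/ST=Masovian/L=Warsaw/O=prawo/OU=IT/CN=192.168.1.118"


def subj_to_rfc2253(subj: str) -> str:
    """Convert an openssl '/C=.../CN=...' subject to the RFC 2253 string order."""
    rdns = [p for p in subj.split("/") if p]
    return ",".join(reversed(rdns))


def normalize_dn(dn: str) -> str:
    """Strip whitespace around the (unescaped) commas that separate RDNs."""
    return ",".join(p.strip() for p in re.split(r"(?<!\\),", dn))


def dn_entry_matches(entry: str, subject: str, normalize: bool = False) -> bool:
    """Match one nodes_dn/admin_dn entry against a subject; '*' is a wildcard.
    Simplified approximation of the plugin's matching (assumption)."""
    if normalize:
        entry, subject = normalize_dn(entry), normalize_dn(subject)
    regex = ".*".join(re.escape(piece) for piece in entry.split("*"))
    return re.fullmatch(regex, subject) is not None


def check_entries(entries, subject):
    """Return (entry, matches as written, matches after normalizing) per entry."""
    return [(e, dn_entry_matches(e, subject), dn_entry_matches(e, subject, True))
            for e in entries]


if __name__ == "__main__":
    subject = subj_to_rfc2253(NODE_SUBJ_OPENSSL)
    tried = [
        "CN=*, OU=IT, O=prawo, L=Warsaw, C=PL",             # spaces after commas
        "CN=*,OU=IT,O=prawo,L=Warsaw,C=PL",                 # as the last reply suggests
        "CN=*,OU=IT,O=prawo,L=Warsaw,ST=Masovian,C=PL",     # every RDN of the cert
    ]
    print("subject as compared:", subject)
    for entry, as_written, normalized in check_entries(tried, subject):
        print(f"{entry!r}: as written={as_written}, after normalizing={normalized}")
```

The same RFC 2253 string can be read straight off a certificate with `openssl x509 -in node-1.pem -noout -subject -nameopt RFC2253`, which is the form to paste into `nodes_dn` and `admin_dn`.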