Not able to create OpenSearch cluster on Ubuntu 22.04

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Trying to create an OpenSearch cluster running version 2.15.0 on Ubuntu 22.04.

Describe the issue:

We are trying to create an OpenSearch cluster on Ubuntu 22.04 using self-signed certs, but we are not able to create it.

Can you please help us with detailed steps for creating an OpenSearch cluster between two nodes?

Configuration:

cluster.name: opensearch-cluster

# ------------------------------------ Node ------------------------------------
# Use a descriptive name for the node:
node.name: TEST022

# Add custom attributes to the node:
#node.attr.rack: r1
node.roles: ["master","data","ingest"]
#node.roles: [ data, cluster_manager ]

# ----------------------------------- Paths ------------------------------------
# Path to directory where to store the data (separate multiple locations by comma):
path.data: /var/lib/opensearch

# Path to log files:
path.logs: /var/log/opensearch

# ----------------------------------- Memory -----------------------------------
# Lock the memory on startup:
bootstrap.memory_lock: true
network.host: 0.0.0.0
#network.bind_host: 10.102.200.246
#network.bind_host: [local, site]

# Set a custom port for HTTP:
#http.port: 9200

# For more information, consult the network module documentation.
# --------------------------------- Discovery ----------------------------------
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
discovery.seed_hosts: ["192.168.2.100","192.168.2.200"]
#discovery.type: single-node

# Bootstrap the cluster using an initial set of cluster-manager-eligible nodes:
cluster.initial_master_nodes: ["TEST022","TEST023"]
plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent,.plugins-ml-config,.plugins-ml-connector,.plugins-ml-controller,.plugins-ml-model-group,.plugins-ml-model,.plugins-ml-task,.plugins-ml-conversation-meta,.plugins-ml-conversation-interactions,.plugins-ml-memory-meta,.plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,.opendistro-alerting-alert*,.opendistro-anomaly-results*,.opendistro-anomaly-detector*,.opendistro-anomaly-checkpoints,.opendistro-anomaly-detection-state,.opendistro-reports-*,.opensearch-notifications-*, .opensearch-notebooks,.opensearch-observability,.ql-datasources,.opendistro-asynchronous-search-response*,.replication-metadata-store,.opensearch-knn-models,.geospatial-ip2geo-data*,.plugins-flow-framework-config,.plugins-flow-framework-templates,.plugins-flow-framework-state]
node.max_local_storage_nodes: 2
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/cert/org.crt
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/cert/org.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/cert/org_ca.crt
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/cert/org.crt
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/cert/org.key
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/cert/org_ca.crt

Relevant Logs or Screenshots:

Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
at java.base/sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:246) ~[?:?]
at java.base/sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:151) ~[?:?]
at java.base/sun.security.validator.Validator.validate(Validator.java:269) ~[?:?]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284) ~[?:?]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:138) ~[?:?]
at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkClientTrusted(EnhancingX509ExtendedTrustManager.java:62) ~[netty-handler-4.1.110.Final.jar:4.1.110.Final]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkClientCerts(CertificateMessage.java:1241) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1167) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1144) ~[?:?]
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1273) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?]
at java.base/java.security.AccessController.doPrivileged(AccessController.java:714) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205) ~[?:?]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651) ~[netty-handler-4.1.110.Final.jar:4.1.110.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497) ~[netty-handler-4.1.110.Final.jar:4.1.110.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338) ~[netty-handler-4.1.110.Final.jar:4.1.110.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387) ~[netty-handler-4.1.110.Final.jar:4.1.110.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.110.Final.jar:4.1.110.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.110.Final.jar:4.1.110.Final]
… 16 more

Hi @shubhammugale,

How did you generate your certificates?

Have you tried following the instructions here:

best,
mj

Yes, I have tried with these certs also, but no luck.

Could you check whether your custom node's certificate has both TLS server and client authentication?

Server nodes act as both a client and a server when they communicate with each other. According to the error, you're missing TLS client authentication in the Extended Key Usage.
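The check suggested above, worked end to end as an added example (this is not code from the thread or from the OpenSearch project): it mints a self-signed root CA and a node certificate whose Extended Key Usage carries both serverAuth and clientAuth, signs a second, serverAuth-only certificate for comparison, and inspects each with openssl. The node name TEST022, the IP 192.168.2.100, the subject names and the output directory are assumptions; which file maps to which `plugins.security.ssl.*` setting is noted in the comments.

```bash
#!/usr/bin/env bash
# Added example, not code from the original thread: create a self-signed CA and
# a node certificate whose Extended Key Usage covers BOTH TLS server and TLS
# client authentication (needed for transport TLS, since every node is also a
# client to its peers), then check the EKU with openssl. The node name TEST022,
# the IP 192.168.2.100 and the output directory are assumptions.
set -euo pipefail

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CNF="$WORKDIR/openssl.cnf"

# Minimal OpenSSL config. v3_node is the profile a node cert must get;
# v3_node_serveronly reproduces the mistake behind the error in the thread.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = placeholder-overridden-by-subj

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_node ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = DNS:TEST022, IP:192.168.2.100
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ v3_node_serveronly ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:TEST022, IP:192.168.2.100
EOF

# Values line of the "X509v3 Extended Key Usage" extension, empty if absent.
cert_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 || true
}

# Returns 0 if the cert may act as both TLS server and TLS client, 1 otherwise.
node_cert_eku_ok() {
  local eku
  eku="$(cert_eku "$1")"
  case "$eku" in
    *"TLS Web Server Authentication"*) ;;
    *) return 1 ;;
  esac
  case "$eku" in
    *"TLS Web Client Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Sign a CSR with the root CA using the named extension section of $CNF.
sign_node_cert() {  # args: csr out_pem extension_section
  openssl x509 -req -in "$1" -CA "$WORKDIR/root-ca.pem" -CAkey "$WORKDIR/root-ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$CNF" -extensions "$3" -out "$2" 2>/dev/null
}

# 1. Root CA: root-ca.pem goes to pemtrustedcas_filepath on every node.
openssl req -x509 -new -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes -sha256 \
  -days 365 -subj "/O=example/CN=example-root-ca" \
  -keyout "$WORKDIR/root-ca.key" -out "$WORKDIR/root-ca.pem" 2>/dev/null

# 2. Node key and CSR: node.key goes to pemkey_filepath.
openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=example/CN=TEST022" \
  -keyout "$WORKDIR/node.key" -out "$WORKDIR/node.csr" 2>/dev/null

# 3. Node cert with serverAuth + clientAuth: node.pem goes to pemcert_filepath ...
NODE_CERT="$WORKDIR/node.pem"
sign_node_cert "$WORKDIR/node.csr" "$NODE_CERT" v3_node
# ... and, for comparison, a serverAuth-only cert, which peers reject with
# "Extended key usage does not permit use for TLS client authentication".
SERVER_ONLY_CERT="$WORKDIR/node-serveronly.pem"
sign_node_cert "$WORKDIR/node.csr" "$SERVER_ONLY_CERT" v3_node_serveronly

# The chain must verify against the CA the peers trust.
openssl verify -CAfile "$WORKDIR/root-ca.pem" "$NODE_CERT"

echo "node.pem EKU:            $(cert_eku "$NODE_CERT")"
echo "node-serveronly.pem EKU: $(cert_eku "$SERVER_ONLY_CERT")"
node_cert_eku_ok "$NODE_CERT"        && echo "node.pem: usable for transport TLS"
node_cert_eku_ok "$SERVER_ONLY_CERT" || echo "node-serveronly.pem: NOT usable for transport TLS"
```

Run `node_cert_eku_ok /etc/opensearch/cert/org.crt` against the certificate from the posted configuration to confirm the diagnosis before regenerating anything. Since that configuration uses the same org.crt for both the transport and the HTTP layer, one certificate with both EKU values serves both, and the certificate presented to `securityadmin.sh` under `plugins.security.authcz.admin_dn` is likewise used as a TLS client certificate, so it needs clientAuth too.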