Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Trying to create an OpenSearch cluster, version 2.15.0, on Ubuntu 22.04
Describe the issue:
We are trying to create an OpenSearch cluster on Ubuntu 22.04 using self-signed certs, but we are not able to create it.
Can you please help us with detailed steps for creating an OpenSearch cluster between two nodes?
Configuration:
cluster.name: opensearch-cluster
# ------------------------------------ Node ------------------------------------
# Use a descriptive name for the node:
node.name: TEST022
# Add custom attributes to the node:
#node.attr.rack: r1
node.roles: ["master","data","ingest"]
#node.roles: [ data, cluster_manager ]
# ----------------------------------- Paths ------------------------------------
# Path to directory where to store the data (separate multiple locations by comma):
path.data: /var/lib/opensearch
# Path to log files:
path.logs: /var/log/opensearch
# ----------------------------------- Memory -----------------------------------
# Lock the memory on startup:
bootstrap.memory_lock: true
network.host: 0.0.0.0
#network.bind_host: 10.102.200.246
#network.bind_host: [local, site]
# Set a custom port for HTTP:
#http.port: 9200
# For more information, consult the network module documentation.
# --------------------------------- Discovery ----------------------------------
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
discovery.seed_hosts: ["192.168.2.100","192.168.2.200"]
#discovery.type: single-node
# Bootstrap the cluster using an initial set of cluster-manager-eligible nodes:
cluster.initial_master_nodes: ["TEST022","TEST023"]
plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent,.plugins-ml-config,.plugins-ml-connector,.plugins-ml-controller,.plugins-ml-model-group,.plugins-ml-model,.plugins-ml-task,.plugins-ml-conversation-meta,.plugins-ml-conversation-interactions,.plugins-ml-memory-meta,.plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,.opendistro-alerting-alert*,.opendistro-anomaly-results*,.opendistro-anomaly-detector*,.opendistro-anomaly-checkpoints,.opendistro-anomaly-detection-state,.opendistro-reports-,.opensearch-notifications-, .opensearch-notebooks,.opensearch-observability,.ql-datasources,.opendistro-asynchronous-search-response*,.replication-metadata-store,.opensearch-knn-models,.geospatial-ip2geo-data*,.plugins-flow-framework-config,.plugins-flow-framework-templates,.plugins-flow-framework-state]
node.max_local_storage_nodes: 2
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/cert/org.crt
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/cert/org.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/cert/org_ca.crt
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/cert/org.crt
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/cert/org.key
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/cert/org_ca.crt
Relevant Logs or Screenshots:
Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
at java.base/sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:246) ~[?:?]
at java.base/sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:151) ~[?:?]
at java.base/sun.security.validator.Validator.validate(Validator.java:269) ~[?:?]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284) ~[?:?]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:138) ~[?:?]
at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkClientTrusted(EnhancingX509ExtendedTrustManager.java:62) ~[netty-handler-4.1.110.Final.jar:4.1.110.Final]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkClientCerts(CertificateMessage.java:1241) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1167) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1144) ~[?:?]
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1273) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?]
at java.base/java.security.AccessController.doPrivileged(AccessController.java:714) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205) ~[?:?]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651) ~[netty-handler-4.1.110.Final.jar:4.1.110.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497) ~[netty-handler-4.1.110.Final.jar:4.1.110.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338) ~[netty-handler-4.1.110.Final.jar:4.1.110.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387) ~[netty-handler-4.1.110.Final.jar:4.1.110.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.110.Final.jar:4.1.110.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.110.Final.jar:4.1.110.Final]
... 16 more
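
Added example (not part of the original post): the exception above is Java rejecting a client certificate whose Extended Key Usage extension lacks `clientAuth`, and on the transport layer each node presents its certificate as a client when it connects to a peer. The script builds a throwaway CA and two constructed certificates (the names `server-only` and `node` are hypothetical) and uses `openssl verify -purpose` to show which EKU set is accepted in both directions.

```bash
#!/usr/bin/env bash
# Added example. The CA and certificates are throwaway files constructed in a
# temp directory; the names "server-only" and "node" are hypothetical.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the script does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = example-test-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME EKU: sign a leaf certificate carrying the given extendedKeyUsage.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$2" \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# usable_as PURPOSE CERT: succeeds if the chain verifies for sslclient or sslserver.
usable_as() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$1" "$2" >/dev/null 2>&1
}

make_ca
issue_cert server-only serverAuth         # EKU without clientAuth
issue_cert node serverAuth,clientAuth     # EKU usable in both directions
for c in server-only node; do
  for p in sslserver sslclient; do
    if usable_as "$p" "$WORK/$c.crt"; then r=ok; else r=REJECTED; fi
    echo "$c as $p: $r"
  done
done
```

To see which usages an existing certificate carries, such as the `/etc/opensearch/cert/org.crt` referenced in the configuration, run `openssl x509 -in /etc/opensearch/cert/org.crt -noout -ext extendedKeyUsage` (OpenSSL 1.1.1 or later).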