One node test cluster

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
3.1

Describe the issue:
The OpenSearch cluster starts up if I set
plugins.security.disabled: true

Once I enable that and add the following, my cluster starts up. The daemon runs, but I can't connect to the cluster as I didn't set up an admin user yet.

plugins.security.ssl.http.enabled: false
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/ca_config/node_key.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/ca_config/node.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/ca_config/root_ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false

The error I get is
org.opensearch.index.IndexNotFoundException: no such index [.opendistro_security]

Hence I try to run securityadmin.bash, but it fails:

/usr/share/opensearch/plugins/opensearch-security/tools# ./securityadmin.sh -cd ../securityconfig/ -icl -key /etc/opensearch/ca_config/admin_key.pem -cert /etc/opensearch/ca_config/admin.pem -cacert /etc/opensearch/ca_config/root_ca.pem -h osdev01 -p 9200 -nhnv

Output of the above:

Security Admin v7
Will connect to osdev01:9200 ... done
ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection?
Trace:
java.io.IOException: Unrecognized SSL message, plaintext connection?

I am going to use TLS for internode connections, but I don't want to use HTTPS for now.

Configuration:

Relevant Logs or Screenshots:

This is the expected response. The securityadmin.sh script is using certificate authentication to connect with the OpenSearch node and expects that port 9200 has SSL enabled.

As per your config, you’ve disabled SSL on port 9200.

Regarding the following error.

You’re missing the following line in your opensearch.yml

plugins.security.allow_default_init_securityindex: true

This option will initialize the OpenSearch security index with configuration files located in /usr/share/opensearch/config/opensearch-security.

If you’d like to use custom certificates you should also set the following option in opensearch.yml

plugins.security.allow_unsafe_democertificates: false

and disable the demo configuration by setting this environment variable

DISABLE_INSTALL_DEMO_CONFIG=true

Your updated opensearch.yml with a custom node certificate.

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/ca_config/node_key.pem
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/ca_config/node.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/ca_config/root_ca.pem
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/ca_config/node_key.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/ca_config/node.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/ca_config/root_ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.allow_default_init_securityindex: true
plugins.security.allow_unsafe_democertificates: false

This is great, Pablo. I did what you said.
I only removed ssl.http as I do not want that set up. Basically this is an on-prem setup where internode communication uses certificates, but internal clients can connect over HTTP.
For opensearch-dashboard I will set up HTTPS.

Removed this:
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/ca_config/node_key.pem
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/ca_config/node.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/ca_config/root_ca.pem
plugins.security.ssl.transport.enabled: true

Kept this.
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/ca_config/node_key.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/ca_config/node.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/ca_config/root_ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.allow_default_init_securityindex: true
plugins.security.allow_unsafe_democertificates: false

Added this:
# Disable https
plugins.security.ssl.http.enabled: false
plugins.security.allow_default_init_securityindex: true

# disable demo certs, and use custom cert
plugins.security.allow_unsafe_democertificates: false

Now on to the opensearch-dashboards setup.

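An added example, not part of the original posts and not OpenSearch project code: a small Python lint that reads a flat opensearch.yml and flags the setting combinations discussed in this thread (plaintext REST port versus securityadmin.sh, no way to create the security index, hostname verification off, demo certificates allowed). The function names, the finding names and the defaults assumed for unset keys are assumptions made for this illustration; the parser handles only flat `key: value` lines, not full YAML.

```python
P = "plugins.security."
PEMS = ("pemkey_filepath", "pemcert_filepath", "pemtrustedcas_filepath")
def parse_flat_yaml(text):
    # Flat 'key: value' lines only; blanks and # comments are skipped.
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def flag(settings, name, default=False):
    """Boolean lookup; the default used for an unset key is an assumption."""
    value = settings.get(P + name)
    return default if value is None else value.lower() == "true"

def missing_pems(settings, layer):
    return [n for n in PEMS if not settings.get(f"{P}ssl.{layer}.{n}")]

def lint(text):
    s = parse_flat_yaml(text)
    if flag(s, "disabled"):
        return ["SECURITY_DISABLED"]
    findings = []
    if not flag(s, "ssl.http.enabled"):
        findings.append("HTTP_PLAINTEXT")  # securityadmin.sh cert auth on the REST port fails
        if not flag(s, "allow_default_init_securityindex"):
            findings.append("NO_INIT_PATH")  # nothing creates .opendistro_security
    elif missing_pems(s, "http"):
        findings.append("HTTP_PEM_MISSING")
    if missing_pems(s, "transport"):
        findings.append("TRANSPORT_PEM_MISSING")
    if not flag(s, "ssl.transport.enforce_hostname_verification", default=True):
        findings.append("HOSTNAME_VERIFICATION_OFF")
    if flag(s, "allow_unsafe_democertificates"):
        findings.append("DEMO_CERTS_ALLOWED")
    return findings

# Settings copied from the thread: the question's config, then the final one.
QUESTION_CFG = """\
plugins.security.ssl.http.enabled: false
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/ca_config/node_key.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/ca_config/node.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/ca_config/root_ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
"""
FINAL_CFG = (QUESTION_CFG + P + "allow_default_init_securityindex: true\n"
             + P + "allow_unsafe_democertificates: false\n")
```

`lint(QUESTION_CFG)` reports the plaintext REST port, the missing initialization path and disabled hostname verification; `lint(FINAL_CFG)` still reports the plaintext REST port and disabled hostname verification, which are the settings the final configuration keeps.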