Is it a must to create the node certificates with an OID in the SAN entry?
Why is it required?

I am running into this issue.

[root@gcpxxx tools]# bash -x
++ hostname -f

  • sudo /usr/share/elasticsearch/plugins/opendistro_security/tools/ -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig -icl -key /etc/elasticsearch/host.key -cert /etc/elasticsearch/ServerCertificate.crt -cacert /etc/elasticsearch/ChainBundle2.crt -nhnv -h -dg --accept-red-cluster
    WARNING: JAVA_HOME not set, will use /bin/java
    Open Distro Security Admin v6
    Will connect to … done
    Unable to check whether cluster is sane: No user found for cluster:monitor/nodes/info
    Connected as,O=Kingkong,L=Houston,ST=Texas,C=US
    ERR: Seems you use a node certificate which is also an admin certificate
    That may have worked with older Open Distro Security versions but it indicates
    a configuration error and is therefore forbidden now.
    Diagnostic trace written to: /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin_diag_trace_2019-May-23_04-35-08.txt
    Contacting elasticsearch cluster ‘elasticsearch’ …
    Cannot retrieve cluster state due to: No user found for cluster:monitor/health. This is not an error, will keep on trying …
    Root cause: ElasticsearchSecurityException[No user found for cluster:monitor/health] (org.elasticsearch.ElasticsearchSecurityException/org.elasticsearch.ElasticsearchSecurityException)
    • Try running with -icl (but no -cl) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)
    • Make sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in elasticsearch.yml
    • If this is not working, try running with --diagnose and see diagnose trace log file)
    • Add --accept-red-cluster to allow securityadmin to operate on a red cluster.



Any help here, @Opendistro Team?

@Adil The error is complaining about the fact that the node cert DN is the same as the admin cert DN, which is not allowed. They need to be different. The OID is not necessary (only optional).
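
As an added example (not part of the thread and not the plugin's own code), the sketch below models the rule from the reply: a certificate whose subject DN is listed under `opendistro_security.authcz.admin_dn` must not also match `opendistro_security.nodes_dn`. The DN normalization, the wildcard matching via `fnmatch`, the function names and the CN values are simplifying assumptions made for illustration.

```python
import fnmatch
import re

def canonical(dn):
    """Normalize a DN string: trim spaces, upper-case types, lower-case values.
    Assumption: case-insensitive comparison approximates how the plugin compares DNs."""
    out = []
    for rdn in re.split(r'(?<!\\),', dn):      # split on unescaped commas only
        attr, sep, value = rdn.strip().partition('=')
        if not sep:
            raise ValueError(f'malformed RDN: {rdn!r}')
        out.append(f'{attr.strip().upper()}={value.strip().lower()}')
    return ','.join(out)

def roles_for(subject_dn, admin_dns, node_dn_patterns):
    """Return the roles a certificate subject would get from the two DN lists."""
    subject = canonical(subject_dn)
    roles = set()
    if any(subject == canonical(a) for a in admin_dns):
        roles.add('admin')                     # admin_dn entries: exact DN match
    if any(fnmatch.fnmatchcase(subject, canonical(p)) for p in node_dn_patterns):
        roles.add('node')                      # nodes_dn entries: '*' wildcards allowed
    return roles

def verdict(subject_dn, admin_dns, node_dn_patterns):
    """Classify the certificate that would be passed to securityadmin."""
    roles = roles_for(subject_dn, admin_dns, node_dn_patterns)
    if roles == {'admin', 'node'}:
        return 'forbidden: node certificate is also an admin certificate'
    if 'admin' in roles:
        return 'ok: dedicated admin certificate'
    return 'rejected: subject is not listed in admin_dn'

# Constructed sample values; only the O/L/ST/C part mirrors the thread's output.
SUFFIX = 'O=Kingkong,L=Houston,ST=Texas,C=US'
NODES_DN = [f'CN=node*.example.com,{SUFFIX}']
NODE_SUBJECT = f'cn=node1.example.com, {SUFFIX}'
ADMIN_SUBJECT = f'CN=admin,{SUFFIX}'

if __name__ == '__main__':
    # Misconfiguration: the node certificate's DN was also put into admin_dn.
    print(verdict(NODE_SUBJECT, [f'CN=node1.example.com,{SUFFIX}'], NODES_DN))
    # Corrected: a separate admin certificate with its own DN.
    print(verdict(ADMIN_SUBJECT, [ADMIN_SUBJECT], NODES_DN))
    # Node certificate used with securityadmin while admin_dn lists the admin DN.
    print(verdict(NODE_SUBJECT, [ADMIN_SUBJECT], NODES_DN))
```
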