OpenID connect integration with Opensearch

I have tried with opensearch.hosts instead of opensearch.url and it is working fine.

However, so far I have not been redirected to OpenID Connect authentication for the dashboard.

@sabil The error was caused by an incorrect entry in docker-compose.yml.

You have:

    environment:
      - 'OPENSEARCH_HOSTS=["https://localhost:9200"]'

You must have the below:

    environment:
      OPENSEARCH_HOSTS: https://opensearch-node1:9200

Also, opensearch.url expects OpenSearch URL and not Dashboards. (https://opensearch-node1:9200)

Could you share the output of the following command?

    docker exec -it opensearch-dashboards cat config/opensearch_dashboards.yml

In opensearch_dashboards.yml you’re missing opensearch_security.openid.base_redirect_url.
The value must point either to OpenSearch Dashboards or a reverse proxy address.

I’ve found these in your original config. Do you use a reverse proxy?

      - "SERVER_BASEPATH=/opensearch"
      - "SERVER_REWRITEBASEPATH=true"

@sabil Thanks for the confirmation. In that case, you should configure it as below in opensearch_dashboards.yml.

    opensearch_security.openid.base_redirect_url: "https://abc.com"

    server.basePath: "/opensearch"
    server.rewriteBasePath: true

You’re still getting redirects to localhost in OpenSearch Dashboards logs. I suspect that you’ve configured it in your IDP. Verify the OpenID config in your IDP. All URLs should point to your reverse proxy - https://abc.com/.

Avoid using localhost in any configs.

Hello @pablo,

I found these errors as well…

    opensearch-node1         | [2022-10-11T14:09:44,943][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [opensearch-node1] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 
    opensearch-node1         | io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 

@pablo

When I run the curl with https I am getting a response.

    curl --insecure -u admin:admin -XGET https://localhost:9200

I am not sure where things went wrong.

Thanks.

Hello @pablo

Any inputs/suggestions, please?

Thanks

@sabil Maybe your reverse proxy or IDP client has localhost in the configuration.

Where did you execute that curl command? Was it in OpenSearch container or OpenSearch Dashboards?

Hey @pablo ,

Thank you for your response.

I am executing the curl command on the host on which my containers are running.

In OpenSearch Dashboards we have opensearch.hosts = opensearch-node1:9200.

Yes, I was using “localhost” in my reverse proxy settings. I have replaced it with the URL which I am using for accessing the dashboard. Apart from that, “localhost” is not used anywhere.

Just now I have brought up the docker compose file. However, I am still getting the same message that the dashboard is running on https://localhost:5601.

Kindly suggest what else can be checked.

Thank you once again for your assistance.

@sabil This is because you didn’t set server.host in the opensearch_dashboards.yml file.
If not set, the default is localhost.

Add the following to your opensearch_dashboards.yml

    server.host: "0.0.0.0"

Hello @pablo

Thank you so much for your response.

I have updated the following entry in the opensearch_dashboards.yml file.

    server.host: "0.0.0.0"

Now I can see opensearch-dashboards is running on 0.0.0.0 instead of localhost.

    opensearch-dashboards    | {"type":"log","@timestamp":"2022-10-18T18:52:21Z","tags":["listening","info"],"pid":1,"message":"Server running at http://0.0.0.0:5601/opensearch"}
    opensearch-dashboards    | {"type":"log","@timestamp":"2022-10-18T18:52:21Z","tags":["info","http","server","OpenSearchDashboards"],"pid":1,"message":"http server running at http://0.0.0.0:5601/opensearch"}

However, I am still not able to access the dashboard, as I am getting an error that the page was not found.

In the reverse proxy configuration, I tried both of the options.

    http://127.0.0.1:5601/opensearch
    http://domailurl.com/opensearch

Still no luck. :frowning:

Kindly suggest.

Hello @pablo

I would like to thank you very much for all your support and help.

Now we are getting redirected to the OpenID Connect URL.

However, I am still getting the error message

    invalid paramenter: redirect_uri

Any idea/suggestion on this error message?

Thanks.

@sabil This could be caused by your IDP or the value of opensearch_security.openid.base_redirect_url in opensearch_dashboards.yml. It must be pointing to your reverse proxy address and be able to resolve its FQDN.

    "https://<reverse_proxy_address>/opensearch"

Could you confirm that opensearch_security.openid.base_redirect_url is also pointing to the reverse proxy address?

Hello @pablo ,

Yes, I am using the URL of the reverse proxy in opensearch_dashboards.yml, which we are using for accessing the application.

    opensearch_security.openid.base_redirect_url: "https://reversproxy.com/opensearch"

Thanks.

@sabil This is incorrect.

    opensearch_security.openid.base_redirect_url: "https://reversproxy.com/opensearch"

Use the below instead as I suggested in my previous posts.

    opensearch_security.openid.base_redirect_url: "https://reversproxy.com"
    server.basePath: "/opensearch"
    server.rewriteBasePath: true

You must set https://reversproxy.com/opensearch inside the IDP client configuration.
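The thread keeps circling around the same mismatch: the redirect URI that OpenSearch Dashboards presents to the IDP is built from opensearch_security.openid.base_redirect_url plus server.basePath, and the IDP client must allow exactly that URI. The following is an added checker, not code from the thread or from the OpenSearch project, that applies the advice given above (no localhost, no base path folded into base_redirect_url, rewriteBasePath set, server.host not left at its default) and compares the computed redirect URI with the list registered at the IDP. It assumes the security plugin appends the callback path /auth/openid/login to that base; verify that path against your plugin version's documentation. The sample settings and the IDP list are constructed for illustration.

```python
# Added example: sanity-check OpenSearch Dashboards OpenID redirect settings
# against the redirect URI registered at the IDP. Not from the thread or project.
from urllib.parse import urlsplit

# Assumption: the security dashboards plugin appends this callback path to
# base_redirect_url + server.basePath. Check your plugin version's docs.
OPENID_CALLBACK_PATH = "/auth/openid/login"


def expected_redirect_uri(config: dict) -> str:
    """Redirect URI Dashboards is expected to send to the IDP for these settings."""
    base = config["opensearch_security.openid.base_redirect_url"].rstrip("/")
    base_path = config.get("server.basePath", "").rstrip("/")
    return f"{base}{base_path}{OPENID_CALLBACK_PATH}"


def check_openid_settings(config: dict, idp_redirect_uris: set) -> list:
    """Return a list of findings; an empty list means the settings look consistent."""
    findings = []
    base = config.get("opensearch_security.openid.base_redirect_url")
    if not base:
        # Without this setting Dashboards falls back to its own host and port,
        # which behind a reverse proxy is not what the browser can reach.
        return ["opensearch_security.openid.base_redirect_url is not set"]

    parsed = urlsplit(base)
    if parsed.hostname in ("localhost", "127.0.0.1"):
        findings.append("base_redirect_url points at localhost; use the reverse proxy address")
    if parsed.scheme != "https":
        findings.append("base_redirect_url is not https; the IDP redirects the browser there")

    base_path = config.get("server.basePath", "")
    if base_path:
        # The thread's fix: keep the base path out of base_redirect_url and
        # express it only through server.basePath.
        if parsed.path.rstrip("/").endswith(base_path.rstrip("/")):
            findings.append("base_redirect_url already contains server.basePath; "
                            "set the base path only via server.basePath")
        if not config.get("server.rewriteBasePath", False):
            findings.append("server.basePath is set but server.rewriteBasePath is not true")

    if config.get("server.host", "localhost") == "localhost":
        findings.append("server.host defaults to localhost; a container needs 0.0.0.0")

    expected = expected_redirect_uri(config)
    if expected not in idp_redirect_uris:
        findings.append(f"IDP client does not allow the redirect URI {expected}")
    return findings


# Constructed sample settings mirroring the thread (hostnames are placeholders).
BAD_CONFIG = {
    "opensearch_security.openid.base_redirect_url": "https://reversproxy.com/opensearch",
    "server.basePath": "/opensearch",
    "server.rewriteBasePath": True,
}
GOOD_CONFIG = {
    "opensearch_security.openid.base_redirect_url": "https://reversproxy.com",
    "server.basePath": "/opensearch",
    "server.rewriteBasePath": True,
    "server.host": "0.0.0.0",
}
# Constructed: what the IDP client would have registered after following the thread.
IDP_REDIRECT_URIS = {"https://reversproxy.com/opensearch/auth/openid/login"}

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_openid_settings(cfg, IDP_REDIRECT_URIS) or "OK")
```

Run it against the settings actually loaded from opensearch_dashboards.yml and the redirect URIs exported from the IDP client; any non-empty finding list points at the same class of mistake the thread walks through.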

@pablo

Thank you for your response.

I have tried the suggestion which you gave me earlier. However, no luck.

    opensearch_security.openid.base_redirect_url: "https://reversproxy.com"
    server.basePath: "/opensearch"
    server.rewriteBasePath: true

I am not able to get this one. Where should I update this information in the IDP client?

You must set

https://reversproxy.com/opensearch inside the IDP client configuration.

Thanks

Hey @pablo

Thank you for your suggestion.

I have updated the IDP configuration and now it is going to the IDP portal and asking for the password.

However, I am still getting the following error message.

    X509 certificate authentications failed.

Any clues on this highly appreciated…

Thanks,

@pablo

What I have done now is create a self-signed admin certificate.

We have used the below documentation to generate the self-signed certificates.

Generate certificates - OpenSearch documentation

We have not generated node certificates as they are optional.

I just wanted to know where I can use the admin certificate so that we can access the dashboard using IDP authentication, as currently I am getting an error message that X509 certificate authentication's failed.

Kindly suggest how we can use our self-signed admin certificates.

Do we need to use the below environment variables to define the admin certificate?

 - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/kirk.pem
 - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/kirk-key.pem
 - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
 - plugins.security.ssl.transport.enforce_hostname_verification=false
 - plugins.security.ssl.http.enabled=true
 - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/kirk.pem
 - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/kirk-key.pem
 - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem

Thank you so much in advance.

@sabil When do you get that error, X509 certificate authentications failed?
Is it after authentication in the IDP?

Hey @pablo

Once I access opensearch-dashboards using the reverse proxy URL, it is being redirected to the IDP and there it is asking for credentials.

On that page I am getting the following error message.

    X509 certificate authentication's failed.
    Invalid user

Thanks.

@sabil What IDP do you use? Is it commercial (OKTA, Azure, PingID) or internal (i.e. Keycloak)?