OpenSearch 3.5 with custom TLS works via browser and curl but ODBC driver fails to connect (no response from server version query)

OpenSearch
1

Hello,

I am setting up OpenSearch 3.5.0 (RPM installation) on AlmaLinux and I am having an issue connecting via the OpenSearch ODBC driver for Windows.

Environment:

  • OpenSearch version: 3.5.0 (RPM)

  • OS: AlmaLinux

  • Single-node cluster

  • Security plugin enabled

  • Custom TLS certificates generated manually with OpenSSL

  • ODBC Driver: OpenSearch ODBC (Windows) 1.05.00.00

    What I did:

  1. Installed OpenSearch 3.5.0 via RPM.
  2. Generated my own Root CA:
  • root-ca.pem
  • root-ca-key.pem
  1. Generated:
  • admin certificate (admin.pem, admin-key.pem)
  • node certificate (node.pem, node-key.pem)
  1. The node certificate includes SAN:
  • DNS: nifi.wortev.local
  • IP: 172.26.55.3
  1. Configured opensearch.yml:

plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/node.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/node.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/node-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem

plugins.security.authcz.admin_dn:

  • “CN=admin,OU=IT,O=Wortev,L=CDMX,ST=CDMX,C=MX”

plugins.security.nodes_dn:

  • “CN=nifi.wortev.local,OU=IT,O=Wortev,L=CDMX,ST=CDMX,C=MX”
  1. Ran securityadmin.sh successfully.

Verification:

  • systemctl status opensearch → active (running)
  • curl from server:
    curl --cacert root-ca.pem -u admin “172.26.55.3:9200” → works
  • From Windows:
  • Browser nifi.wortev.local:9200→ works
  • Invoke-WebRequest with credentials → works

Problem:

The OpenSearch ODBC driver fails with:

“Failed to receive response from server version query.
Received no response from url: ”

Question:

Is there any additional TLS configuration required for the OpenSearch ODBC driver when using a custom self-signed CA?

Do I need to explicitly configure sslrootcert or import the root CA into Windows certificate store for the ODBC driver?

Any guidance would be appreciated.

driver ODBC

image
image583×598 61.8 KB

log odbc

odbcapi30.[SQLFreeHandle]203: entering
connection[OPENSEARCHAPI_FreeConnect]191: entering…hdbc=00000148CF96BC20
connection[CC_Destructor]298: entering self=00000148CF96BC20
connection[CC_cleanup]397: entering self=00000148CF96BC20
connection[CC_set_error_statements]537: entering self=00000148CF96BC20
connection[CC_log_error]625: CONN ERROR: func=CC_cleanup, desc=‘’, errnum=1, errmsg=‘Connection not open’
connection[CC_log_error]628: ------------------------------------------------------------
connection[CC_log_error]631: henv=00000148CF9D0410, conn=00000148CF96BC20, status=0, num_stmts=16
connection[CC_log_error]633: opensearchconn=0000000000000000, stmts=00000148CAB75D30, lobj_type=-999
connection[CC_cleanup]412: after LIBOPENSEARCH_disconnect
dlg_specif[CC_conninfo_init]445: entering opt=1
connection[CC_cleanup]478: leaving
connection[CC_Destructor]305: after CC_Cleanup
connection[CC_Destructor]316: after free statement holders
connection[CC_Destructor]327: leaving
connection[OPENSEARCHAPI_FreeConnect]209: leaving…
odbcapi30.[SQLFreeHandle]203: entering
environ.c[OPENSEARCHAPI_FreeEnv]53: entering env=00000148CF9D0410
environ.c[EN_Destructor]426: entering self=00000148CF9D0410
environ.c[EN_Destructor]449: clearing conns count=128
environ.c[EN_Destructor]461: leaving rv=1
environ.c[OPENSEARCHAPI_FreeEnv]56: ok
opensearch[DllMain]103: DETACHING sqlodbc.dll
mylog.c[logs_on_off]218: mylog_on=7 qlog_on=7
start_logging:Global.debug&commlog=7&7
mylog.c[InitializeLogging]517: Log Output Dir: C:
opensearch[DllMain]96: exe name=odbcad32
dlg_specif[CC_conninfo_init]445: entering opt=2
dlg_specif[CC_conninfo_init]445: entering opt=3
dlg_specif[getDSNinfo]212: drivername=opensearchodbc
odbcapi30.[SQLAllocHandle]17: entering
environ.c[OPENSEARCHAPI_AllocEnv]28: entering
environ.c[OPENSEARCHAPI_AllocEnv]44: leaving phenv=00000148CABCEAC0
odbcapi30.[SQLSetEnvAttr]415: entering att=200,3
odbcapi30.[SQLAllocHandle]17: entering
connection[OPENSEARCHAPI_AllocConnect]47: entering…
connection[OPENSEARCHAPI_AllocConnect]50: **** henv = 00000148CABCEAC0, conn = 00000148CF9299F0
environ.c[EN_add_connection]486: entering self = 00000148CABCEAC0, conn = 00000148CF9299F0
environ.c[EN_add_connection]515: added at 0, conn->henv = 00000148CABCEAC0, conns[0]->henv = 00000148CABCEAC0
odbcapiw.c[SQLDriverConnectW]102: entering
win_unicod[ucs2_to_utf8]110: 0000001B6E549C40 ilen=-3 newlen=232 misc.c[make_string]99: malloc size=232
misc.c[make_string]101: str=00000148CABA0140
dlg_specif[CC_conninfo_init]445: entering opt=2
drvconn.c[dconn_get_attributes]209: our_connect_string = ‘DRIVER=opensearchodbc;server=nifi.wortev.local;database=OpenSearch;port=9200;UID=admin;PWD=xxxxxxxxxxxxxxxxxxxx;auth=BASIC;region=;TunnelHost=;useSSL=1;hostnameVerification=0;logLevel=3;logOutput=C:;responseTimeout=60;fetchSize=-1;’
dlg_specif[getDSNinfo]212: drivername=opensearchodbc
drvconn.c[dconn_get_attributes]209: our_connect_string = ‘DRIVER=opensearchodbc;server=nifi.wortev.local;database=OpenSearch;port=9200;UID=admin;PWD=xxxxxxxxxxxxxxxxxxxx;auth=BASIC;region=;TunnelHost=;useSSL=1;hostnameVerification=0;logLevel=3;logOutput=C:;responseTimeout=60;fetchSize=-1;’
dlg_specif[copyConnAttributes]132: key=‘DRIVER’ value=‘opensearchodbc’
dlg_specif[copyConnAttributes]132: key=‘server’ value=‘nifi.wortev.local’
dlg_specif[copyConnAttributes]132: key=‘database’ value=‘OpenSearch’ not found
dlg_specif[copyConnAttributes]132: key=‘port’ value=‘9200’
dlg_specif[copyConnAttributes]132: key=‘UID’ value=‘admin’
dlg_specif[copyConnAttributes]106: key=‘PWD’ value=‘xxxxxxxx’
dlg_specif[copyConnAttributes]132: key=‘auth’ value=‘BASIC’
dlg_specif[copyConnAttributes]132: key=‘region’ value=‘’
dlg_specif[copyConnAttributes]132: key=‘TunnelHost’ value=‘’
dlg_specif[copyConnAttributes]132: key=‘useSSL’ value=‘1’
dlg_specif[copyConnAttributes]132: key=‘hostnameVerification’ value=‘0’
dlg_specif[copyConnAttributes]132: key=‘logLevel’ value=‘3’
dlg_specif[copyConnAttributes]132: key=‘logOutput’ value=‘C:’
dlg_specif[copyConnAttributes]132: key=‘responseTimeout’ value=‘60’
dlg_specif[copyConnAttributes]132: key=‘fetchSize’ value=’-1’
mylog.c[logs_on_off]218: mylog_on=7 qlog_on=7
mylog.c[logs_on_off]218: mylog_on=7 qlog_on=7
start_logging:Global.debug&commlog=7&7
mylog.c[InitializeLogging]517: Log Output Dir: C:
opensearch[OpenSearchCommunication::LogMsg]841: Verifying connection options.
opensearch[OpenSearchCommunication::LogMsg]841: Required connection option are valid.
opensearch[OpenSearchCommunication::LogMsg]841: Starting DB connection.
opensearch[OpenSearchCommunication::LogMsg]841: Attempting to establish DB connection.
opensearch[OpenSearchCommunication::LogMsg]841: Failed to receive response from server version query. Received no response from url: https:// nifi.wortev.local:9200
opensearch[OpenSearchCommunication::LogMsg]841: Failed to receive response from server version query. Received no response from url: https:// nifi.wortev.local:9200
opensearch[OpenSearchCommunication::LogMsg]841: Failed to receive response from server version query. Received no response from url: https:// nifi.wortev.local:9200
opensearch[OpenSearchCommunication::LogMsg]841: Dropping DB connection.
connection[CC_set_error_statements]537: entering self=00000148CF9299F0
connection[CC_log_error]625: CONN ERROR: func=LIBOPENSEARCH_connect, desc=‘’, errnum=202, errmsg=‘Connection error: [OpenSearch][SQL ODBC Driver][SQL Plugin] Connection error: Failed to receive response from server version query. Received no response from url: https:// nifi.wortev.local:9200’
connection[CC_log_error]628: ------------------------------------------------------------
connection[CC_log_error]631: henv=00000148CABCEAC0, conn=00000148CF9299F0, status=0, num_stmts=16
connection[CC_log_error]633: opensearchconn=0000000000000000, stmts=00000148CAB75AF0, lobj_type=-999
connection[CC_log_error]625: CONN ERROR: func=OPENSEARCHAPI_DriverConnect, desc=‘Error from CC_Connect’, errnum=202, errmsg=‘Connection error: [OpenSearch][SQL ODBC Driver][SQL Plugin] Connection error: Failed to receive response from server version query. Received no response from url: https:// nifi.wortev.local:9200’
connection[CC_log_error]628: ------------------------------------------------------------
connection[CC_log_error]631: henv=00000148CABCEAC0, conn=00000148CF9299F0, status=0, num_stmts=16
connection[CC_log_error]633: opensearchconn=0000000000000000, stmts=00000148CAB75AF0, lobj_type=-999
odbcapi30w[SQLGetDiagRecW]181: entering
opensearch[OPENSEARCHAPI_GetDiagRec]23: entering type=2 rec=1
environ.c[OPENSEARCHAPI_ConnectError]212: entering hdbc=00000148CF9299F0 <512>
connection[CC_get_error]602: entering
connection[CC_get_error]614: leaving
environ.c[OPENSEARCHAPI_ConnectError]229: CC_get_error: status = 202, msg = #Connection error: [OpenSearch][SQL ODBC Driver][SQL Plugin] Connection error: Failed to receive response from server version query. Received no response from url: https:// nifi.wortev.local:9200#
environ.c[OPENSEARCHAPI_ConnectError]316: szSqlState = ‘08001’,len=193, szError=‘Connection error: [OpenSearch][SQL ODBC Driver][SQL Plugin] Connection error: Failed to receive response from server version query. Received no response from url: https:// nifi.wortev.local:9200’
opensearch[OPENSEARCHAPI_GetDiagRec]44: leaving 0
win_unicod[utf8_to_ucs2_lf]227: ilen=193 bufcount=512 ocount=193

2

@alex189 You would need to import your CA into the Windows system certificate store. ODBC should pick it up from there. Also the Host in the DSN needs to match the SAN exactly, I’d recommend to setting HostnameVerification=0 to ensure everything else is working properly before enabling the HostnameVerification.

3

Thank you for your guidance.

I have verified the following:

  1. Root CA import
    My custom root-ca.pem was imported into the Windows “Trusted Root Certification Authorities” (Local Computer).

  2. SAN verification
    The node certificate contains:

DNS: nifi.wortev.local
IP: 172.26.55.3

DSN configuration:
server=nifi.wortev.local
port=9200

No https prefix and no trailing slash.

  1. Hostname verification test
    I tested with:
    hostnameVerification=0

The error remains:

“Failed to receive response from server version query.
Received no response from url: https:// nifi.wortev.local:9200”

  1. TLS and connectivity validation

From Windows:

Invoke-WebRequest https:// nifi.wortev.local:9200 -Credential (Get-Credential)

Returns HTTP 200 and cluster information successfully.

From browser:
https:// nifi.wortev.local:9200 works.

  1. SQL plugin validation

From the server:

curl --cacert /etc/opensearch/root-ca.pem
-u admin:OpenSearch_2026!
-X POST https:// nifi.wortev.local:9200/_plugins/_sql
-H “Content-Type: application/json”
-d ‘{“query”:“SELECT 1”}’

Returns:

{
“schema”:[{“name”:“1”,“type”:“integer”}],
“datarows”:[[1]],
“status”:200
}

  1. Security role validation

curl --cacert /etc/opensearch/root-ca.pem
-u admin:OpenSearch_2026!

https://nifi.wortev.local:9200/_plugins/_security/api/account

Returns:

roles: [“own_index”,“all_access”]

  1. SQL endpoint exists

Accessing:

https://nifi.wortev.local:9200/_plugins/_sql

Returns HTTP 405 (method not allowed), which confirms the endpoint exists and is protected correctly.

Environment:
OpenSearch: 3.5.0 (RPM)
ODBC Driver installed: opensearch-sql-odbc-driver-64-bit-1.5.0.0-Windows.msi

At this point, since:

  • TLS works
  • SQL endpoint works
  • Roles are correct
  • HostnameVerification=0 does not change behavior

I suspect this may be a compatibility issue between OpenSearch 3.5.0 and ODBC driver 1.5.0.0.

Is there a recommended ODBC driver version for OpenSearch 3.x?