Opensearch dashboards OIDC error

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:

im deploying opensearch and opensearch-dashboards using helm,
and when configuring SSO Openid with keycloak,
im facing this error:
“Error: failed when trying to obtain the endpoints from your IdP”
and : “Error : unable to get local issuer certificate”

Configuration:
opensearch_dashboards.yml:

opensearch:
    ssl:
        verificationMode: none
opensearch_security:
    auth:
        type: ["basicauth","openid"]
        multiple_auth_enabled: true
    openid:
        connect_url: "https://<keycloak_address>/realms/master/.well-known/openid-configuration"
        client_id: <id>
        client_secret: <secret>
        scope: "openid profile email"

in the opensearch deployment, the config of security plugin:
config.yml:

config:
  dynamic:
    basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
    openid_auth_domain:
        http_enabled:true
        enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
            type: "openid"
            challenge: false
            config:
                enable_ssl: true
                subject_key: preferred_username
                roles_key: roles
                openid_connect_url: "https://<keycloak_address>/realms/master/.well-known/openid-configuration"
                openid_connect_idp:
                    enable_ssl: true
                    pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca/root-ca.pem
        authentication_backend:
            type: noop

Relevant Logs or Screenshots:
“ERROR: unable to get local issuer certificate”
“Error: failed when trying to obtain the endpoints from your idp”
and also:
status code 502
“summary”: “[63] services are unavailable”, “detail”: “see the status page for more information”…
“waiting for opensearch”

@idan17 Do you use official or custom OpenSearch’s helm charts?

Does the above certificate belong to keycloak or OpenSearch node?

hi,
im using the community official helm chart,
and the parameter your referring to is the same certificate of my node and the keycloak (same CA )

@idan17 So the keycloak is running with this CA cert then or it has signed the Keycloak’s certificate?
The certificate that Keycloak presents to OpenSearch must have Keycloak’s FQDN in its SAN.

they have the exact same certificate chain, and root.
my team also deployed the keycloak ,
and were using wildecard certificates so it is exactly the same ones

plus, i changed the portname paramater in the service for the opensearch values.yml to https,
and now instead of 502 im getting bad certificate error when accessing my opensearch server

What do you mean by that? Please share the exact place in the values.yml or share the full values.yml file.

service:
	httpPortName: https #instead of http in default

on the default configuration (http) -
i got an error on server saying " SSL Exception not an SSL/TLS record"

when i changed it as above, now my service run https:9200,
and im not getting the same error but a new one saying " BAD_certificate",
the thing is im using the same certificate as in my ingress:

ingress:
	enabled: true
	hosts:
		- my.opensearch.dns
	tls:
		- secretName: opensearch-tls
		  hosts:
			- my.opensearch.dns

secret name containing same node cert and key i put in
plugins.security.ssl.http,pemcert_filepath/pemkey_filepath

according to the opensearch docs for opensearch dashboards SSO,
i can configure certificates and keys for authenticating against my IDP like this -

opensearch:
    hosts: ["https://opensearch-cluster.master.opensearch.svc:9200"]
    ssl:
        verificationMode: none
        certificateAuthorities: /usr/share/opensearch-dashboards/config/certs/cert/<my-full-ca-chain>.pem
opensearch_security:
    auth:
        type: ["basicauth","openid"]
        multiple_auth_enabled: true
    openid:
        connect_url: "https://<keycloak_address>/realms/master/.well-known/openid-configuration"
        client_id: <id>
        client_secret: <secret>
        scope: "openid profile email"
        certificate: /usr/share/opensearch-dashboards/config/certs/cert/cert.pem
        private_key: /usr/share/opensearch-dashboards/config/certs/key/key.pem
server:
  ssl:
    enabled: true
    certificate: /usr/share/opensearch-dashboards/config/certs/cert/>my-full-ca-chain>.pem
    key: /usr/share/opensearch-dashboards/config/certs/key/key.pem

but when i do that i get an error validating the configuration that the key [opensearch_security].openid.certificate : “definition for this key is missing”
how does it makes sense if its the same as in the docs

@idan17 Could you share your opensearch.yml file?

I believe it should be

https://opensearch-cluster-master.opensearch.svc:9200

Did you deploy your OpenSearch cluster and OpenSearch Dashboards in the opensearch namespace?

the dashboards are in “opensearch-dashboards” namespace and the opensearch is in “opensearch” namespace,
my opensearch.yml file:

cluster.name: opensearch-cluster
network.host: 0.0.0.0
plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: cert/<my-full-ca-chain>.pem
        pemkey_filepath: key/key.pem
        pemtrustedcas_filepath: root-ca/root-ca.pem # my root certificate of CA chain
        enforce_hostname_verification: false
      http:
        pemcert_filepath: cert/<my-full-ca-chain>.pem
        pemkey_filepath: key/key.pem
        pemtrustedcas_filepath: root-ca/root-ca.pem # my root certificate of CA chain
    allow_unsafe_democertificates: true
    allow_default_init_securityindex: true
    authcz:
      admin_dn:
        - CN=XX,OU=XX,O=XX,C=XX
        - CN=kirk,OU=client,O=client,L=test,C=de
    audit.type: internal_opensearch
    enable_snapshot_restore_privilege: true
    check_snapshot_restore_write_privileges: true
    restapi:
      roles_enabled: ["all_access", "security_rest_api_access"]
    system_indices:
      enabled: true
      indices:
        [
          ".opendistro-alerting-config",
          ".opendistro-alerting-alert*",
          ".opendistro-anomaly-results*",
          ".opendistro-anomaly-detector*",
          ".opendistro-anomaly-checkpoints",
          ".opendistro-anomaly-detection-state",
          ".opendistro-reports-*",
          ".opendistro-notifications-*",
          ".opendistro-notebooks",
          ".opendistro-asynchronous-search-response*",
        ]

thank you all guys i have finally managed to solve the error,
my problem was that i should have added the following parameters for my opensearch_dashbaords.yml:

opensearch.ssl.certificateAuthorities.
opensearch.requestHeadersAllowList: ["Authorization", "security_tenant"]
opensearch_security.openid.header: Authorization
opensearch_security.openid.trust_dynamic_headers: "true"

@idan17 Since it is relevant to your shared configuration, if you plan on using multi-tenancy, you may also want to change security_tenant to securitytenant in the opensearch.requestHeadersAllowList. Hopefully this helps you or someone else out in the future.