Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch → 2.16.0
Dashboard → 2.3.0
Describe the issue:
OpenSearch cluster is not working after switching from the OpenSearch self-generated certificates to my own SSL certificates.
It was working perfectly fine using the default OpenSearch self-generated certificates, with the demo files and HTTP enabled for the transport nodes. The issue started once I created my own SSL certificates and removed the http part from the transport nodes.
I've been following the documentation from (opensearch-k8s-operator/docs/userguide/main.md at main · opensearch-project/opensearch-k8s-operator · GitHub), and I've created my own SSL certificates following the documentation.
I've created my own TLS secrets using SSL certificates (one for admin and one for all the transport nodes), also my own admin-secret for a custom username and password, and a security config secret including all the files but with the admin hash updated for the new password.
One thing I noticed is that even though I provided the custom adminsecret, opensearch is creating a new one (but with the same values I provided).
The security pod is returning an error stating "Waiting to connect to the cluster", as in the screenshot below.
I'm getting multiple errors from all nodes, like the ones below:
{"type":"log","@timestamp":"2024-09-25T21:14:21Z","tags":["warning","savedobjects-service"],"pid":1,"message":"Unable to connect to OpenSearch. Error: Given the configuration, the ConnectionPool was not able to find a usable Connection for this request."}
{"type":"log","@timestamp":"2024-09-25T21:18:08Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: write EPROTO 139884884653952:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:…/deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"}
[2024-09-25T21:46:39,346][ERROR][o.o.s.a.BackendRegistry ] [opensearch-bootstrap-0] Not yet initialized (you may need to run securityadmin)
[2024-09-25T21:46:19,167][ERROR][o.o.s.l.BuiltinLogTypeLoader] [opensearch-bootstrap-0] Failed loading builtin log types from disk!
[2024-09-25T21:47:07,816][ERROR][o.o.s.t.SecurityRequestHandler] [opensearch-bootstrap-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-09-25T21:46:20,958][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-bootstrap-0] Failure no such index [.opendistro_security] retrieving configuration for [ACTIONGROUPS, ALLOWLIST, AUDIT, CONFIG, INTERNALUSERS, NODESDN, ROLES, ROLESMAPPING, TENANTS, WHITELIST] (index=.opendistro_security)
Configuration:
security: # To have the Operator generate the certificates, you only need to set the generate and perNode fields to true (other fields can be omitted)
  config: # Everything related to the securityconfig
    securityConfigSecret:
      name: securityconfigsecret.name # Name of the secret that contains the securityconfig files
    adminSecret:
      name: adminsecret.name
    adminCredentialsSecret:
      name: admincredentialssecret.name
  tls: # Everything related to TLS configuration
    transport: # Configuration of the transport endpoint
      generate: false # Have the operator generate and sign certificates
      perNode: false # Separate certificate per node
      secret:
        name: secret.name # Name of the secret that contains the provided certificate
      caSecret:
        name: casecret.name # Name of the secret that contains a CA the operator should use.
      nodesDn: [CN=admin] # List of certificate DNs allowed to connect
      adminDn: [CN=opensearch] # List of certificate DNs that should get admin access
Relevant Logs or Screenshots:
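Added example, not from the post or the opensearch-k8s-operator project: a small Python check that compares the security.tls.transport block above with the subject DNs of the certificates stored in the referenced secrets, flagging a node or admin certificate whose DN is not listed where the operator expects it. The DN values are constructed stand-ins for what `openssl x509 -noout -subject` prints for each secret's tls.crt.

```python
# Added example (not the operator's code): cross-check the security.tls.transport
# block against the subject DNs of the certificates stored in the referenced
# secrets. The DN strings are constructed stand-ins for what
# `openssl x509 -noout -subject` prints for each secret's tls.crt.
import fnmatch
from typing import Dict, List

# The transport block from the post, as a YAML parser would load it (constructed).
TRANSPORT = {
    "generate": False, "perNode": False,
    "secret": {"name": "secret.name"}, "caSecret": {"name": "casecret.name"},
    "nodesDn": ["CN=admin"], "adminDn": ["CN=opensearch"],
}
# Subject DNs read from the secrets (constructed; assumes the node certificate
# was issued for CN=opensearch and the admin certificate for CN=admin).
CERT_SUBJECTS = {"transport": "CN=opensearch", "admin": "CN=admin"}

def norm_dn(dn: str) -> str:
    """Normalise a DN so that 'cn = x' and 'CN=x' compare equal."""
    rdns = []
    for part in dn.split(","):
        key, _, value = part.partition("=")
        rdns.append(f"{key.strip().upper()}={value.strip()}")
    return ",".join(rdns)

def dn_allowed(dn: str, patterns: List[str]) -> bool:
    """True if dn matches an entry; the security plugin accepts '*' wildcards."""
    return any(fnmatch.fnmatchcase(norm_dn(dn), norm_dn(p)) for p in patterns)

def check(transport: dict, subjects: Dict[str, str]) -> List[str]:
    """Return findings for one transport block; an empty list means consistent."""
    nodes, admins = transport.get("nodesDn", []), transport.get("adminDn", [])
    findings = []
    if not transport.get("generate") and not transport.get("secret", {}).get("name"):
        findings.append("generate is false but no secret.name is set")
    if not dn_allowed(subjects["transport"], nodes):
        findings.append(f"node cert {subjects['transport']} is not listed in nodesDn {nodes}")
    if not dn_allowed(subjects["admin"], admins):
        findings.append(f"admin cert {subjects['admin']} is not listed in adminDn {admins}")
    shared = {norm_dn(n) for n in nodes} & {norm_dn(a) for a in admins}
    if shared:
        findings.append(f"DNs present in both nodesDn and adminDn: {sorted(shared)}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(TRANSPORT, CERT_SUBJECTS) or ["no findings"]))
```

With the constructed subjects the check reports two findings, because neither certificate DN appears in the list the operator would consult for it; substitute the real subjects from your secrets to see what applies to your cluster.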