OpenSearch Security not initialized helm deployment

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Opensearch version - 2.18.0

Describe the issue:

I have deployed opensearch with helm chart on kubernetes cluster, but when i try any curl command I am getting OpenSearch Security not initialized. PFB curl

curl -X GET -u admin:SimplePassword1! "https://opensearch-cluster-master-0:9200/" --insecure
OpenSearch Security not initialized

I have enable the security plugin (un-commented in values.yaml file), I am using the default certificates provided by opensearch. But when I enable the plugin my pods are going into crashloopbackoff.

below is the error

Enabling OpenSearch Security Plugin
Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin 
OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user. 
Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string. 
If a password is not provided, the setup will quit. 
 For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
### OpenSearch Security Demo Installer
### ** Warning: Do not use on production or public reachable systems **
OpenSearch install type: rpm/deb on Linux 4.18.0-372.32.1.el8_6.x86_64 amd64
OpenSearch config dir: /usr/share/opensearch/config/
OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
OpenSearch bin dir: /usr/share/opensearch/bin/
OpenSearch plugins dir: /usr/share/opensearch/plugins/
OpenSearch lib dir: /usr/share/opensearch/lib/
Detected OpenSearch Version: 2.18.0
Detected OpenSearch Security Version: 2.18.0.0

“I have already set a strong password string in my values.yaml”

extraEnvs:
  - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
    value: "SimplePassword1!"

plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: esnode.pem
        pemkey_filepath: esnode-key.pem
        pemtrustedcas_filepath: root-ca.pem
        enforce_hostname_verification: false
      http:
        enabled: true
        pemcert_filepath: esnode.pem
        pemkey_filepath: esnode-key.pem
        pemtrustedcas_filepath: root-ca.pem
    allow_unsafe_democertificates: true
    allow_default_init_securityindex: true
    authcz:
      admin_dn:
        - CN=kirk,OU=client,O=client,L=test,C=de
    audit.type: internal_opensearch
    enable_snapshot_restore_privilege: true
    check_snapshot_restore_write_privileg

Configuration:

Relevant Logs or Screenshots:

Now the pods are running, but I can the see the below error in the logs,

2025-01-12T12:57:17,205][WARN ][i.n.c.AbstractChannelHandlerContext] [opensearch-cluster-master-0] An exception 'OpenSearchSecurityException[The provided TCP channel is invalid.]; nested: DecoderException[javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)]; nested: SSLHandshakeException[Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)]; nested: BadPaddingException[Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)];' [enable DEBUG level for full stacktrace] was thrown by a user handler's exceptionCaught() method while handling the following exception:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500) ~[netty-codec-4.1.112.Final.jar:4.1.112.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[netty-codec-4.1.112.Final.jar:4.1.112.Final]

[2025-01-12T12:57:17,208][ERROR][o.o.t.n.s.SecureNetty4Transport] [opensearch-cluster-master-0] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]

Below is the security plugin configuration i’m using

plugins:
      security:
        ssl:
         transport:
           enabled: true
           pemcert_filepath: esnode.pem
           pemkey_filepath: esnode-key.pem
           pemtrustedcas_filepath: root-ca.pem
           enforce_hostname_verification: false
         http:
           enabled: true
           pemcert_filepath: esnode.pem
           pemkey_filepath: esnode-key.pem
           pemtrustedcas_filepath: root-ca.pem
        allow_unsafe_democertificates: true
        allow_default_init_securityindex: true
        authcz:
         admin_dn:
           - CN=kirk,OU=client,O=client,L=test,C=de

Also since my cluster is IPV6 based, I have define network.host as “::”

@svdhote97 Did you resolve your issue? If not, could you share a content of your values.yml?
Did you use custom or official OpenSearch Helm charts?