Opensearch security plugin enable error with

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:
Im installing opensearch and opensearch dashboard using the corresponding helm charts. when trying to configure the opensearch security plugin,
after changing the configuration for opensearch.yml and the config.yml of the opensearch security config, im trying to apply the changes using the script as mentioned in the docs.
but when trying to, i get the error :
"PKIX path building failed: unable to find valid certification path to requested target "

i supplied the certificates (key, certificate, and root-ca) in the relevant places in the config files, and in PEM format, and this error keeps coming,
any help?

Hi @idan17,

Could you please share the command you are running?


-f …/…/…/config/opensearch-security/config.yml
-icl -nhnv -cert /usr/share/opensearch/config/cert/cert.pem
-cacert /usr/share/opensearch/config/root-ca/root-ca.pem
-key /usr/share/opensearch/config/key/key.pem
-t config

and i will add that those certificates i mounted using the :
secretMounts option in the helm

ok now when i put all the CA chain in the certificate file i moved to another error, now the error is "
certificate_unknown" when running the admin script

Have you configured it to be your admin certificate?

For more details, see here: Configuring TLS certificates - OpenSearch Documentation


yes, i set the value of admin_dn to be as the value in the “subject” field of my certificate

im still getting the “certificate_unknown” error from the securityadmin script, is there a variable in the values of the helm chart where i need to specify my self signed certificates other than the ssl config in the opensearch.yml file ?,
and if there is or isn’t, is there a way i can confirm my certificates are suitable for the opensearch security plugin?,
i would appreciate any help because this is a bug that is holding my team for too long on an important project

It can be very confusing because there are 3 sets of certs:

  • transport - defined by the keys starting with in the opensearch.yaml file
  • REST/HTTP - defined by the keys starting with in the opensearch.yaml file
  • admin - which are NOT defined the opensearch.yaml file at all but still need to be accessible.

When you shared the command you are trying to run, you included these items:

-cert /usr/share/opensearch/config/cert/cert.pem
-cacert /usr/share/opensearch/config/root-ca/root-ca.pem
-key /usr/share/opensearch/config/key/key.pem

Are those paths pointing to the admin certificate or to one of the other sets of certs (e.g. the transport or rest/http certs)?

In our deployments, we have the following extraVolumes defined and we point to the last set (admin-certs) when running the command.


  • name: transport-certs
    secretName: es-transport-tls-secret
  • name: rest-certs
    secretName: es-rest-tls-secret
  • name: admin-certs
    secretName: es-admin-tls-secret

Hi @GSmith !,
first of all thank you for replying,
well yes, im using the same certificates for the 3 sets you specified :face_with_hand_over_mouth:,
thats also because im working in a closed (air gapped) network and have access to those signed certificates (cert, key, and root-ca).
i also used the admin DN as the DN in those certs.
i mounted the certificates using the secretMounts option , and i know they are accessible in the pod because i tried to change the path when executing the command and got an error of not found. So i know i mounted the certificates, the thing is how can i know they are in the correct format and structure (meaning the correct ca chain) for the script to work.

Have you checked the Generate an admin certificate here: Generating self-signed certificates - OpenSearch Documentation ?

hi, i verified the certificates,
they work on my other deployments, and when changing it to .crt i can open it and see it is valid chain.
but still getting the error “certificate_unknown” when running the script,
i saw in the internet that it has to do with adding the certs to the truststore using keytool.
i tried to add to the default keystore of java, and it didn’t help, and when trying to add that to the opensearch.keystore i get an error of unrecognized type. how can i add my certs to the opensearch truststore and do i even need to?

just updating:
i tried to do the same but now with my own keystore (which i know that works in another system), and with the option of -ks and -ts for the script, and im getting the exact same error of certificate_unknown.
does anyone have any ideas ?

Where do you execute the command (pod or externally)?

Could you also run the below and share the output:
openssl s_client -connect <OpenSearch_service>:<9200_or_node_port>

im doint kubectl exec to open bash terminal in my pod (im deploying using helm)
and then running the script from within.

upon running the openssl command, when pointing to my ingress i configured to this deployment,
im getting a long output containing the certificate, another data like subject, issuer and more about this certificate.
sorry i cannot pass the whole output since its in a closed confidential network

Could you try cert authentication without the and share if you are getting any errors, you can try with something as per below:

curl --cacert /usr/share/opensearch/config/root-ca/root-ca.pem --key /usr/share/opensearch/config/key/key.pem --cert /usr/share/opensearch/config/cert/cert.pem -XGET -k https://<OpenSearch:9200>/_plugins/_security/authinfo?pretty


im getting bad gateway 502,
and in the logs of my pod im getting:

Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: …

i tried to uninstall (with PVC delete) both opensearch and opensearch dashboards, and now i have the same SSL record exception in my opensearch pod logs,
and my opensearch-dashboards is failing to run with error :
Startup probe failed: dial tcp …:5601 connect: connection refused

Hi @idan17,

At this point, I would say we need to backtrack a bit and understand your setup a bit better.
Could you please share your opensearch.yml and opensearch_dashboards.yml the ones that were picked by the pods?


ok, supplying my configuration files i add to the relevant values.yml for my helm charts:

opensearch.yml: opensearch-cluster

        pemcert_filepath: cert/<my-full-ca-chain>.pem
        pemkey_filepath: key/key.pem
        pemtrustedcas_filepath: root-ca/root-ca.pem # my root certificate of CA chain
        enforce_hostname_verification: false
        pemcert_filepath: cert/<my-full-ca-chain>.pem
        pemkey_filepath: key/key.pem
        pemtrustedcas_filepath: root-ca/root-ca.pem # my root certificate of CA chain
    allow_unsafe_democertificates: true
    allow_default_init_securityindex: true
        - CN=XX,OU=XX,O=XX,C=XX
        - CN=kirk,OU=client,O=client,L=test,C=de
      - CN=XX,OU=XX,O=XX,C=XX
    audit.type: internal_opensearch
    enable_snapshot_restore_privilege: true
    check_snapshot_restore_write_privileges: true
      roles_enabled: ["all_access", "security_rest_api_access"]
      enabled: true

config.yml for security plugin:

    enable_ssl: true
    pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca/root-ca.pem
    pemcert_filepath: /usr/share/opensearch/config/cert/<my-full-ca-chain>.pem
    pemkey_filepath: /usr/share/opensearch/config/key/key.pem
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
          type: basic
          challenge: true
          type: intern
        http_enabled: true
        enabled: true
        transport_enabled: true
        order: 1
            type: "openid"
            challenge: false
                enable_ssl: true
                subject_key: preferred_username
                roles_key: roles
                openid_connect_url: "https://<keycloak_address>/realms/master/.well-known/openid-configuration"
                    enable_ssl: true
                    pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca/root-ca.pem
            type: noop


    hosts: ["https://opensearch-cluster.master.opensearch.svc:9200"]
        verificationMode: none
        certificateAuthorities: /usr/share/opensearch-dashboards/config/certs/cert/<my-full-ca-chain>.pem
        type: ["basicauth","openid"]
        multiple_auth_enabled: true
        connect_url: "https://<keycloak_address>/realms/master/.well-known/openid-configuration"
        client_id: <id>
        client_secret: <secret>
        scope: "openid profile email"
    enabled: true
    certificate: /usr/share/opensearch-dashboards/config/certs/cert/>my-full-ca-chain>.pem
    key: /usr/share/opensearch-dashboards/config/certs/key/key.pem

just adding that im using singleNode , and the dashboards and the opensearch are residing on different namespaces in my k3s cluster.

Could you please add true in your opensearch.yml, test it, and let me know?