Hi, there was a problem after adding SSL/TLS certificates. The certificates are signed by a CA and are definitely valid. Can you tell me what the problem could be? OS version 2.8.0.
I attach the coordinator node settings (the config for the node manager is analogous), plus logs.
The connection with these certificates was checked with a curl command:
curl -v --cacert ca.pem --cert .pem --key .key -XGET https://hostname1-2node:9300
Handshake success.
Client-server certificates.
Alt names: DNS and IP.
What could be the problem?
Configuration:
cluster.name: os-cluster
node.name: os-coordinator-node
node.roles: [ coordinating ]
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
network.host: ip
http.port: 9200
discovery.seed_hosts: ["ip", "ip", "ip", "ip", "ip", "ip"]
cluster.initial_cluster_manager_nodes: ["ip", "ip"]
############################################################################
plugins.security.ssl.transport.pemcert_filepath: cert.pem
plugins.security.ssl.transport.pemkey_filepath: cert.key
plugins.security.ssl.transport.pemtrustedcas_filepath: ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: cert.pem
plugins.security.ssl.http.pemkey_filepath: cert.key
plugins.security.ssl.http.pemtrustedcas_filepath: ca.pem
plugins.security.nodes_dn:
- 'C=la,O=lalala\ lala\ of\ the\ lala\ la,OU=la,CN=coordnodename'
- 'C=la,O=la\ la\ of\ the\ la\ la,OU=la,CN=managernodename'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models"]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########
Relevant Logs or Screenshots:
Master logs:
[2023-06-29T16:25:01,393][ERROR][o.o.s.t.SecurityRequestHandler] [os-manager-data-node] OpenSearchException[Transport client authentication no longer supported.]
Coord logs:
[2023-06-29T16:24:57,392][WARN ][o.o.d.HandshakingTransportAddressConnector] [os-coordinator-node] handshake failed for [connectToRemoteMasterNode[:9300]]
org.opensearch.transport.RemoteTransportException: [os-manager-data-node][masterIP:9300][internal:transport/handshake]
Caused by: org.opensearch.OpenSearchException: Transport client authentication no longer supported