Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch version 2.2.1
Plugin: opensearch-cross-cluster-replication v2.2.1.0
Describe the issue:
Deployed 1 leader cluster and 1 follower cluster and enabled security on both clusters. It is observed that the follower cluster is able to connect and start replication only if both clusters' certificates are signed by the same signing authority (i.e. the same Root-CA). If they are signed by different CAs, it throws the exception shown below.
Is it expected for both clusters' certificates to be signed by the same CA, or is there any way to make this scenario work?
Please suggest.
Configuration:
Security is enabled on both the Leader and Follower clusters, and the TLS certificates in the two clusters are signed by different CAs.
Relevant Logs or Screenshots:
Error logs:
curl -k -u username:password -XPUT -H 'Content-Type: application/json' 'https://IP:9200/_plugins/_replication/follower-01/_start?pretty' -d '
{
  "leader_alias": "my-connection-alias",
  "leader_index": "leader-01",
  "use_roles": {
    "leader_cluster_role": "all_access",
    "follower_cluster_role": "all_access"
  }
}'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "transport_exception",
        "reason" : "handshake failed because connection reset"
      }
    ],
    "type" : "connect_transport_exception",
    "reason" : "[IP:9300] general node connection failure",
    "caused_by" : {
      "type" : "transport_exception",
      "reason" : "handshake failed because connection reset"
    }
  },
  "status" : 500
}