Query regarding Cross cluster replication with security enabled

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch version 2.2.1
Plugin: opensearch-cross-cluster-replication v2.2.1.0

Describe the issue:
Deployed 1 leader cluster and 1 follower cluster and enabled security on both clusters. It is observed that the follower cluster is able to connect and start replication only if both clusters' certificates are signed by the same signing authority (i.e. the same Root CA). If they are signed by different CAs, it throws the exception mentioned below.
Is it expected that both clusters' certificates are signed by the same CA, or is there any way to make this scenario work?
Please suggest.

Security is enabled on both the leader and follower cluster, and the TLS certificates in the two clusters are signed by different CAs.

Relevant Logs or Screenshots:
Error logs:
curl -k -u username:password -XPUT -H 'Content-Type: application/json' 'https://IP:9200/_plugins/_replication/follower-01/_start?pretty' -d '
{
  "leader_alias": "my-connection-alias",
  "leader_index": "leader-01",
  "leader_cluster_role": "all_access",
  "follower_cluster_role": "all_access"
}'

{
  "error" : {
    "root_cause" : [
      {
        "type" : "transport_exception",
        "reason" : "handshake failed because connection reset"
      }
    ],
    "type" : "connect_transport_exception",
    "reason" : "[IP:9300] general node connection failure",
    "caused_by" : {
      "type" : "transport_exception",
      "reason" : "handshake failed because connection reset"
    }
  },
  "status" : 500
}

You should be able to whitelist the follower cluster's certificate on the leader cluster via the security plugin APIs.
I'm not able to find that in the documentation, but this is the PR where this support was added: "Implement APIs and datamodel to configure nodes_dn dynamically" by krishna-ggk, Pull Request #362, opensearch-project/security on GitHub.


  • GET _opendistro/_security/api/ssl/certs to fetch the certificate from follower.
  • PUT _opendistro/_security/api/nodesdn/ to whitelist follower’s certificate on leader.
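The two steps above as one added script (not code from the thread or from the security plugin project). It assumes the `ssl/certs` response keys `transport_certificates_list` and `subject_dn`, that `plugins.security.nodes_dn_dynamic_config_enabled: true` is set on the leader, and that each cluster's transport truststore already trusts the other cluster's CA, because the `nodes_dn` check only runs after the TLS handshake itself has succeeded.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

# Constructed sample of a follower's GET _opendistro/_security/api/ssl/certs reply
# (assumed response shape; DNs are made up for this example).
SAMPLE_FOLLOWER_CERTS = {
    "http_certificates_list": [
        {"issuer_dn": "CN=follower-ca,O=example", "subject_dn": "CN=follower-http,O=example"},
    ],
    "transport_certificates_list": [
        {"issuer_dn": "CN=follower-ca,O=example", "subject_dn": "CN=follower-node-1,O=example"},
        {"issuer_dn": "CN=follower-ca,O=example", "subject_dn": "CN=follower-node-1,O=example"},
    ],
}

def transport_node_dns(certs_response):
    """Unique subject DNs of the follower's transport certs, first-seen order.
    Only transport certs matter: nodes_dn is enforced on port 9300, not on HTTP."""
    dns = []
    for cert in certs_response.get("transport_certificates_list", []):
        dn = cert.get("subject_dn")
        if dn and dn not in dns:
            dns.append(dn)
    return dns

def nodesdn_body(dns):
    """Body for PUT _opendistro/_security/api/nodesdn/<follower-cluster-name> on the leader."""
    if not dns:
        raise ValueError("no transport certificate DNs found; refusing to write an empty allowlist")
    return {"nodes_dn": list(dns)}

def _call(url, auth, ca_bundle, method="GET", body=None):
    # Verify the server against its own CA instead of curl -k, so the admin
    # credentials are never sent to an unverified endpoint.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Basic " + b64encode(":".join(auth).encode()).decode())
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)

def allowlist_follower_on_leader(follower_url, follower_auth, follower_ca,
                                 leader_url, leader_auth, leader_ca, follower_cluster_name):
    """Step 1: read the follower's transport cert DNs; step 2: register them on the leader."""
    certs = _call(f"{follower_url}/_opendistro/_security/api/ssl/certs", follower_auth, follower_ca)
    body = nodesdn_body(transport_node_dns(certs))
    return _call(f"{leader_url}/_opendistro/_security/api/nodesdn/{follower_cluster_name}",
                 leader_auth, leader_ca, method="PUT", body=body)
```

Run `allowlist_follower_on_leader("https://follower:9200", ("admin", "pw"), "follower-ca.pem", "https://leader:9200", ("admin", "pw"), "leader-ca.pem", "follower-cluster")` with real hosts, then retry the `_replication/.../_start` call.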