Securityadmin.sh can't read subject from certificate

Hi there!
I have trouble running securityadmin.sh after updating OpenSearch from version 1.2x to 2.0.1. I had no problems with the same certificate on the previous version. Only CommonName is given, no Organization or State and so on.

Command →
$./securityadmin.sh -cd …/securityconfig/ -icl -nhnv -cacert …/securityconfig/certs/admin/ca.crt -cert …/securityconfig/certs/admin/tls.crt -key …/securityconfig/certs/admin/tls.key

Return →
Security Admin v7
Will connect to localhost:9200 … done
Connected as null
ERR: null is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure opensearch.yml on all nodes contains:
plugins.security.authcz.admin_dn:

  - "null"

Thanks for your help


@florian Is the admin certificate DN in plugins.security.authcz.admin_dn values in opensearch.yml?

Could you share the list of admin DNs in opensearch.yml and output of the below command?

openssl x509 -in tls.crt -noout -subject

Hi @pablo !
thank you for your quick response
I copied the cert to my local machine. This is the output →

"subject=CN = opensearch-cluster-admin"

and my config looks currently like →

I am also running into the same error:

Connected as null
ERR: null is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure opensearch.yml on all nodes contains:
plugins.security.authcz.admin_dn:
  - "null"

The output from openssl for my cert is:

subject= /CN=admin.<ServiceName>

and my opensearch.yaml has:

plugins.security.authcz.admin_dn:
- CN=admin.<Service Name>

Not sure why there is a "/" before the CN; it seems strange to me. I would need to check how that cert is generated.
I wonder if the blank space after the "=" could possibly be an issue?

Any ideas about what the issue could be?

@florian did you have any luck figuring this out ?

cc @pablo, in case you can provide any further help.

Thanks!

Hi @conicob

Nope, sorry, I downgraded to version 1.3.3. There was another problem with opensearch-dashboards and the rollover process: some fields didn't appear when an index was chosen.

@florian @conicob I still can’t repro your issue.
This is my 2.0.1 cluster. I’m using custom certificates and all demo certs are disabled.



Thanks @pablo for sharing that information. I am using .crt and .key files for the certificates; I am wondering if something changed and now only .pem files are accepted.

@florian @conicob How do you deploy your OpenSearch cluster?

@pablo
deployment was done via helm chart →

@florian Can you confirm that the opensearch.yml file inside all the running OpenSearch pods contains the correct admin_dn?

@florian I did some further testing.

I’ve found that executing securityadmin.sh script with an incorrect admin certificate will print CN or DN of that cert anyway.

In your case the script prints null as CN/DN of the admin cert.

Therefore, I suspect that the reported issue could be related to your admin cert creation workflow.
Could you tell me how your admin cert was generated?

In my repro I’ve used the script from OpenSearch documentation.

@pablo, we just deploy the package contents and have a wrapper script that launches OpenSearch. We also have a Java application that takes care of the certificate generation.

I also tried to generate the certs with the script from the OpenSearch documentation, and got the same error. I wonder what is special about the certificate generation that causes the previous one to not work.

@conicob @florian Could you try the following command inside and outside the OpenSearch pod and share the output?

curl --insecure --cert <admin_cert> --key <admin_key> -XGET https://<OpenSearch_node_IP_or_FQDN>:9200/_plugins/_security/authinfo?pretty

Port number could be different when executed outside of the pod.

Have you tried to execute the securityadmin.sh script inside the OpenSearch pod?

The documentation for 2.1.0 proposes creating the subject in RFC2253 format

using

openssl x509 -subject -nameopt RFC2253 -noout -in node.pem

Hi all, I am facing the same issue.

I am in the middle of migration from OpenDistro to OpenSearch 2.1.0

I am using the same certificates in OpenDistro and it works without any issue.

In OpenSearch 2.1.0 I am getting

Security Admin v7
Will connect to localhost:9200 … done
Connected as null
ERR: null is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure opensearch.yml on all nodes contains:
plugins.security.authcz.admin_dn:

  - "null"

I tried
curl --insecure --cert admin.pem --key admin.key -XGET https://localhost:9200/_plugins/_security/authinfo?pretty
{"error":{"header":{"WWW-Authenticate":"Negotiate"}}}

I am using the tarball version on Ubuntu and I generated the certificates with the Search Guard TLS tool.

Solution:
Remove this line from opensearch.yml

plugins.security.ssl.http.clientauth_mode: NONE

and it is working.

@Ivan Thanks for sharing your solution.

@florian @conicob I've just tested with 1.3.0 and 2.0.1 with plugins.security.ssl.http.clientauth_mode set to NONE, and in 1.3.0 I had no issues executing the securityadmin.sh script.

However, in 2.0.1 and 2.1.0 versions it failed with the reported error.

Could you confirm the value of plugins.security.ssl.http.clientauth_mode in your environment?

Hi @pablo
In our environment where I have tested v2.0.1, plugins.security.ssl.http.clientauth_mode was set to "OPTIONAL". I'm not sure if I had tried it with "NONE". But I hope this is not the final solution.
The certs are generated with cert-manager.
Thanks for your answers. When there is more time I'll try it again and also have a deeper look at the generated certs.

@pablo , @florian, sorry for the delay reporting back here.
I removed plugins.security.ssl.http.clientauth_mode from the config altogether as suggested above, and I was able to run the security-admin script, as well as start OpenSearch properly. I have not yet fully tested the functionality, but I have a working environment now.
Thanks!
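As an added example (not code from this thread or from the OpenSearch project), here is a small Python pre-flight check that covers the two things the thread turned on: whether the admin cert's subject, as openssl prints it in any of the shapes seen above (the legacy "/CN=" form, the spaced "CN = ..." form, or "-nameopt RFC2253" output), matches an admin_dn entry once both sides are normalised to RFC2253 order and spacing, and whether plugins.security.ssl.http.clientauth_mode is set to NONE. The config fragments and subject strings in the block are constructed sample input; the config reader is a minimal reader for those two keys only, not a YAML parser.

```python
"""Pre-flight check before running securityadmin.sh.

Added example, not code from this thread or from the OpenSearch project.
It normalises the subject string that `openssl x509 -noout -subject` prints
(legacy '/CN=...' form, the newer 'CN = ...' form, or RFC2253 output) to one
canonical RFC2253 string, compares it with the admin_dn entries read from an
opensearch.yml fragment, and flags clientauth_mode: NONE.
The config texts and subject lines below are constructed sample input.
"""
import re

# attribute=value with any amount of whitespace around '='
_PAIR = re.compile(r"\s*([A-Za-z0-9.]+)\s*=\s*(.*?)\s*$")


def _split_pair(pair):
    m = _PAIR.match(pair)
    if not m:
        raise ValueError(f"not an attribute=value pair: {pair!r}")
    # attribute types are case-insensitive, so upper-case them; values are kept as-is
    return m.group(1).upper(), m.group(2)


def parse_rfc2253(dn):
    """'CN=admin,O=Example,C=DE' -> [('CN','admin'),('O','Example'),('C','DE')].
    Splits on unescaped commas only; multi-valued RDNs ('+') are not handled."""
    return [_split_pair(p) for p in re.split(r"(?<!\\),", dn) if p.strip()]


def parse_openssl_subject(line):
    """Parse the non-RFC2253 shapes openssl prints and return RFC2253 order.

    'subject= /C=DE/O=Example/CN=admin'        (older openssl, '/'-separated)
    'subject=C = DE, O = Example, CN = admin'   (openssl 1.1+/3.x default)
    Both list RDNs in certificate order; RFC2253 lists the most specific
    RDN (usually CN) first, so the parsed list is reversed.
    """
    s = line.strip()
    if s.lower().startswith("subject="):
        s = s[len("subject="):].strip()
    if s.startswith("/"):
        parts = [p for p in s.split("/") if p]  # a '/' inside a value is not handled
    else:
        parts = [p for p in re.split(r"(?<!\\),", s) if p.strip()]
    return list(reversed([_split_pair(p) for p in parts]))


def canonical(rdns):
    """Canonical RFC2253 string, e.g. 'CN=admin,O=Example,C=DE' (no spaces)."""
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def read_config(text):
    """Minimal reader for the two keys this check needs; not a YAML parser."""
    admin_dns, mode, in_list = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("plugins.security.authcz.admin_dn:"):
            in_list = True
            continue
        if in_list and line.startswith("-"):
            admin_dns.append(line[1:].strip().strip("\"'"))
            continue
        in_list = False
        if line.startswith("plugins.security.ssl.http.clientauth_mode:"):
            mode = line.split(":", 1)[1].strip().strip("\"'").upper()
    return admin_dns, mode  # mode is None when the key is absent (plugin default applies)


def check_admin_cert(openssl_subject, config_text):
    """Return a list of findings; an empty list means no mismatch was detected."""
    findings = []
    cert_dn = canonical(parse_openssl_subject(openssl_subject))
    admin_dns, mode = read_config(config_text)
    configured = [canonical(parse_rfc2253(d)) for d in admin_dns]
    if cert_dn not in configured:
        findings.append(f"cert subject {cert_dn!r} is not in admin_dn {configured}")
    if mode == "NONE":
        findings.append("clientauth_mode is NONE: the HTTP layer will not request the "
                        "admin client certificate (securityadmin.sh fails this way on 2.0.1/2.1.0)")
    return findings


# constructed sample input
CONFIG_OK = """
plugins.security.authcz.admin_dn:
  - "CN=opensearch-cluster-admin"
plugins.security.ssl.http.clientauth_mode: OPTIONAL
"""
CONFIG_NONE = CONFIG_OK.replace("OPTIONAL", "NONE")
# admin_dn written in certificate order instead of RFC2253 order
CONFIG_WRONG_ORDER = """
plugins.security.authcz.admin_dn:
  - C=DE,O=Example,CN=admin
"""

if __name__ == "__main__":
    for subject, cfg in [("subject=CN = opensearch-cluster-admin", CONFIG_OK),
                         ("subject=CN = opensearch-cluster-admin", CONFIG_NONE),
                         ("subject=C = DE, O = Example, CN = admin", CONFIG_WRONG_ORDER)]:
        print(subject, "->", check_admin_cert(subject, cfg) or "OK")
```

Running it with a real subject line (paste the output of openssl x509 -in tls.crt -noout -subject) and the node's opensearch.yml surfaces the two mismatches discussed above before securityadmin.sh is run: an admin_dn written in certificate order rather than RFC2253 order, and a clientauth_mode of NONE under which the node never asks the client for a certificate at all.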