Securityadmin.sh - ERR: null is not an admin user

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.5.0

Describe the issue:
It seems the security.sh script can’t read the subject of the .pem cert file.
I run the script like this:
./securityadmin.sh -h luu2772o -cert …/…/…/config/admin.pem -cacert …/…/…/config/root-ca.pem -key …/…/…/config/admin-key.pem

I generated the certs using this documentation: Generating self-signed certificates - OpenSearch documentation

the subject of the admin.pem cert is:
openssl x509 -subject -nameopt RFC2253 -noout -in …/…/…/config/admin.pem
subject=CN=admin.luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL

but somehow the script gets null.

Checking the chain:
openssl verify -verbose -CAfile …/…/…/config/root-ca.pem …/…/…/config/admin.pem
…/…/…/config/admin.pem: OK

Configuration:
plugins.security.ssl.transport.pemcert_filepath: luu2772o.pem
plugins.security.ssl.transport.pemkey_filepath: luu2772o-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: luu2772o.pem
plugins.security.ssl.http.pemkey_filepath: luu2772o-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - CN=admin.luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL
plugins.security.nodes_dn:
  - CN=luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL

I also tried adding plugins.security.ssl.http.clientauth_mode: NONE but no difference.

Relevant Logs or Screenshots:
Security Admin v7
Will connect to luu2772o:9200 ... done
Connected as null
ERR: null is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure opensearch.yml on all nodes contains:
plugins.security.authcz.admin_dn:
  - "null"

Hey @AdiD

Is that your hostname and/or FQDN? It just seems odd.
Here is an example of mine.

./securityadmin.sh -h opensearch-server.mydomain.com  -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/admin.pem -key /etc/opensearch/admin-key.pem -icl -nhnv

Which matches my CN below.

**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to ansible.enseva-labs.net:9200 ... done
Connected as "CN=opensearch-server.mydomain.com,OU=admin,O=work,L=cedar,ST=iowa,C=us"
OpenSearch Version: 2.7.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...

That is the hostname.

I just tried with 2.8.0 and I have the same issue.

Hey @AdiD

Reason I ask was that your CN is this…

When you execute this…

Since you're using just the hostname, by chance have you tried to use your FQDN? Just an idea.

1 Like

Could you try the below example? It adds -icl (Ignore clustername) and -nhnv (Disable hostname verification) options.

./securityadmin.sh -h luu2772o -cert ../../../config/admin.pem -cacert ../../../config/root-ca.pem -key ../../../config/admin-key.pem -icl -nhnv

I suspect this is the formatting of this forum, but did you use double or single quotes with admin DN? The ‘L=’ value contains a space.

1 Like
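For the quoting question above and the tool's "not registered as admin_dn" hint, here is an added example (not from the thread and not OpenSearch code) that checks whether the subject printed by the `openssl x509 -subject -nameopt RFC2253` command is listed under `plugins.security.authcz.admin_dn`. The function names and the sample file are hypothetical, and the exact string comparison is an assumption that may be stricter than the plugin's own matching.

```bash
#!/usr/bin/env bash
# Added example, not OpenSearch code. Exact string comparison is an assumption.

# Print the entries under plugins.security.authcz.admin_dn, one per line,
# with the YAML list marker and any surrounding quotes removed.
admin_dns() {
  awk '
    /^[ \t]*plugins\.security\.authcz\.admin_dn:/ { in_list = 1; next }
    in_list && /^[ \t]*(#.*)?$/ { next }   # skip blank and comment lines
    in_list && /^[ \t]*-[ \t]/ {
      sub(/^[ \t]*-[ \t]+/, ""); sub(/[ \t]+$/, ""); print; next
    }
    { in_list = 0 }                         # any other line ends the list
  ' "$1" | sed -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Succeed if the subject line printed by
#   openssl x509 -subject -nameopt RFC2253 -noout -in <cert>
# is one of the admin_dn entries in the given opensearch.yml.
is_admin_dn() {
  local subject="${1#subject=}"
  [ -n "$subject" ] || return 2            # no subject supplied
  admin_dns "$2" | grep -Fxq -- "$subject"
}

# Constructed sample configuration, using the DNs quoted in this thread.
write_sample_yml() {
  cat > "$1" <<'EOF'
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - "CN=admin.luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL"
plugins.security.nodes_dn:
  - CN=luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL
EOF
}

yml=$(mktemp)
write_sample_yml "$yml"
for s in 'subject=CN=admin.luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL' \
         'subject=CN=luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL'; do
  if is_admin_dn "$s" "$yml"; then echo "listed:     ${s#subject=}"
  else echo "not listed: ${s#subject=}"; fi
done
rm -f "$yml"
```

The node certificate's subject is reported as not listed because it appears only under `plugins.security.nodes_dn`; the quoted and unquoted YAML forms of a DN compare equal once the quotes are stripped.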