Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.5.0
Describe the issue:
It seems the security.sh script can’t read the subject of the .pem cert file.
I run the script like this:
./securityadmin.sh -h luu2772o -cert ../../../config/admin.pem -cacert ../../../config/root-ca.pem -key ../../../config/admin-key.pem
I generated the certs using this documentation: Generating self-signed certificates - OpenSearch documentation
The subject of the admin.pem cert is:
openssl x509 -subject -nameopt RFC2253 -noout -in ../../../config/admin.pem
subject=CN=admin.luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL
But somehow the script gets null.
Checking the chain:
openssl verify -verbose -CAfile ../../../config/root-ca.pem ../../../config/admin.pem
../../../config/admin.pem: OK
Configuration:
plugins.security.ssl.transport.pemcert_filepath: luu2772o.pem
plugins.security.ssl.transport.pemkey_filepath: luu2772o-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: luu2772o.pem
plugins.security.ssl.http.pemkey_filepath: luu2772o-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
- CN=admin.luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL
plugins.security.nodes_dn:
- CN=luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL
I also tried adding plugins.security.ssl.http.clientauth_mode: NONE but no difference.
Relevant Logs or Screenshots:
Security Admin v7
Will connect to luu2772o:9200 ... done
Connected as null
ERR: null is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure opensearch.yml on all nodes contains:
plugins.security.authcz.admin_dn:
- "null"