- ERR: null is not an admin user

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:
It seems the script can’t read the subject of the .pem cert file.
I run the script like this:
./ -h luu2772o -cert ../../../config/admin.pem -cacert ../../../config/root-ca.pem -key ../../../config/admin-key.pem

I generated the certs using this documentation: Generating self-signed certificates - OpenSearch documentation

the subject of the admin.pem cert is:
openssl x509 -subject -nameopt RFC2253 -noout -in ../../../config/admin.pem
subject=CN=admin.luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL

but somehow the script gets null.

Checking the chain:
openssl verify -verbose -CAfile ../../../config/root-ca.pem ../../../config/admin.pem
../../../config/admin.pem: OK

Configuration: luu2772o.pem luu2772o-key.pem root-ca.pem false true luu2772o.pem luu2772o-key.pem root-ca.pem true true

  • CN=admin.luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL
  • CN=luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL

I also tried adding NONE but no difference.

Relevant Logs or Screenshots:
Security Admin v7
Will connect to luu2772o:9200 ... done
Connected as null
ERR: null is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure opensearch.yml on all nodes contains:

  • “null”

Hey @AdiD

Is that your hostname and/or FQDN? It just seems odd.
Here is an example of mine.

./ -h  -cd /etc/opensearch/opensearch-security/ -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/admin.pem -key /etc/opensearch/admin-key.pem -icl -nhnv

which matches my CN below.

** This tool will be deprecated in the next major release of OpenSearch **
**           **
Security Admin v7
Will connect to ... done
Connected as ",OU=admin,O=work,L=cedar,ST=iowa,C=us"
OpenSearch Version: 2.7.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...

That is the hostname.

I just tried with 2.8.0 and I have the same issue.

Hey @AdiD

Reason I ask was that your CN is this…

When you execute this…

Since you're using just the hostname, by chance have you tried to use your FQDN? Just an idea.


Could you try the below example? It adds the -icl (Ignore clustername) and -nhnv (Disable hostname verification) options.

./ -h luu2772o -cert ../../../config/admin.pem -cacert ../../../config/root-ca.pem -key ../../../config/admin-key.pem -icl -nhnv

I suspect this is the formatting of this forum, but did you use double or single quotes with admin DN? The ‘L=’ value contains a space.

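
The quoting question raised in the last reply can be checked mechanically. The following is an added example, not part of the thread and not OpenSearch's own code: it compares the subject line printed by openssl with admin_dn list items copied as raw text from opensearch.yml. It assumes two DNs match when their attribute/value pairs are equal in order; `normalize_dn` and `is_registered` are hypothetical names, and the list items are constructed variants of the DN shown in the question.

```python
# Added example (not from the thread): compare an openssl RFC2253 subject
# line with admin_dn list items copied as raw text from opensearch.yml.
# Assumption: a DN matches when its RDNs are equal in order after trimming.

ASCII_QUOTES = "\"'"

def normalize_dn(text):
    """Return a DN as a tuple of (TYPE, value) pairs, in order."""
    text = text.strip()
    if text.startswith("- "):                      # YAML list item marker
        text = text[2:].strip()
    if len(text) > 1 and text[0] == text[-1] and text[0] in ASCII_QUOTES:
        text = text[1:-1]                          # YAML strips ASCII quotes only
    if text.startswith("subject="):                # prefix printed by openssl
        text = text[len("subject="):]
    rdns, buf, escaped = [], [], False
    for ch in text:
        if escaped:                                # keep an escaped "," in the value
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"not an RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return tuple(pairs)

def is_registered(subject_line, admin_dn_items):
    subject = normalize_dn(subject_line)
    return any(normalize_dn(item) == subject for item in admin_dn_items)

# Subject as printed in the thread; the list items are constructed variants.
SUBJECT = "subject=CN=admin.luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL"
PLAIN = "- CN=admin.luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL"
QUOTED = "- 'CN=admin.luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL'"
CURLY = "- “CN=admin.luu2772o,OU=EPO,O=EPO,L=The Hague,ST=TH,C=NL”"

if __name__ == "__main__":
    for item in (PLAIN, QUOTED, CURLY):
        print(is_registered(SUBJECT, [item]), item)
```

Under that assumption, a plain or ASCII-quoted entry matches even with the space in L=The Hague, while typographic quotes become part of the value and do not match.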