Securityadmin.sh errors when connecting opensearch through http

I just upgraded to opensearch v2.0.0.
When I tried to initialize security using securityadmin.sh, I came across the following error message.

ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection?

[opensearch@ertergergedpo7 config]$ /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh 
> -h 10.136.136.37
> -icl -nhnv -cert /usr/share/opensearch/config/admin.pem 
> -cacert /usr/share/opensearch/config/root-ca.pem 
> -key /usr/share/opensearch/config/admin-key.pem 
> -cd /usr/share/opensearch/config/opensearch-security/
************************************************************************** 
** This tool will be deprecated in the next major release of OpenSearch ** 
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7 
Will connect to 10.136.136.37:9200 ... done 
ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection? 
Trace: java.io.IOException: Unrecognized SSL message, plaintext connection?
  at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:927)
  at org.opensearch.client.RestClient.performRequest(RestClient.java:307)
  at org.opensearch.client.RestClient.performRequest(RestClient.java:295)
  at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:464)
  at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:161)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
  at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
  at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
  at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:612)
  at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
  at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
  at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
  at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:275)
  at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:321)
  at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:523)
  at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
  at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
  at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
  at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
  at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
  at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
  at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
  at java.base/java.lang.Thread.run(Thread.java:833)

Here is my opensearch.yml.
When I uncomment plugins.security.ssl.http settings, securityadmin will work well.
But I want to use http for my REST layer, not https.

network.host: 10.135.136.37

cluster.name: opensearch-cluster-staging
node.name: opensearch-node1
node.roles: [master]
discovery.seed_hosts: ["10.136.136.37"]
cluster.initial_cluster_manager_nodes: ["10.136.136.37"]
bootstrap.memory_lock: true # along with the memlock settings below, disables swapping
path.repo: ["/usr/share/opensearch/snapshot"]
node.attr.data: none

plugins.security.ssl.transport.pemcert_filepath: node.pem
plugins.security.ssl.transport.pemkey_filepath: node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
#plugins.security.ssl.http.enabled: true
#plugins.security.ssl.http.pemcert_filepath: node.pem
#plugins.security.ssl.http.pemkey_filepath: node-key.pem
#plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=AA,O=SS,L=BB,ST=CC,C=DD'
plugins.security.nodes_dn:
  - 'CN=NODE,OU=AA,O=SS,L=BB,ST=CC,C=DD'

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]

Thanks.
I appreciate your help.

Just make sure that all admin certificates and http certificates are signed by the same root certificate (the same certificate authority).

In previous releases, securityadmin.sh used TransportClient, which can use a different root certificate than the http certificates.

You can try the guide here: Generate certificates - OpenSearch documentation

@bob96589 Have a look at this comment in regards to changes in OpenSearch v2.0.0

You’ll need to enable SSL on HTTP to get securityadmin.sh working.

Hi @pablo

You’ll need to enable SSL on HTTP to get securityadmin.sh working

Does this mean I have to uncomment the following 4 lines in order to get securityadmin.sh working?

#plugins.security.ssl.http.enabled: true
#plugins.security.ssl.http.pemcert_filepath: node.pem
#plugins.security.ssl.http.pemkey_filepath: node-key.pem
#plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem

@bob96589 That is correct.

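The check this thread settles on, written as an added example that is not part of the original posts or of the OpenSearch project: a pre-flight script that reads opensearch.yml and reports whether the four `plugins.security.ssl.http.*` settings quoted above are active before securityadmin.sh is run. The function names `yml_get` and `http_tls_preflight` are hypothetical, and the parser assumes flat `key: value` lines like those in the posted file.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check opensearch.yml before running
# securityadmin.sh on OpenSearch 2.x. Function names are hypothetical.

# Print the effective value of a flat "key: value" setting; commented-out
# lines are ignored, and the last uncommented occurrence wins.
yml_get() {  # usage: yml_get FILE KEY
  awk -v key="$2" '
    /^[ \t]*#/ { next }                    # setting is commented out
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)          # drop a trailing comment
      i = index(line, ":")
      if (i == 0) next
      k = substr(line, 1, i - 1); v = substr(line, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { if (val != "") print val }
  ' "$1"
}

# Report whether the REST layer is configured for TLS, which the replies
# above say securityadmin.sh needs from v2.0.0 on.
#   TLS_HTTP        status 0  enabled plus all three PEM paths are set
#   PLAINTEXT_HTTP  status 1  ...http.enabled is absent, commented out or not true
#   INCOMPLETE:...  status 2  TLS enabled but a PEM path is missing
http_tls_preflight() {  # usage: http_tls_preflight /path/to/opensearch.yml
  pf_yml=$1
  pf_missing=""
  if [ "$(yml_get "$pf_yml" plugins.security.ssl.http.enabled)" != "true" ]; then
    echo "PLAINTEXT_HTTP"
    return 1
  fi
  for pf_key in pemcert_filepath pemkey_filepath pemtrustedcas_filepath; do
    if [ -z "$(yml_get "$pf_yml" "plugins.security.ssl.http.$pf_key")" ]; then
      pf_missing="$pf_missing $pf_key"
    fi
  done
  if [ -n "$pf_missing" ]; then
    echo "INCOMPLETE:$pf_missing"
    return 2
  fi
  echo "TLS_HTTP"
}
```

Run against the configuration posted above, `http_tls_preflight` prints `PLAINTEXT_HTTP` and returns 1, which is the state in which securityadmin.sh fails with "Unrecognized SSL message, plaintext connection?".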