Versions 2.12
Describe the issue:
I am trying to set up the security configuration, but the URL is reachable (ERR_CONNECTION_REFUSED).
For 2 weeks I have been asking the AI, but we can't find the right configuration.
Could you help me?
Thank you very much.
Configuration:
The server is running and the Apache2-index.html is displayed correctly under https.
I was able to access the dashboard without TLS configuration.
Then I configured the yml-files.
I set the rights for the certificates and utf.
Is there an error in the configuration files?
Interestingly, no log file for the dashboard was found.
I only want to use everything on the same server with the shop. Nothing special.
Relevant Logs or Screenshots:
# ======================== OpenSearch Configuration =========================
#
# NOTE: OpenSearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.opensearch.org
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: XXX
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/opensearch
#
# Path to log files:
#
path.logs: /var/log/opensearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# OpenSearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 0.0.0.0
#
# Set a custom port for HTTP:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of cluster-manager-eligible nodes:
#
#cluster.initial_cluster_manager_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
discovery.type: single-node
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
# ---------------------------------- Remote Store -----------------------------------
# Controls whether cluster imposes index creation only with remote store enabled
# cluster.remote_store.enabled: true
#
# Repository to use for segment upload while enforcing remote store for an index
# node.attr.remote_store.segment.repository: my-repo-1
#
# Repository to use for translog upload while enforcing remote store for an index
# node.attr.remote_store.translog.repository: my-repo-1
#
# ---------------------------------- Experimental Features -----------------------------------
# Gates the visibility of the experimental segment replication features until they are production ready.
#
#opensearch.experimental.feature.segment_replication_experimental.enabled: false
#
# Gates the functionality of a new parameter to the snapshot restore API
# that allows for creation of a new index type that searches a snapshot
# directly in a remote repository without restoring all index data to disk
# ahead of time.
#
#opensearch.experimental.feature.searchable_snapshot.enabled: false
#
#
# Gates the functionality of enabling extensions to work with OpenSearch.
# This feature enables applications to extend features of OpenSearch outside of
# the core.
#
#opensearch.experimental.feature.extensions.enabled: false
#
#
# Gates the optimization of datetime formatters caching along with change in default datetime formatter
# Once there is no observed impact on performance, this feature flag can be removed.
#
#opensearch.experimental.optimization.datetime_formatter_caching.enabled: false
######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-config, .plugins-ml-connector,
  .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task, .plugins-ml-conversation-meta,
  .plugins-ml-conversation-interactions, .plugins-ml-memory-meta, .plugins-ml-memory-message,
  .opendistro-alerting-config, .opendistro-alerting-alert*, .opendistro-anomaly-results*,
  .opendistro-anomaly-detector*, .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state,
  .opendistro-reports-*, .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability,
  .ql-datasources, .opendistro-asynchronous-search-response*, .replication-metadata-store,
  .opensearch-knn-models, .geospatial-ip2geo-data*, .plugins-flow-framework-config,
  .plugins-flow-framework-templates, .plugins-flow-framework-state]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########
plugins.security.disabled: false
---
# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0
# Description:
# Default configuration for OpenSearch Dashboards
# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use.
server.port: 5601
# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "0.0.0.0"
# Enables you to specify a path to mount OpenSearch Dashboards at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell OpenSearch Dashboards if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
# server.basePath: ""
# Specifies whether OpenSearch Dashboards should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# server.rewriteBasePath: false
# The maximum payload size in bytes for incoming server requests.
# server.maxPayloadBytes: 1048576
# The OpenSearch Dashboards server's name. This is used for display purposes.
# server.name: "your-hostname"
# The URLs of the OpenSearch instances to use for all your queries.
# opensearch.hosts: ["http://localhost:9200"]
# OpenSearch Dashboards uses an index in OpenSearch to store saved searches, visualizations and
# dashboards. OpenSearch Dashboards creates a new index if the index doesn't already exist.
# opensearchDashboards.index: ".opensearch_dashboards"
# The default application to load.
# opensearchDashboards.defaultAppId: "home"
# Setting for an optimized healthcheck that only uses the local OpenSearch node to do Dashboards healthcheck.
# This settings should be used for large clusters or for clusters with ingest heavy nodes.
# It allows Dashboards to only healthcheck using the local OpenSearch node rather than fan out requests across all nodes.
#
# It requires the user to create an OpenSearch node attribute with the same name as the value used in the setting
# This node attribute should assign all nodes of the same cluster an integer value that increments with each new cluster that is spun up
# e.g. in opensearch.yml file you would set the value to a setting using node.attr.cluster_id:
# Should only be enabled if there is a corresponding node attribute created in your OpenSearch config that matches the value here
# opensearch.optimizedHealthcheckId: "cluster_id"
# If your OpenSearch is protected with basic authentication, these settings provide
# the username and password that the OpenSearch Dashboards server uses to perform maintenance on the OpenSearch Dashboards
# index at startup. Your OpenSearch Dashboards users still need to authenticate with OpenSearch, which
# is proxied through the OpenSearch Dashboards server.
# opensearch.username: "opensearch_dashboards_system"
# opensearch.password: "pass"
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser.
server.ssl.enabled: true
server.ssl.certificate: /etc/ssl/certs/cert_XXX.crt
server.ssl.key: /etc/ssl/private/private_XXX.de.pem
# If you want to enforce hostname verification (recommended)
plugins.security.ssl.http.enforce_hostname_verification: true # Set to false only in development
# Enable SSL for transport communication if you're using multiple nodes
#plugins.security.ssl.transport.enabled: true
#plugins.security.ssl.transport.pemcert_filepath: /etc/ssl/certs/cert_XXX.de.crt
#plugins.security.ssl.transport.pemkey_filepath: /etc/ssl/private/private_XXX.de.pem
#plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/ssl/certs/intermediate_XXX.de.crt
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when
# xpack.security.http.ssl.client_authentication in OpenSearch is set to required.
# opensearch.ssl.certificate: /path/to/your/client.crt
# opensearch.ssl.key: /path/to/your/client.key
# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your OpenSearch instance.
# opensearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
# To disregard the validity of SSL certificates, change this setting's value to 'none'.
# opensearch.ssl.verificationMode: full
# Time in milliseconds to wait for OpenSearch to respond to pings. Defaults to the value of
# the opensearch.requestTimeout setting.
# opensearch.pingTimeout: 1500
# Time in milliseconds to wait for responses from the back end or OpenSearch. This value
# must be a positive integer.
# opensearch.requestTimeout: 30000
# List of OpenSearch Dashboards client-side headers to send to OpenSearch. To send *no* client-side
# headers, set this value to [] (an empty list).
# opensearch.requestHeadersWhitelist: [ authorization ]
# Header names and values that are sent to OpenSearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the opensearch.requestHeadersWhitelist configuration.
# opensearch.customHeaders: {}
# Time in milliseconds for OpenSearch to wait for responses from shards. Set to 0 to disable.
# opensearch.shardTimeout: 30000
# Logs queries sent to OpenSearch. Requires logging.verbose set to true.
# opensearch.logQueries: false
# Specifies the path where OpenSearch Dashboards creates the process ID file.
# pid.file: /var/run/opensearchDashboards.pid
# Enables you to specify a file where OpenSearch Dashboards stores log output.
# logging.dest: stdout
# Set the value of this setting to true to suppress all logging output.
# logging.silent: false
# Set the value of this setting to true to suppress all logging output other than error messages.
# logging.quiet: false
# Set the value of this setting to true to log all events, including system usage information
# and all requests.
logging.verbose: true
# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
# ops.interval: 5000
# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
# i18n.locale: "en"
# Set the allowlist to check input graphite Url. Allowlist is the default check list.
# vis_type_timeline.graphiteAllowedUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite']
# Set the blocklist to check input graphite Url. Blocklist is an IP list.
# Below is an example for reference
# vis_type_timeline.graphiteBlockedIPs: [
# //Loopback
# '127.0.0.0/8',
# '::1/128',
# //Link-local Address for IPv6
# 'fe80::/10',
# //Private IP address for IPv4
# '10.0.0.0/8',
# '172.16.0.0/12',
# '192.168.0.0/16',
# //Unique local address (ULA)
# 'fc00::/7',
# //Reserved IP address
# '0.0.0.0/8',
# '100.64.0.0/10',
# '192.0.0.0/24',
# '192.0.2.0/24',
# '198.18.0.0/15',
# '192.88.99.0/24',
# '198.51.100.0/24',
# '203.0.113.0/24',
# '224.0.0.0/4',
# '240.0.0.0/4',
# '255.255.255.255/32',
# '::/128',
# '2001:db8::/32',
# 'ff00::/8',
# ]
# vis_type_timeline.graphiteBlockedIPs: []
# opensearchDashboards.branding:
# logo:
# defaultUrl: ""
# darkModeUrl: ""
# mark:
# defaultUrl: ""
# darkModeUrl: ""
# loadingLogo:
# defaultUrl: ""
# darkModeUrl: ""
# faviconUrl: ""
# applicationTitle: ""
# Set the value of this setting to true to capture region blocked warnings and errors
# for your map rendering services.
# map.showRegionBlockedWarning: false%
# Set the value of this setting to false to suppress search usage telemetry
# for reducing the load of OpenSearch cluster.
# data.search.usageTelemetry.enabled: false
# 2.4 renames 'wizard.enabled: false' to 'vis_builder.enabled: false'
# Set the value of this setting to false to disable VisBuilder
# functionality in Visualization.
# vis_builder.enabled: false
# 2.4 New Experimental Feature
# Set the value of this setting to true to enable the experimental multiple data source
# support feature. Use with caution.
# data_source.enabled: false
# Set the value of these settings to customize crypto materials to encryption saved credentials
# in data sources.
# data_source.encryption.wrappingKeyName: 'changeme'
# data_source.encryption.wrappingKeyNamespace: 'changeme'
# data_source.encryption.wrappingKey: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
# 2.6 New ML Commons Dashboards Feature
# Set the value of this setting to true to enable the ml commons dashboards
# ml_commons_dashboards.enabled: false
# 2.12 New experimental Assistant Dashboards Feature
# Set the value of this setting to true to enable the assistant dashboards
# assistant.chat.enabled: false
opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false
mos@ubuntu:~$ sudo tail -n 50 /var/log/opensearch/opensearch.log
[sudo] password for mos:
[2025-04-09T16:53:53,577][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[.kibana_92668751_admin_1/gHuBm7_IRA-FG8_U2Jlt-Q]
[2025-04-09T16:53:53,595][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[.opendistro_security/5ehmEThTSvuKsV3lgl28Gg]
[2025-04-09T16:53:53,638][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,757][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,784][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,808][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[.opensearch-observability/p4JN4uPbR0WboWf2kixSmw]
[2025-04-09T16:53:53,814][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[.plugins-ml-config/KT-7qXtoTziP44f13gepLg]
[2025-04-09T16:53:53,821][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[.kibana_1/3n5_i8QyTGeRQYEFxiStnA]
[2025-04-09T16:53:53,839][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[security-auditlog-2025.04.03/nzSYbxRWRPa1WXFi_TYWgA]
[2025-04-09T16:53:53,863][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,886][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,916][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,932][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,948][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[.opensearch-sap-log-types-config/-nGA9_nZQ-GaasxqN350QA]
[2025-04-09T16:53:53,958][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,978][INFO ][o.o.c.r.a.AllocationService] [ubuntu] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.opensearch-sap-log-types-config][0]]]).
[2025-04-09T16:53:53,992][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:54,259][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Loading builtin types!
[2025-04-09T16:53:54,260][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Indexing [429] fieldMappingDocs from logTypes: 24
[2025-04-09T16:53:54,269][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Loading builtin types!
[2025-04-09T16:53:54,270][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Indexing [429] fieldMappingDocs from logTypes: 24
[2025-04-09T16:53:54,271][INFO ][o.o.s.i.DetectorIndexManagementService] [ubuntu] info deleteOldIndices
[2025-04-09T16:53:54,275][INFO ][o.o.s.i.DetectorIndexManagementService] [ubuntu] No Old Correlation Indices to delete
[2025-04-09T16:53:54,428][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Indexing [429] fieldMappingDocs
[2025-04-09T16:53:54,430][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Indexing [429] fieldMappingDocs
[2025-04-09T16:53:54,856][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Loaded [429] field mapping docs successfully!
[2025-04-09T16:53:54,858][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Loaded [429] field mapping docs successfully!
[2025-04-09T16:53:54,909][INFO ][o.o.s.i.DetectorIndexManagementService] [ubuntu] info deleteOldIndices
[2025-04-09T16:53:54,909][INFO ][o.o.s.i.DetectorIndexManagementService] [ubuntu] No Old Finding Indices to delete
[2025-04-09T16:53:54,915][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[validate-template-k4ujypymthc4moxug1ijvq/WIRq2I9qTG2hT_JI7T0yrQ]
[2025-04-09T16:53:54,919][INFO ][o.o.s.i.DetectorIndexManagementService] [ubuntu] info deleteOldIndices
[2025-04-09T16:53:54,920][INFO ][o.o.s.i.DetectorIndexManagementService] [ubuntu] No Old Alert Indices to delete
[2025-04-09T16:53:54,928][INFO ][o.o.c.m.MetadataIndexTemplateService] [ubuntu] updating index template [tenant_template] for index patterns [.kibana_-_, .kibana_0*, .kibana_1, .kibana_2, .kibana_3, .kibana_4, .kibana_5, .kibana_6, .kibana_7, .kibana_8, .kibana_9*]
[2025-04-09T16:53:54,955][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:54:03,254][INFO ][o.o.m.a.MLModelAutoReDeployer] [ubuntu] Index not found, not performing auto reloading!
[2025-04-09T16:54:03,255][INFO ][o.o.m.c.MLCommonsClusterManagerEventListener] [ubuntu] Starting ML sync up job…
[2025-04-09T16:54:13,264][INFO ][o.o.m.c.MLSyncUpCron ] [ubuntu] ML configuration already initialized, no action needed
[2025-04-09T16:54:53,247][INFO ][o.o.i.i.ManagedIndexCoordinator] [ubuntu] Performing move cluster state metadata.
[2025-04-09T16:54:53,248][INFO ][o.o.i.i.MetadataService ] [ubuntu] ISM config index not exist, so we cancel the metadata migration job.
[2025-04-09T16:55:53,247][INFO ][o.o.i.i.ManagedIndexCoordinator] [ubuntu] Cancel background move metadata process.
[2025-04-09T16:55:53,248][INFO ][o.o.i.i.ManagedIndexCoordinator] [ubuntu] Performing move cluster state metadata.
[2025-04-09T16:55:53,248][INFO ][o.o.i.i.MetadataService ] [ubuntu] Move metadata has finished.
[2025-04-09T16:58:53,107][INFO ][o.o.j.s.JobSweeper ] [ubuntu] Running full sweep
[2025-04-09T16:58:53,251][INFO ][o.o.i.i.PluginVersionSweepCoordinator] [ubuntu] Canceling sweep ism plugin version job
[2025-04-09T17:03:53,108][INFO ][o.o.j.s.JobSweeper ] [ubuntu] Running full sweep
[2025-04-09T17:08:53,109][INFO ][o.o.j.s.JobSweeper ] [ubuntu] Running full sweep
[2025-04-09T17:10:47,955][INFO ][o.o.n.Node ] [ubuntu] stopping …
[2025-04-09T17:10:47,988][INFO ][o.o.n.Node ] [ubuntu] stopped
[2025-04-09T17:10:47,988][INFO ][o.o.n.Node ] [ubuntu] closing …
[2025-04-09T17:10:48,000][INFO ][o.o.n.Node ] [ubuntu] closed
mos@ubuntu:~$ sudo tail -n 50 /var/log/opensearch-dashboards/opensearch-dashboards.log
tail: cannot open ‘/var/log/opensearch-dashboards/opensearch-dashboards.log’ for reading: No such file or directory
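
Added example, not part of the original post: a small linter for the Dashboards file shown above. It flags `plugins.security.*` keys (the namespace the post's own opensearch.yml uses for node settings), TLS settings that contradict each other according to the file's own comments, and an unset `logging.dest`. The sample input is constructed from the active lines of the posted file; the function names are hypothetical.

```python
import re

# Constructed sample: the active (uncommented) lines of the Dashboards file in the post.
SAMPLE_DASHBOARDS_YML = """\
server.port: 5601
server.host: "0.0.0.0"
server.ssl.enabled: true
server.ssl.certificate: /etc/ssl/certs/cert_XXX.crt
server.ssl.key: /etc/ssl/private/private_XXX.de.pem
plugins.security.ssl.http.enforce_hostname_verification: true # Set to false only in development
logging.verbose: true
opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch_security.cookie.secure: false
"""

KEY_VALUE = re.compile(r"^([A-Za-z_][\w.]*):\s*(.*)$")


def active_settings(text):
    """Map each uncommented flat `key: value` line to (line_number, value)."""
    settings = {}
    for number, raw in enumerate(text.splitlines(), 1):
        # Comment lines start with '#', so they never match the key pattern.
        match = KEY_VALUE.match(raw.strip())
        if match:
            value = re.sub(r"\s+#.*$", "", match.group(2)).strip().strip("\"'")
            settings[match.group(1)] = (number, value)
    return settings


def lint_dashboards(text):
    """Return sorted (line_number, key, message) findings; line 0 means the key is absent."""
    s = active_settings(text)
    value = lambda key: s.get(key, (0, ""))[1].lower()
    line = lambda key: s.get(key, (0, ""))[0]
    findings = []
    for key in s:
        if key.startswith("plugins.security."):
            findings.append((line(key), key, "OpenSearch node setting; belongs in opensearch.yml"))
    if value("server.ssl.enabled") == "true":
        for key in ("server.ssl.certificate", "server.ssl.key"):
            if key not in s:
                findings.append((0, key, "missing although server.ssl.enabled is true"))
        if value("opensearch_security.cookie.secure") == "false":
            findings.append((line("opensearch_security.cookie.secure"),
                             "opensearch_security.cookie.secure",
                             "false is meant for Dashboards without https, but server.ssl is enabled"))
    if value("opensearch.ssl.verificationMode") == "none":
        findings.append((line("opensearch.ssl.verificationMode"),
                         "opensearch.ssl.verificationMode",
                         "certificate of the OpenSearch node is not validated"))
    if value("opensearch.username") and value("opensearch.username") == value("opensearch.password"):
        findings.append((line("opensearch.password"), "opensearch.password",
                         "password equals the username, as in the demo configuration"))
    if "logging.dest" not in s:
        findings.append((0, "logging.dest", "unset: output goes to stdout, no log file is written"))
    return sorted(findings)


if __name__ == "__main__":
    for number, key, message in lint_dashboards(SAMPLE_DASHBOARDS_YML):
        print(f"line {number:>2}  {key}: {message}")
```
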