SSL configuration

Versions 2.12

Describe the issue:
I'm trying to set up the security configuration, but the URL is reachable (ERR_CONNECTION_REFUSED).
For 2 weeks I have been asking the AI, but we can't find the right configuration.

Could you help me?

Thank you very much.

Configuration:
The server is running and the Apache2 index.html is displayed correctly under https.
I was able to access the dashboard without TLS configuration.

Then I configured the yml files.
I set the rights for the certificates and utf.

Is there an error in the configuration files?

Interestingly, no log file for the dashboard was found.

I only want to run everything on the same server as the shop. Nothing special.

Relevant Logs or Screenshots:

# ======================== OpenSearch Configuration =========================
#
# NOTE: OpenSearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.opensearch.org
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: XXX
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/opensearch
#
# Path to log files:
#
path.logs: /var/log/opensearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# OpenSearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 0.0.0.0
#
# Set a custom port for HTTP:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of cluster-manager-eligible nodes:
#
#cluster.initial_cluster_manager_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
discovery.type: single-node
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
# ---------------------------------- Remote Store -----------------------------------
# Controls whether cluster imposes index creation only with remote store enabled
# cluster.remote_store.enabled: true
#
# Repository to use for segment upload while enforcing remote store for an index
# node.attr.remote_store.segment.repository: my-repo-1
#
# Repository to use for translog upload while enforcing remote store for an index
# node.attr.remote_store.translog.repository: my-repo-1
#
# ---------------------------------- Experimental Features -----------------------------------
# Gates the visibility of the experimental segment replication features until they are production ready.
#
#opensearch.experimental.feature.segment_replication_experimental.enabled: false
#
# Gates the functionality of a new parameter to the snapshot restore API
# that allows for creation of a new index type that searches a snapshot
# directly in a remote repository without restoring all index data to disk
# ahead of time.
#
#opensearch.experimental.feature.searchable_snapshot.enabled: false
#
#
# Gates the functionality of enabling extensions to work with OpenSearch.
# This feature enables applications to extend features of OpenSearch outside of
# the core.
#
#opensearch.experimental.feature.extensions.enabled: false
#
#
# Gates the optimization of datetime formatters caching along with change in default datetime formatter
# Once there is no observed impact on performance, this feature flag can be removed.
#
#opensearch.experimental.optimization.datetime_formatter_caching.enabled: false

######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-config, .plugins-ml-connector,
  .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task, .plugins-ml-conversation-meta,
  .plugins-ml-conversation-interactions, .plugins-ml-memory-meta, .plugins-ml-memory-message,
  .opendistro-alerting-config, .opendistro-alerting-alert*, .opendistro-anomaly-results*,
  .opendistro-anomaly-detector*, .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state,
  .opendistro-reports-*, .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability,
  .ql-datasources, .opendistro-asynchronous-search-response*, .replication-metadata-store,
  .opensearch-knn-models, .geospatial-ip2geo-data*, .plugins-flow-framework-config,
  .plugins-flow-framework-templates, .plugins-flow-framework-state]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########
plugins.security.disabled: false

---

# Copyright OpenSearch Contributors
# SPDX-License-Identifier: Apache-2.0

# Description:
# Default configuration for OpenSearch Dashboards

# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use.
server.port: 5601

# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "0.0.0.0"

# Enables you to specify a path to mount OpenSearch Dashboards at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell OpenSearch Dashboards if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
# server.basePath: ""

# Specifies whether OpenSearch Dashboards should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# server.rewriteBasePath: false

# The maximum payload size in bytes for incoming server requests.
# server.maxPayloadBytes: 1048576

# The OpenSearch Dashboards server's name. This is used for display purposes.
# server.name: "your-hostname"

# The URLs of the OpenSearch instances to use for all your queries.
# opensearch.hosts: ["http://localhost:9200"]

# OpenSearch Dashboards uses an index in OpenSearch to store saved searches, visualizations and
# dashboards. OpenSearch Dashboards creates a new index if the index doesn't already exist.
# opensearchDashboards.index: ".opensearch_dashboards"

# The default application to load.
# opensearchDashboards.defaultAppId: "home"

# Setting for an optimized healthcheck that only uses the local OpenSearch node to do Dashboards healthcheck.
# This settings should be used for large clusters or for clusters with ingest heavy nodes.
# It allows Dashboards to only healthcheck using the local OpenSearch node rather than fan out requests across all nodes.
#
# It requires the user to create an OpenSearch node attribute with the same name as the value used in the setting
# This node attribute should assign all nodes of the same cluster an integer value that increments with each new cluster that is spun up
# e.g. in opensearch.yml file you would set the value to a setting using node.attr.cluster_id:
# Should only be enabled if there is a corresponding node attribute created in your OpenSearch config that matches the value here
# opensearch.optimizedHealthcheckId: "cluster_id"

# If your OpenSearch is protected with basic authentication, these settings provide
# the username and password that the OpenSearch Dashboards server uses to perform maintenance on the OpenSearch Dashboards
# index at startup. Your OpenSearch Dashboards users still need to authenticate with OpenSearch, which
# is proxied through the OpenSearch Dashboards server.
# opensearch.username: "opensearch_dashboards_system"
# opensearch.password: "pass"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser.
server.ssl.enabled: true
server.ssl.certificate: /etc/ssl/certs/cert_XXX.crt
server.ssl.key: /etc/ssl/private/private_XXX.de.pem

# If you want to enforce hostname verification (recommended)
plugins.security.ssl.http.enforce_hostname_verification: true # Set to false only in development

# Enable SSL for transport communication if you're using multiple nodes
#plugins.security.ssl.transport.enabled: true
#plugins.security.ssl.transport.pemcert_filepath: /etc/ssl/certs/cert_XXX.de.crt
#plugins.security.ssl.transport.pemkey_filepath: /etc/ssl/private/private_XXX.de.pem
#plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/ssl/certs/intermediate_XXX.de.crt

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when
# xpack.security.http.ssl.client_authentication in OpenSearch is set to required.
# opensearch.ssl.certificate: /path/to/your/client.crt
# opensearch.ssl.key: /path/to/your/client.key

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your OpenSearch instance.
# opensearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
# opensearch.ssl.verificationMode: full

# Time in milliseconds to wait for OpenSearch to respond to pings. Defaults to the value of
# the opensearch.requestTimeout setting.
# opensearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or OpenSearch. This value
# must be a positive integer.
# opensearch.requestTimeout: 30000

# List of OpenSearch Dashboards client-side headers to send to OpenSearch. To send *no* client-side
# headers, set this value to [] (an empty list).
# opensearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to OpenSearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the opensearch.requestHeadersWhitelist configuration.
# opensearch.customHeaders: {}

# Time in milliseconds for OpenSearch to wait for responses from shards. Set to 0 to disable.
# opensearch.shardTimeout: 30000

# Logs queries sent to OpenSearch. Requires logging.verbose set to true.
# opensearch.logQueries: false

# Specifies the path where OpenSearch Dashboards creates the process ID file.
# pid.file: /var/run/opensearchDashboards.pid

# Enables you to specify a file where OpenSearch Dashboards stores log output.
# logging.dest: stdout

# Set the value of this setting to true to suppress all logging output.
# logging.silent: false

# Set the value of this setting to true to suppress all logging output other than error messages.
# logging.quiet: false

# Set the value of this setting to true to log all events, including system usage information
# and all requests.
logging.verbose: true

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
# ops.interval: 5000

# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
# i18n.locale: "en"

# Set the allowlist to check input graphite Url. Allowlist is the default check list.
# vis_type_timeline.graphiteAllowedUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite']

# Set the blocklist to check input graphite Url. Blocklist is an IP list.
# Below is an example for reference
# vis_type_timeline.graphiteBlockedIPs: [
#   //Loopback
#   '127.0.0.0/8',
#   '::1/128',
#   //Link-local Address for IPv6
#   'fe80::/10',
#   //Private IP address for IPv4
#   '10.0.0.0/8',
#   '172.16.0.0/12',
#   '192.168.0.0/16',
#   //Unique local address (ULA)
#   'fc00::/7',
#   //Reserved IP address
#   '0.0.0.0/8',
#   '100.64.0.0/10',
#   '192.0.0.0/24',
#   '192.0.2.0/24',
#   '198.18.0.0/15',
#   '192.88.99.0/24',
#   '198.51.100.0/24',
#   '203.0.113.0/24',
#   '224.0.0.0/4',
#   '240.0.0.0/4',
#   '255.255.255.255/32',
#   '::/128',
#   '2001:db8::/32',
#   'ff00::/8',
# ]
# vis_type_timeline.graphiteBlockedIPs: []

# opensearchDashboards.branding:
#   logo:
#     defaultUrl: ""
#     darkModeUrl: ""
#   mark:
#     defaultUrl: ""
#     darkModeUrl: ""
#   loadingLogo:
#     defaultUrl: ""
#     darkModeUrl: ""
#   faviconUrl: ""
#   applicationTitle: ""

# Set the value of this setting to true to capture region blocked warnings and errors
# for your map rendering services.
# map.showRegionBlockedWarning: false

# Set the value of this setting to false to suppress search usage telemetry
# for reducing the load of OpenSearch cluster.
# data.search.usageTelemetry.enabled: false

# 2.4 renames 'wizard.enabled: false' to 'vis_builder.enabled: false'
# Set the value of this setting to false to disable VisBuilder
# functionality in Visualization.
# vis_builder.enabled: false

# 2.4 New Experimental Feature
# Set the value of this setting to true to enable the experimental multiple data source
# support feature. Use with caution.
# data_source.enabled: false

# Set the value of these settings to customize crypto materials to encryption saved credentials
# in data sources.
# data_source.encryption.wrappingKeyName: 'changeme'
# data_source.encryption.wrappingKeyNamespace: 'changeme'
# data_source.encryption.wrappingKey: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

# 2.6 New ML Commons Dashboards Feature
# Set the value of this setting to true to enable the ml commons dashboards
# ml_commons_dashboards.enabled: false

# 2.12 New experimental Assistant Dashboards Feature
# Set the value of this setting to true to enable the assistant dashboards
# assistant.chat.enabled: false

opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false

mos@ubuntu:~$ sudo tail -n 50 /var/log/opensearch/opensearch.log
[sudo] password for mos:
[2025-04-09T16:53:53,577][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[.kibana_92668751_admin_1/gHuBm7_IRA-FG8_U2Jlt-Q]
[2025-04-09T16:53:53,595][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[.opendistro_security/5ehmEThTSvuKsV3lgl28Gg]
[2025-04-09T16:53:53,638][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,757][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,784][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,808][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[.opensearch-observability/p4JN4uPbR0WboWf2kixSmw]
[2025-04-09T16:53:53,814][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[.plugins-ml-config/KT-7qXtoTziP44f13gepLg]
[2025-04-09T16:53:53,821][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[.kibana_1/3n5_i8QyTGeRQYEFxiStnA]
[2025-04-09T16:53:53,839][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[security-auditlog-2025.04.03/nzSYbxRWRPa1WXFi_TYWgA]
[2025-04-09T16:53:53,863][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,886][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,916][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,932][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,948][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[.opensearch-sap-log-types-config/-nGA9_nZQ-GaasxqN350QA]
[2025-04-09T16:53:53,958][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:53,978][INFO ][o.o.c.r.a.AllocationService] [ubuntu] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.opensearch-sap-log-types-config][0]]]).
[2025-04-09T16:53:53,992][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:53:54,259][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Loading builtin types!
[2025-04-09T16:53:54,260][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Indexing [429] fieldMappingDocs from logTypes: 24
[2025-04-09T16:53:54,269][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Loading builtin types!
[2025-04-09T16:53:54,270][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Indexing [429] fieldMappingDocs from logTypes: 24
[2025-04-09T16:53:54,271][INFO ][o.o.s.i.DetectorIndexManagementService] [ubuntu] info deleteOldIndices
[2025-04-09T16:53:54,275][INFO ][o.o.s.i.DetectorIndexManagementService] [ubuntu] No Old Correlation Indices to delete
[2025-04-09T16:53:54,428][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Indexing [429] fieldMappingDocs
[2025-04-09T16:53:54,430][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Indexing [429] fieldMappingDocs
[2025-04-09T16:53:54,856][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Loaded [429] field mapping docs successfully!
[2025-04-09T16:53:54,858][INFO ][o.o.s.l.LogTypeService ] [ubuntu] Loaded [429] field mapping docs successfully!
[2025-04-09T16:53:54,909][INFO ][o.o.s.i.DetectorIndexManagementService] [ubuntu] info deleteOldIndices
[2025-04-09T16:53:54,909][INFO ][o.o.s.i.DetectorIndexManagementService] [ubuntu] No Old Finding Indices to delete
[2025-04-09T16:53:54,915][INFO ][o.o.p.PluginsService ] [ubuntu] PluginService:onIndexModule index:[validate-template-k4ujypymthc4moxug1ijvq/WIRq2I9qTG2hT_JI7T0yrQ]
[2025-04-09T16:53:54,919][INFO ][o.o.s.i.DetectorIndexManagementService] [ubuntu] info deleteOldIndices
[2025-04-09T16:53:54,920][INFO ][o.o.s.i.DetectorIndexManagementService] [ubuntu] No Old Alert Indices to delete
[2025-04-09T16:53:54,928][INFO ][o.o.c.m.MetadataIndexTemplateService] [ubuntu] updating index template [tenant_template] for index patterns [.kibana_-_, .kibana_0*, .kibana_1, .kibana_2, .kibana_3, .kibana_4, .kibana_5, .kibana_6, .kibana_7, .kibana_8, .kibana_9*]
[2025-04-09T16:53:54,955][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [ubuntu] Detected cluster change event for destination migration
[2025-04-09T16:54:03,254][INFO ][o.o.m.a.MLModelAutoReDeployer] [ubuntu] Index not found, not performing auto reloading!
[2025-04-09T16:54:03,255][INFO ][o.o.m.c.MLCommonsClusterManagerEventListener] [ubuntu] Starting ML sync up job…
[2025-04-09T16:54:13,264][INFO ][o.o.m.c.MLSyncUpCron ] [ubuntu] ML configuration already initialized, no action needed
[2025-04-09T16:54:53,247][INFO ][o.o.i.i.ManagedIndexCoordinator] [ubuntu] Performing move cluster state metadata.
[2025-04-09T16:54:53,248][INFO ][o.o.i.i.MetadataService ] [ubuntu] ISM config index not exist, so we cancel the metadata migration job.
[2025-04-09T16:55:53,247][INFO ][o.o.i.i.ManagedIndexCoordinator] [ubuntu] Cancel background move metadata process.
[2025-04-09T16:55:53,248][INFO ][o.o.i.i.ManagedIndexCoordinator] [ubuntu] Performing move cluster state metadata.
[2025-04-09T16:55:53,248][INFO ][o.o.i.i.MetadataService ] [ubuntu] Move metadata has finished.
[2025-04-09T16:58:53,107][INFO ][o.o.j.s.JobSweeper ] [ubuntu] Running full sweep
[2025-04-09T16:58:53,251][INFO ][o.o.i.i.PluginVersionSweepCoordinator] [ubuntu] Canceling sweep ism plugin version job
[2025-04-09T17:03:53,108][INFO ][o.o.j.s.JobSweeper ] [ubuntu] Running full sweep
[2025-04-09T17:08:53,109][INFO ][o.o.j.s.JobSweeper ] [ubuntu] Running full sweep
[2025-04-09T17:10:47,955][INFO ][o.o.n.Node ] [ubuntu] stopping …
[2025-04-09T17:10:47,988][INFO ][o.o.n.Node ] [ubuntu] stopped
[2025-04-09T17:10:47,988][INFO ][o.o.n.Node ] [ubuntu] closing …
[2025-04-09T17:10:48,000][INFO ][o.o.n.Node ] [ubuntu] closed

mos@ubuntu:~$ sudo tail -n 50 /var/log/opensearch-dashboards/opensearch-dashboards.log
tail: cannot open ‘/var/log/opensearch-dashboards/opensearch-dashboards.log’ for reading: No such file or directory

Hi @SoEgal,

Could you elaborate more on what you are trying to configure?
Are you trying to configure TLS for OpenSearch Dashboards?

If so, have you looked here:

Pay attention to the following:

server.ssl.enabled: true
server.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem

best,
mj

I'm trying to set all the security configurations.
I tested all installations without TLS, but now it's time for the security.

I'm fighting with the AI right now and saw that I also have to configure OpenSearch.

plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem

Okay, I think I can do that.

But why don't I have a log file for the dashboard? (I'm thinking about installing it again.)

I don't understand the documentation. I don't know why, but this is too much for me. I think I don't need all these settings, because I asked the AI for the standard configuration, to use OpenSearch basically and only take a look at the dashboard to optimize the SEO for Google.

I have:

server.ssl.enabled: true
server.ssl.certificate: /etc/ssl/certs/cert_XXX.de.crt
server.ssl.key: /etc/ssl/private/private_XXX.de.pem

I’ll look for:

server.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
server.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem

Or is this the same in a different folder?
PS: I use the certificate for the server. The AI said I can use it too, or do I need a different one?

Thanks for your answer.

Hi @SoEgal,

To start with, I would suggest ignoring your AI and reviewing and understanding the following:

The above will explain everything from “how to generate certificates” to “how to configure your cluster”.

Best,
mj

Thanks, I’ll do it.

Hello @Mantas,

I generated the self-signed certificate and used a folder I created for it, so I can find it later.
Now I want to generate the admin certificate, but here I read it has to be saved in

../config

Name: plugins.security.ssl.transport.pemkey_filepath
Description: Path to the certificate's key file (PKCS #8), which must be under the config directory, specified using a relative path. Required.

If I look at the sample data, it is saved under ../security/config

This folder doesn't exist; OK, I can create it. No problem, but why can't I save it in the folder I have for my certificates, or can I use that too?

I created opensearch/opensearch-certs.

Hope, you can help me. Thank you.

After some time to understand what to do, I have a question about how to edit the script.
What do I have to set for CN?

Is it, for example, CN=mywebsite(dot)com etc.?
And for the admin, my name?

-subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=root.dns.a-record"
-subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1.dns.a-record"
-subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=client.dns.a-record"
admin-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=A"

I think I also have to edit this part.

echo 'subjectAltName=DNS:node2.dns.a-record' > node2.ext

Thank you.

@SoEgal The values can be anything if you are not using hostname verification, which I would recommend you turn off while testing this, and later turn on once you have everything else configured.

The -subj can be anything, for example: “/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=root”
“/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1”
“/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=client”
“/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=admin”

But you need to configure opensearch to accept the relevant CNs, using:

plugins.security.nodes_dn:

and

plugins.security.authcz.admin_dn:
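The reply above covers the two halves of the procedure: generate a CA, node and admin certificate with openssl, then tell OpenSearch which DNs to accept. The script below is an added example, not code from the thread or from the OpenSearch project, that does both in one place. The detail that trips people up is the DN order: `openssl req -subj` takes the components with C first, but `plugins.security.nodes_dn` and `plugins.security.authcz.admin_dn` must be given the RFC 2253 form (CN first, comma separated), which is what `openssl x509 -subject -nameopt RFC2253` prints. The subjects, the hostname `node1.example.internal` and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSearch project.
# Generates a root CA, one node certificate (with a SAN, so hostname
# verification can be switched on later) and one admin client certificate,
# then prints each DN in the order OpenSearch expects for
# plugins.security.nodes_dn and plugins.security.authcz.admin_dn.
# All subjects, the hostname and the output directory are assumptions.
set -eu

ROOT_SUBJ="/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=root"
NODE_SUBJ="/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1"
ADMIN_SUBJ="/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=admin"
NODE_HOST="node1.example.internal"   # assumed DNS name; goes into the node SAN

# OpenSearch matches DNs in RFC 2253 form (CN first), the reverse of the
# slash-separated -subj string. Turns "/C=CA/.../CN=admin" into
# "CN=admin,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA" without calling openssl.
subj_to_dn() {
  printf '%s\n' "$1" | tr '/' '\n' | sed '/^$/d' | sed -n '1!G;h;$p' | paste -s -d , -
}

# Reads the subject back out of a certificate in that same RFC 2253 form;
# this string, not the -subj string, is what belongs in opensearch.yml.
cert_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Body runs in a subshell so the cd does not leak into the caller.
gen_certs() (
  mkdir -p "$1" && cd "$1"
  # Root CA, self-signed. Keep root-ca-key.pem off the node in production.
  openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
  openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "$ROOT_SUBJ" -days 730 -out root-ca.pem
  # Node cert: key converted to PKCS#8 (pemkey_filepath requires it) and a SAN
  # carrying the DNS name, which enforce_hostname_verification will check.
  openssl genrsa -out node1-key-temp.pem 2048 2>/dev/null
  openssl pkcs8 -topk8 -nocrypt -in node1-key-temp.pem -out node1-key.pem
  openssl req -new -key node1-key.pem -subj "$NODE_SUBJ" -out node1.csr
  printf 'subjectAltName=DNS:%s\n' "$NODE_HOST" > node1.ext
  openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
    -sha256 -days 730 -extfile node1.ext -out node1.pem
  # Admin cert: a client certificate for securityadmin.sh. Its DN must be
  # listed in admin_dn and must not also appear in nodes_dn.
  openssl genrsa -out admin-key-temp.pem 2048 2>/dev/null
  openssl pkcs8 -topk8 -nocrypt -in admin-key-temp.pem -out admin-key.pem
  openssl req -new -key admin-key.pem -subj "$ADMIN_SUBJ" -out admin.csr
  openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
    -sha256 -days 730 -out admin.pem
  rm -f node1-key-temp.pem admin-key-temp.pem node1.csr admin.csr node1.ext
)

# Usage: sh gen-certs.sh ./opensearch-certs
if [ $# -eq 1 ]; then
  gen_certs "$1"
  echo "plugins.security.nodes_dn: ['$(cert_dn "$1/node1.pem")']"
  echo "plugins.security.authcz.admin_dn: ['$(cert_dn "$1/admin.pem")']"
fi
```

The two echo lines are the ones to paste into opensearch.yml. Once hostname verification is switched back on, `opensearch.hosts` in opensearch_dashboards.yml has to use the name in the SAN rather than an IP address, or the Dashboards backend will fail to connect.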

Thanks @Anthony,

for this answer. It helps, and after the configuration it now works.
So, as you said, I understand it.

At the moment, I still fight with SSL for the Dashboard.

I configured the opensearch_dashboards.yml.
I don't understand it and can't open the dashboard site if I try to configure it.
Unsecured, I can open it.

# OpenSearch Dashboards is served by a back end server. This setting specifies the port to use.
server.port: 5601

# Specifies the address to which the OpenSearch Dashboards server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "0.0.0.0"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser.
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch/client.pem
server.ssl.key: /etc/opensearch/client-key.pem

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when
# xpack.security.http.ssl.client_authentication in OpenSearch is set to required.
opensearch.ssl.certificate: /etc/opensearch/client.pem
opensearch.ssl.key: /etc/opensearch/client-key.pem

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your OpenSearch instance.
opensearch.ssl.certificateAuthorities: [ "/etc/opensearch/root-ca.pem" ]

opensearch.hosts: [https://0.0.0.0:9200]
# opensearch.ssl.verificationMode: none
opensearch.username: admin
opensearch.password: MYPASSWORD
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
# opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: true

Thanks a lot.

@SoEgal as a starting point I would remove the SSL validation; you can add this once everything is working.

Also, the user should not be admin; by default there is already a built-in user kibanaserver, with password "kibanaserver".

Therefore your opensearch_dashboards.yml file should look like this:

server.port: 5601
server.host: "0.0.0.0"

server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch/client.pem
server.ssl.key: /etc/opensearch/client-key.pem

opensearch.hosts: [https://0.0.0.0:9200]

opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

Can you confirm this works? Or what is the error you are seeing?

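The answer above is a bring-up configuration: `verificationMode: none` and a plain `0.0.0.0` host get the dashboard talking to OpenSearch, but each one has to be reverted before the server is exposed. The script below is an added example, not code from the thread or from the OpenSearch project: a small lint over the flat `key: value` lines of opensearch_dashboards.yml that flags those shortcuts, with the bring-up file from this thread and a hardened version of it embedded as constructed samples. Indented YAML lists are ignored; the path `/etc/opensearch/root-ca.pem` and the hostname `node1.example.internal` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSearch project.
# Lints the flat "key: value" lines of an opensearch_dashboards.yml for the
# bring-up shortcuts discussed in the thread. Prints one line per finding;
# the return code is the number of findings. Indented lists are skipped.

lint_dashboards_yml() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
    /^[A-Za-z_.]+:/ {                                 # top-level key: value only
      key = $1; sub(/:$/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      sub(/[ \t]+#.*$/, "", val)                      # drop trailing comment
      cfg[key] = val
    }
    END {
      n = 0
      vm = cfg["opensearch.ssl.verificationMode"]    # absent means full
      if (vm != "" && vm != "full") {
        print "opensearch.ssl.verificationMode is " vm ": Dashboards does not verify the OpenSearch certificate (bring-up only)"; n++
      }
      if (vm != "none" && cfg["opensearch.ssl.certificateAuthorities"] == "") {
        print "certificate verification is on but opensearch.ssl.certificateAuthorities does not point at root-ca.pem"; n++
      }
      hosts = cfg["opensearch.hosts"]
      if (hosts ~ /http:\/\//) {
        print "opensearch.hosts uses http:// but the security plugin serves https"; n++
      }
      if (hosts ~ /0\.0\.0\.0/) {
        print "opensearch.hosts uses 0.0.0.0, a bind address; use the DNS name in the node certificate SAN"; n++
      }
      if (cfg["opensearch.username"] == "admin") {
        print "opensearch.username is admin: the Dashboards backend should use the limited kibanaserver user"; n++
      }
      if (cfg["server.ssl.enabled"] == "true" && cfg["opensearch_security.cookie.secure"] == "false") {
        print "opensearch_security.cookie.secure is false although server.ssl.enabled is true"; n++
      }
      exit n
    }' "$1"
}

# Constructed sample: the bring-up file from the thread, with the admin user
# and insecure cookie that were still in the first posted config.
weak_config() {
  cat <<'EOF'
server.port: 5601
server.host: "0.0.0.0"
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch/client.pem
server.ssl.key: /etc/opensearch/client-key.pem
opensearch.hosts: [https://0.0.0.0:9200]
opensearch.ssl.verificationMode: none
opensearch.username: admin
opensearch.password: MYPASSWORD
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.cookie.secure: false
EOF
}

# Constructed sample: the same file hardened. node1.example.internal is an
# assumed hostname that must match the SAN of the node certificate.
fixed_config() {
  cat <<'EOF'
server.port: 5601
server.host: "0.0.0.0"
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch/client.pem
server.ssl.key: /etc/opensearch/client-key.pem
opensearch.hosts: [https://node1.example.internal:9200]
opensearch.ssl.verificationMode: full
opensearch.ssl.certificateAuthorities: ["/etc/opensearch/root-ca.pem"]
opensearch.username: kibanaserver
opensearch.password: CHANGE-ME   # set after replacing the demo password
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.cookie.secure: true
EOF
}

# Usage: sh lint-dashboards.sh /etc/opensearch-dashboards/opensearch_dashboards.yml
if [ $# -eq 1 ]; then
  lint_dashboards_yml "$1" || echo "$? finding(s)"
fi
```

Run it against the bring-up file and it reports four findings; against the hardened sample it reports none. The `certificateAuthorities` check matters because the thread's final config lists root-ca.pem while still setting `verificationMode: none`, so the CA file is read but never used.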

@Anthony thanks a lot.

Now all is running, but something went wrong. I think SSL is not working right.
What I did:

First I added an opensearch_dashboards.yml in /usr/share/opensearch-dashboards/, because I couldn't start Dashboards from
/etc/opensearch-dashboards/opensearch_dashboards.yml

sudo mkdir -p /usr/share/opensearch-dashboards/config
sudo nano /usr/share/opensearch-dashboards/config/opensearch_dashboards.yml

It's running on SSL port 9243.

server.port: 5601
server.host: "0.0.0.0"

server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch/client.pem
server.ssl.key: /etc/opensearch/client-key.pem

opensearch.ssl.certificateAuthorities: ["/etc/opensearch/root-ca.pem"]

opensearch.hosts: [https://MY-IP-ADDRESS:9243]

opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

opensearch.yml

####################### Configuration #######################
#
# ---------------------------------- Network -----------------------------------
network.host: 0.0.0.0
http.port: 9243
#
# ----------------------------------- Paths -------------------------------------
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
#
# --------------------------------- Discovery ----------------------------------
discovery.type: single-node
#
# ---------------------------------- max nodes ---------------------------------
node.max_local_storage_nodes: 3
#
# ---------------------------------- Security ----------------------------------
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/node1.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem
# Optional: enforce hostname verification (recommended to enable once the certificates are correct)
plugins.security.ssl.transport.enforce_hostname_verification: false
#
# Transport SSL (communication between nodes)
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/node1.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem
#
# Security settings
plugins.security.disabled: false
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices:
  - .plugins-ml-config
  - .plugins-ml-connector
  - .plugins-ml-model-group
  - .plugins-ml-model
  - .plugins-ml-task
  - .plugins-ml-conversation-meta
  - .plugins-ml-conversation-interactions
  - .plugins-ml-memory-meta
  - .plugins-ml-memory-message
  - .opendistro-alerting-config
  - .opendistro-alerting-alert*
  - .opendistro-anomaly-results*
  - .opendistro-anomaly-detector*
  - .opendistro-anomaly-checkpoints
  - .opendistro-anomaly-detection-state
  - .opendistro-reports-*
  - .opensearch-notifications-*
  - .opensearch-notebooks
  - .opensearch-observability
  - .ql-datasources
  - .opendistro-asynchronous-search-response*
  - .replication-metadata-store
  - .opensearch-knn-models
  - .geospatial-ip2geo-data*
  - .plugins-flow-framework-config
  - .plugins-flow-framework-templates
  - .plugins-flow-framework-state
#
plugins.security.allow_default_init_securityindex: true
#
plugins.security.authcz.admin_dn: ['CN=ADMIN,OU=xxx,O=xxx,L=xxx,ST=xxx,C=xx']
#
plugins.security.nodes_dn: ['CN=node1.xxx,OU=xxx,O=xxx,L=xxx,ST=xxx,C=xx']
#
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
#
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
####################### End Configuration #######################

I don’t know why, but I don’t have an error log in /var/log/opensearch-dashboards/.
If I start opensearch-dashboards in the terminal, I get some errors and warnings.

mos@ubuntu:~$ /usr/share/opensearch-dashboards/bin/opensearch-dashboards
  log   [08:17:11.151] [info][plugins-service] Plugin "dataSourceManagement" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]
  log   [08:17:11.157] [info][plugins-service] Plugin "dataSource" is disabled.
  log   [08:17:11.158] [info][plugins-service] Plugin "visTypeXy" is disabled.
  log   [08:17:11.197] [warning][config][deprecation] "opensearch.requestHeadersWhitelist" is deprecated and has been replaced by "opensearch.requestHeadersAllowlist"
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
  log   [08:17:11.380] [info][plugins-system] Setting up [52] plugins: [usageCollection,opensearchDashboardsUsageCollection,mapsLegacy,opensearchDashboardsLegacy,share,opensearchUiShared,embeddable,legacyExport,expressions,data,securityAnalyticsDashboards,home,apmOss,savedObjects,reportsDashboards,searchRelevanceDashboards,dashboard,mlCommonsDashboards,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,anomalyDetectionDashboards,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,queryWorkbenchDashboards,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,assistantDashboards,observabilityDashboards,bfetch]
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
  log   [08:17:11.754] [info][savedobjects-service] Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations...
  log   [08:17:11.816] [info][savedobjects-service] Starting saved objects migrations
  log   [08:17:11.888] [warning][cross-compatibility-service] Starting cross compatibility service
  log   [08:17:11.889] [info][plugins-system] Starting [52] plugins: [usageCollection,opensearchDashboardsUsageCollection,mapsLegacy,opensearchDashboardsLegacy,share,opensearchUiShared,embeddable,legacyExport,expressions,data,securityAnalyticsDashboards,home,apmOss,savedObjects,reportsDashboards,searchRelevanceDashboards,dashboard,mlCommonsDashboards,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,anomalyDetectionDashboards,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,queryWorkbenchDashboards,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,assistantDashboards,observabilityDashboards,bfetch]
  log   [08:17:12.095] [info][listening] Server running at https://0.0.0.0:5601
  log   [08:17:12.330] [info][server][OpenSearchDashboards][http] http server running at https://0.0.0.0:5601
 error  [08:17:52.929] [error][client][connection] Error: 40CCA85101780000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46

[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
 error  [08:17:53.333] [error][client][connection] Error: 40CCA85101780000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46

 error  [08:17:53.387] [error][client][connection] Error: 40CCA85101780000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46

 error  [08:17:53.401] [error][client][connection] Error: 40CCA85101780000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46

 error  [08:17:53.808] [error][client][connection] Error: 40CCA85101780000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46

 error  [08:17:53.819] [error][client][connection] Error: 40CCA85101780000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46

[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead

I don’t understand why I can’t use the user data from OpenSearch. It isn’t running with it, only with kibanaserver, but I have to log into the dashboard with my data “admin and MYPASS”, which I set during installation.

sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=MYPASS apt-get install opensearch=2.12.0

I have made all certificates and keys from the docs with the same names. Did I not link the right one?

[Generating self-signed certificates - OpenSearch Documentation]

It would be good if it works for production, not just for testing. I only want to use it as a user for Magento2 commerce. It should work before installing Magento.


I know this is a lot of information, but I hope it is all that’s needed to fix my problems.

Thank you very much in advance.

Can you remove the line opensearch.ssl.certificateAuthorities: ["/etc/opensearch/root-ca.pem"] from the dashboards.yml file?

Regarding admin user vs kibanaserver: the kibanaserver user is the user dashboards needs to access OpenSearch with; it’s mapped to the relevant permissions out of the box. The admin user is the actual user that can log in and do all the actions.

Can you confirm that after making that change to dashboards.yml file, you are still unable to access dashboards?

If so, are you able to access opensearch using curl with admin user?

curl -k -XGET https://<IP>:9243 -uadmin:<password>


@Anthony thank you I did it.

mos@ubuntu:~$ curl -k -XGET https://XXX.XXX.XXX.X:9243 -uadmin:XXXXXXXXXX
{
  "name" : "ubuntu",
  "cluster_name" : "opensearch",
  "cluster_uuid" : "pMHGwTWAR72wxVAmySbz8g",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.12.0",
    "build_type" : "deb",
    "build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
    "build_date" : "2024-02-20T02:18:31.541484890Z",
    "build_snapshot" : false,
    "lucene_version" : "9.9.2",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

If I open the dashboard in the browser I get these errors in the terminal.
I don’t know if this is normal, because I use OpenSSL certificates?

 error  [10:04:46.216] [error][client][connection] Error: 407C4820E4700000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46

 error  [10:04:46.601] [error][client][connection] Error: 407C4820E4700000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46

 error  [10:04:46.648] [error][client][connection] Error: 407C4820E4700000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46

 error  [10:04:46.652] [error][client][connection] Error: 407C4820E4700000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46

 error  [10:04:47.118] [error][client][connection] Error: 407C4820E4700000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46

 error  [10:04:47.126] [error][client][connection] Error: 407C4820E4700000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46

Kind regards.

But is dashboards working as expected?

I think so.

Should I change this setting?

log   [10:04:22.642] [warning][config][deprecation] "opensearch.requestHeadersWhitelist" is deprecated and has been replaced by "opensearch.requestHeadersAllowlist"

Yes, that setting is deprecated and should be changed, but the cluster will perform as normal until that is done, just additional logs.

The errors in the logs are most likely the result of not validating the certificates. You can configure this as part of your next steps if necessary. But glad it’s working for you.
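The "certificate unknown" errors above are what a client sends when it cannot validate the server certificate. As an added example, not from this thread or from the OpenSearch project, the script below builds a constructed root CA and node certificate (same file names as in the thread, made-up hostname node1.example.test), then checks the chain and the SAN the way a validating client would; it assumes the openssl CLI is installed, and verificationMode: full in the trailing comment is the value to use instead of none once that check passes.

```shell
#!/bin/sh
# Added example, not from the thread: check offline whether a node certificate
# would be accepted by a validating client. A client that cannot chain the
# certificate to a CA it trusts aborts the handshake with "alert certificate
# unknown" (SSL alert 46). Needs the openssl CLI (1.1.1+). Names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=node1.example.test   # constructed hostname that goes into the SAN

# Throwaway PKI with the file names used in the thread (root-ca.pem, node1.pem,
# node1-key.pem) plus an unrelated CA; a private config file is used so the
# result does not depend on the system openssl.cnf.
make_pki() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > "$WORK/pki.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n[leaf]\n' >> "$WORK/pki.cnf"
  printf 'subjectAltName=DNS:%s,IP:127.0.0.1\n' "$HOST" >> "$WORK/pki.cnf"
  for ca in root-ca other-ca; do   # other-ca stands in for a client that never saw root-ca
    openssl req -x509 -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=$ca" -keyout "$WORK/$ca-key.pem" -out "$WORK/$ca.pem" 2>/dev/null
  done
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/node1-key.pem" -out "$WORK/node1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/node1.csr" -CA "$WORK/root-ca.pem" \
    -CAkey "$WORK/root-ca-key.pem" -CAcreateserial -extfile "$WORK/pki.cnf" \
    -extensions leaf -out "$WORK/node1.pem" 2>/dev/null
}

# verify_chain CA CERT HOST: succeeds only when CERT chains to CA and HOST is one
# of its SAN names, which is what opensearch.ssl.verificationMode: full enforces.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -checkhost "$3" 2>/dev/null | grep -q 'does match'
}

make_pki
for probe in "root-ca.pem $HOST" "other-ca.pem $HOST" "root-ca.pem localhost"; do
  set -- $probe
  if verify_chain "$WORK/$1" "$WORK/node1.pem" "$2"; then
    echo "trusted:  CA $1, host $2"
  else
    echo "rejected: CA $1, host $2  (a validating client refuses the handshake)"
  fi
done
# Dashboards side once the chain verifies (keys as used in the thread):
#   opensearch.ssl.certificateAuthorities: ["/etc/opensearch/root-ca.pem"]
#   opensearch.ssl.verificationMode: full      # instead of none
#   opensearch.hosts: [https://node1.example.test:9243]   # must be a SAN name
```

The third probe shows why opensearch.hosts must name the host as it appears in the certificate's SAN: a correct CA with the wrong hostname is still rejected.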

Thank you very much.
You helped me to understand the configuration a little bit. 🙃

OK. Now I changed it and this warning is gone.

I’ll check Let’s Encrypt for validated certificates in the future, but first I just thought I could check the permissions again. Otherwise I don’t know what’s wrong with the certificates.

Thank you so much and have a nice day.