SSL doesn't work

Opensearch 3.0 - Dashboard 3.0

I'm working for a customer; my cluster is composed of 3 master and 9 data nodes. I set a basic configuration in opensearch.yml (I disabled the security plugin) and the cluster works. I tried a curl: curl -XGET http://localhost:9200/_cat/nodes, and I see all my nodes in the cluster.

Today the customer gave me the certificate signed by the company CA. I updated the configuration, but when I try to do a curl using HTTPS I get this response: OpenSearch Security not initialized

cluster.name: opensearch
node.name: opensearch-master-01
node.roles: [ cluster_manager ]
network.host: 0.0.0.0

path.data: "/mnt/opensearch"
path.logs: "/var/log/opensearch"

discovery.seed_hosts: ["10.174.110.159", "10.174.110.149", "10.174.110.124"]
#cluster.initial_cluster_manager_nodes: ["10.174.110.159", "10.174.110.149", "10.174.110.124"]

plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/certs/vmgclalte1757.syssede.systest.cer
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/certs/vmgclalte1757.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/certs/CA_Enhanced.pem

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/certs/vmgclalte1757.syssede.systest.cer
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/certs/vmgclalte1757.key
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/certs/CA_Enhanced.pem

bootstrap.system_call_filter: false

I tried to run the security plugin script with the certificate, key and CA, but I got the following error

Security Admin v7
Will connect to localhost:9200 ... done
ERR: An unexpected ConnectionClosedException occured: Connection is closed
Trace:
org.apache.hc.core5.http.ConnectionClosedException: Connection is closed
        at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:1331)
        at org.opensearch.client.RestClient.performRequest(RestClient.java:371)
        at org.opensearch.client.RestClient.performRequest(RestClient.java:359)
        at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:541)
        at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:154)
Caused by: org.apache.hc.core5.http.ConnectionClosedException: Connection is closed
        at org.apache.hc.core5.http2.impl.nio.AbstractH2StreamMultiplexer.onException(AbstractH2StreamMultiplexer.java:668)
        at org.apache.hc.core5.http2.impl.nio.AbstractH2IOEventHandler.exception(AbstractH2IOEventHandler.java:91)
        at org.apache.hc.core5.http2.impl.nio.ClientH2IOEventHandler.exception(ClientH2IOEventHandler.java:39)
        at org.apache.hc.core5.reactor.ssl.SSLIOSession$1.exception(SSLIOSession.java:245)
        at org.apache.hc.core5.reactor.InternalDataChannel.onException(InternalDataChannel.java:181)
        at org.apache.hc.core5.reactor.InternalChannel.handleIOEvent(InternalChannel.java:55)
        at org.apache.hc.core5.reactor.SingleCoreIOReactor.processEvents(SingleCoreIOReactor.java:176)
        at org.apache.hc.core5.reactor.SingleCoreIOReactor.doExecute(SingleCoreIOReactor.java:125)
        at org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(AbstractSingleCoreIOReactor.java:92)
        at org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44)
        at java.base/java.lang.Thread.run(Thread.java:1583)

Can someone help me, please?

Hi @abarocco,

Can you maybe check one of the master logs to see if you have a related error?

Another thing - it might be nothing but are you using a YAML file for the OpenSearch configuration? If yes, can you please try to have the security snippet in the following format?

...

plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: <path>
        pemkey_filepath: <path>
        pemtrustedcas_filepath: <path>
      http:
        enabled: true
        pemcert_filepath: <path>
        pemkey_filepath: <path>
        pemtrustedcas_filepath: <path>

...

Hello @paksydavid

Thanks for the help. I updated the yaml config with your format and it still behaves the same as with mine.

These are the master logs

[2025-05-20T15:30:19,270][WARN ][i.n.c.AbstractChannelHandlerContext] [opensearch-master-01] An exception 'OpenSearchSecurityException[The provided TCP channel is invalid.]; nested: DecoderException[javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown]; nested: SSLHandshakeException[Received fatal alert: certificate_unknown];' [enable DEBUG level for full stacktrace] was thrown by a user handler's exceptionCaught() method while handling the following exception:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868) ~[?:?]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[?:?]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796) ~[?:?]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697) ~[?:?]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660) ~[?:?]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[?:?]
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998) ~[?:?]
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]
        at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:370) ~[?:?]
        at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:287) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:209) ~[?:?]
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482) ~[?:?]
        at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679) ~[?:?]
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:309) ~[?:?]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1485) ~[?:?]
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1378) ~[?:?]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1427) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[?:?]
        ... 16 more
[2025-05-20T15:30:19,293][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-master-01] Wait for cluster to be available ...

And I also have

[2025-05-20T15:44:18,121][WARN ][i.n.c.AbstractChannelHandlerContext] [opensearch-master-01] An exception 'OpenSearchSecurityException[The provided TCP channel is invalid.]; nested: DecoderException[javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS client authentication]; nested: SSLHandshakeException[Extended key usage does not permit use for TLS client authentication]; nested: ValidatorException[Extended key usage does not permit use for TLS client authentication];' [enable DEBUG level for full stacktrace] was thrown by a user handler's exceptionCaught() method while handling the following exception:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS client authentication
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868) ~[?:?]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[?:?]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796) ~[?:?]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697) ~[?:?]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660) ~[?:?]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[?:?]
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998) ~[?:?]
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]
        at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS client authentication
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:383) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkClientCerts(CertificateMessage.java:1263) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1167) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1144) ~[?:?]
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1273) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?]
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:714) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205) ~[?:?]
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1691) ~[?:?]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1537) ~[?:?]
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1378) ~[?:?]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1427) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[?:?]
        ... 16 more
Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
        at java.base/sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:246) ~[?:?]
        at java.base/sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:151) ~[?:?]
        at java.base/sun.security.validator.Validator.validate(Validator.java:269) ~[?:?]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284) ~[?:?]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:138) ~[?:?]
        at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkClientTrusted(EnhancingX509ExtendedTrustManager.java:62) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkClientCerts(CertificateMessage.java:1241) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1167) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1144) ~[?:?]
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1273) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?]
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:714) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205) ~[?:?]
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1691) ~[?:?]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1537) ~[?:?]
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1378) ~[?:?]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1427) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[?:?]
        ... 16 more

@paksydavid Hi, is it possible that the problem is that my certificate needs EKU clientAuth, but currently has serverAuth?

So I have to create my certificate again?
I see this topic: Certificate configuration Error - #3 by Spagedicode

I would also like to tell you that I do not have the admin certificate because I do not want the security features to be affected by the securityadmin_demo.sh

In fact I also added these parameters in the configuration to manage them autonomously from the UI

plugins.security.allow_default_init_securityindex: true
plugins.security.restapi.roles_enabled: ["all_access"]

Hi @abarocco,

According to Configuring TLS certificates - OpenSearch Documentation you'll need an X.509 PEM certificate for plugins.security.ssl.transport.pemcert_filepath and plugins.security.ssl.http.pemcert_filepath; however, as I see it, you have a .cer file, which is in a different (DER) format.

As I understand, you can convert your DER file (.crt .cer .der) to PEM with openssl:

openssl x509 -inform der -in certificate.cer -out certificate.pem

and then configure the pem file instead. Can you please try this?

Yes, I believe you are on the right track with this.

Could not find certificate from vmgclalte1757.syssede.systest.cer.

My certificate is a correct X.509 PEM; it's just the name that ends with .cer
I can verify that with

less vmgclalte1757.syssede.systest.cer

and I see the first line

-----BEGIN CERTIFICATE-----


Ok, thank you so much. Tomorrow I will try with the new certs, then I will update you.

Best Regards
Andrea


@abarocco If this is the first time you’ve started the cluster with an enabled security configuration, then you’ll need to initialize the security plugin with securityadmin.sh

Regarding the securityadmin.sh, you must use the superadmin certificate defined in the admin_dn of opensearch.yml. That certificate must have only Client Authentication EKU.

Please also be aware that in a production environment you must define the list of node DNs to allow for secured node communication.


Hello @pablo, yes, this is the first time I started the cluster. My goal was to not use securityadmin but to manage the role mapping/access etc. myself, so I've decided to put this in opensearch.yml

plugins.security.allow_default_init_securityindex: true
plugins.security.restapi.roles_enabled: ["all_access"]

Is it correct?

Best Regards
Andrea

@paksydavid Hi, can you help me?

Now my certificate has both Server and Client Auth.
But I have the same error.

Is it correct to use the same certificate for transport and HTTPS security?

I've put the certificate just on master01; do I have to configure all the nodes first?

I cannot solve this problem

Andrea

This is correct, but since you're not using the demo configuration, you must initialize the security configuration with securityadmin.sh

Yes, you can use the same cert for both.

Certificate configuration must be kept the same across all of the nodes in the cluster. Once you enable the security plugin, all nodes will require certificates to communicate with each other.
You can’t run nodes in the mixed secured/unsecured mode.


Ok thanks @pablo but tell me if this is correct.

Step 1: Configure all the certificates on all the nodes

Step 2: Is it right to have that logged on a single node? I expected that even if I configured only 1 node with security, at least in the logs I would see something different logged

I have 1 certificate specific to each node. Example: node1.pem → datanode1, node2.pem → datanode2, etc.

For this setting:
plugins.security.authcz.admin_dn:
  - "CN=node1,OU=IS,O=IS,L=Torino,ST=Torino,C=IT"

How do I configure that? I don't have an admin certificate; can I use one of my nodes for the script? Or do I have to create one admin certificate with all my CNs = node1, node2, node3, node4, etc.?

Step 3: run securityadmin.sh

My concern is that the certificate I inserted before launching the script does not work, because even though I configured it on a master and restarted the service I get the same log:

[The provided TCP channel is invalid.]; nested: DecoderException[javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS client authentication]; nested: SSLHandshakeException[Extended key usage does not permit use for TLS client authentication]; nested: ValidatorException[Extended key usage does not permit use for TLS client authentication];' [enable DEBUG level for full stacktrace] was thrown by a user handler's exceptionCaught() method while handling the following exception:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS client authentication

Andrea

@pablo and if I have to create an admin certificate, how do I configure the certificate?

My node certificates are signed by a custom CA. Can I use a self-signed cert? Or does the admin cert have to be signed by the same CA as the nodes?

Do I have to use some * wildcards?

I don’t understand how admin certificate work.

Hi @abarocco,

I think you can create a self-signed admin certificate, but I'm not sure if it will work with your other certs. As far as I understand, all certificates have to be signed by the same CA.

See:

Also, as I saw, it is not supported to use a node certificate as an admin certificate. This actually worked for me with OpenSearch 2.18, but it gave an ERROR that it is not supported anymore.

For how to configure the admin cert please see:

@paksydavid OK, I will try.

But I don't understand what information I have to configure in the admin certificate.

@abarocco as far as I understand, you can configure whatever subject you want in your admin certificate. It just has to match what you configure for plugins.security.authcz.admin_dn in your opensearch.yml file.

I created a new admin certificate. Now my opensearch.yml looks like this:

cluster.name: opensearch-moncalieri
node.name: opensearch-master-01
node.roles: [ cluster_manager ]
network.host: 0.0.0.0

path.data: "/mnt/opensearch"
path.logs: "/var/log/opensearch"

discovery.seed_hosts: ["10.174.110.159", "10.174.110.149", "10.174.110.124"]
cluster.initial_cluster_manager_nodes: ["10.174.110.159", "10.174.110.149", "10.174.110.124"]

plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/certs/vmgclalte1757.syssede.systest.sanpaoloimi.com.cer
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/certs/vmgclalte1757.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/certs/CA_Servizi_Interni_Enhanced.pem
plugins.security.ssl.transport.enforce_hostname_verification: false

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/certs/vmgclalte1757.syssede.systest.sanpaoloimi.com.cer
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/certs/vmgclalte1757.key
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/certs/chain.pem

plugins.security.authcz.admin_dn:
 - "CN=admin,OU=IS,O=IS,L=Torino,ST=Torino,C=IT"

plugins.security.allow_default_init_securityindex: true
plugins.security.restapi.roles_enabled: ["all_access"]
bootstrap.system_call_filter: false

From the docs I've seen that if I use another CA I have to concatenate both CAs and put them in pemtrustedcas_filepath

I restarted the cluster but got the same error

[2025-05-22T16:34:02,578][ERROR][o.o.s.t.SecurityRequestHandler] [opensearch-master-01] OpenSearchException[Node presenting certificate with SSL Principal {CN=vmgclalte1748.syssede.systest.sanpaoloimi.com,OU=Intesa Sanpaolo S.p.A.,O=Intesa Sanpaolo S.p.A.,L=Torino,ST=Torino,C=IT} could not securely connect to the cluster. Please ensure the principal is correct and present in the nodes_dn list.]

I don't know what I'm doing wrong now

Andrea

As I mentioned before, you must configure nodes_dn in the production environment. Your config is missing that.

Try this in opensearch.yml on all nodes.

plugins.security.nodes_dn:
  - 'CN=*.syssede.systest.sanpaoloimi.com'

Alternatively you could try using nodes_dn.yml