SSL doesn't work

@pablo already tried

cluster.name: opensearch-moncalieri
node.name: opensearch-master-01
node.roles: [ cluster_manager ]
network.host: 0.0.0.0

path.data: "/mnt/opensearch"
path.logs: "/var/log/opensearch"

discovery.seed_hosts: ["10.174.110.159", "10.174.110.149", "10.174.110.124"]
cluster.initial_cluster_manager_nodes: ["10.174.110.159", "10.174.110.149", "10.174.110.124"]

plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/certs/vmgclalte1757.syssede.systest.sanpaoloimi.com.cer
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/certs/vmgclalte1757.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/certs/CA_Servizi_Interni_Enhanced.pem
plugins.security.ssl.transport.enforce_hostname_verification: false

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/certs/vmgclalte1757.syssede.systest.sanpaoloimi.com.cer
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/certs/vmgclalte1757.key
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/certs/chain.pem

plugins.security.authcz.admin_dn:
  - "CN=admin,OU=IS,O=IS,L=Torino,ST=Torino,C=IT"
plugins.security.nodes_dn:
  - 'CN=*.syssede.systest.sanpaoloimi.com,OU=IS,O=IS,L=Torino,ST=Torino,C=IT'

plugins.security.allow_default_init_securityindex: true
plugins.security.restapi.roles_enabled: ["all_access"]
bootstrap.system_call_filter: false

For the Admin certificate, I've followed this documentation: Generating self-signed certificates - OpenSearch Documentation

But in my admin.pem certificate I don't have the clientAuth key usage; is this the problem? @pablo

Why doesn't the doc explain how to add the clientAuth?

I also tried with a new admin certificate with clientAuth, but same problem.

My logs:

[2025-05-22T17:42:06,040][WARN ][i.n.c.AbstractChannelHandlerContext] [opensearch-master-01] An exception 'OpenSearchSecurityException[The provided TCP channel is invalid.]; nested: DecoderException[javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS client authentication]; nested: SSLHandshakeException[Extended key usage does not permit use for TLS client authentication]; nested: ValidatorException[Extended key usage does not permit use for TLS client authentication];' [enable DEBUG level for full stacktrace] was thrown by a user handler's exceptionCaught() method while handling the following exception:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS client authentication
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[?:?]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868) ~[?:?]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[?:?]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796) ~[?:?]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697) ~[?:?]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660) ~[?:?]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[?:?]
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998) ~[?:?]
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]
        at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS client authentication
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:383) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326) ~[?:?]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkClientCerts(CertificateMessage.java:1263) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1167) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1144) ~[?:?]
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1273) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?]
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:714) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205) ~[?:?]
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1691) ~[?:?]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1537) ~[?:?]
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1378) ~[?:?]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1427) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[?:?]
        ... 16 more
Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
        at java.base/sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:246) ~[?:?]
        at java.base/sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:151) ~[?:?]
        at java.base/sun.security.validator.Validator.validate(Validator.java:269) ~[?:?]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284) ~[?:?]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:138) ~[?:?]
        at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkClientTrusted(EnhancingX509ExtendedTrustManager.java:62) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkClientCerts(CertificateMessage.java:1241) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1167) ~[?:?]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1144) ~[?:?]
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1273) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?]
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:714) ~[?:?]
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205) ~[?:?]
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1691) ~[?:?]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1537) ~[?:?]
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1378) ~[?:?]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1427) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[?:?]
        ... 16 more

I've run out of ideas… I don't know what I have to do…

@pablo @paksydavid any suggestions?

@abarocco Could you share the output of the following commands?

openssl x509 -in <node_transport_cert> -noout -text | grep -A1 "Key Usage"
openssl x509 -in <node_transport_cert> -noout -subject

openssl x509 -in <node_http_cert> -noout -text | grep -A1 "Key Usage"
openssl x509 -in <node_http_cert> -noout -subject

openssl x509 -in <admin_cert> -noout -text | grep -A1 "Key Usage"
openssl x509 -in <admin_cert> -noout -subject
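The check pablo asks for, carried through as an added example (not code from the thread or from OpenSearch): a throwaway CA issues three certificates whose only difference is the Extended Key Usage, and `openssl verify -purpose sslclient` applies the same rule as the JDK validator in the stack trace, rejecting a certificate whose EKU extension is present but lacks clientAuth while accepting one with no EKU extension at all. All file names and the subject are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway CA and three
# admin-style certs differing only in Extended Key Usage, then checks each for
# the TLS-client purpose. Paths are assumptions; keys are throwaway RSA keys.
set -e
WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=IT/ST=Torino/L=Torino/O=IS/OU=IS/CN=admin"

openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_cert NAME [EXTFILE]: CSR for $SUBJ signed by the throwaway CA.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    if [ -n "$2" ]; then
        openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
            -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$2" \
            -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
            -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
    fi
}

# Returns 0 when the cert chains to the CA and its extensions permit TLS client
# use: EKU absent, or EKU present and containing clientAuth (JDK rule).
client_purpose_ok() {
    openssl verify -purpose sslclient -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' \
    > "$WORK/server-only.ext"
printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth, clientAuth\n' \
    > "$WORK/server-client.ext"

issue_cert admin-noeku                             # no EKU extension at all
issue_cert admin-server "$WORK/server-only.ext"    # web-server style cert
issue_cert admin-both "$WORK/server-client.ext"    # what an admin/transport cert needs

for c in admin-noeku admin-server admin-both; do
    openssl x509 -in "$WORK/$c.pem" -noout -text | grep -A1 "Extended Key Usage" \
        || echo "    (no Extended Key Usage extension)"
    if client_purpose_ok "$WORK/$c.pem"; then
        echo "$c: accepted as TLS client"
    else
        echo "$c: REJECTED as TLS client (the handshake error in the thread)"
    fi
done
```

Run the same `openssl verify -purpose sslclient` against the real transport, HTTP and admin certificates with the issuing CA to see which one the node would refuse.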

Hi @pablo, all works fine now.
