SSL issue when server is restarted

m.guareno · November 28, 2022, 4:14pm

Versions
Opensearch 1.3.5
CentOS Linux 7 (Core)

Describe the issue:
Opensearch’s logs show an error related to SSL when this configuration should by completely disabled.
This error appears when the server is restarted. If we start the service manually, there is no problem.

Configuration:

[root@opensearch1-03 opensearch]# grep -vE '^#|^$' /etc/opensearch/opensearch.yml
cluster.name: ****_els
node.name: opensearch1-03
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["10.210.147.139", "10.210.147.140", "10.210.147.145"]
plugins.security.ssl.http.enabled: false
plugins.security.disabled: true
node.max_local_storage_nodes: 3

Relevant Logs or Screenshots:
opensearch.log

[2022-09-28T12:07:48,705][INFO ][o.o.s.a.i.AuditLogImpl   ] [elasticsearch1-03] Auditing will watch <NONE> for write requests.
[2022-09-28T12:07:48,705][INFO ][o.o.s.a.i.AuditLogImpl   ] [elasticsearch1-03] .opendistro_security is used as internal security index.
[2022-09-28T12:07:48,705][INFO ][o.o.s.a.i.AuditLogImpl   ] [elasticsearch1-03] Internal index used for posting audit logs is null
[2022-09-28T12:07:48,706][INFO ][o.o.s.c.ConfigurationRepository] [elasticsearch1-03] Hot-reloading of audit configuration is enabled
[2022-09-28T12:07:48,706][INFO ][o.o.s.c.ConfigurationRepository] [elasticsearch1-03] Node 'elasticsearch1-03' initialized
[2022-09-28T12:08:04,619][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [elasticsearch1-03] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a557365722d4167656e743a206375726c2f372e32392e300d0a486f73743a206c6f63616c686f73743a393230300d0a4163636570743a202a2f2a0d0a0d0a
io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a557365722d4167656e743a206375726c2f372e32392e300d0a486f73743a206c6f63616c686f73743a393230300d0a4163636570743a202a2f2a0d0a0d0a
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1215) ~[netty-handler-4.1.79.Final.jar:4.1.79.Final]
	...
	at java.lang.Thread.run(Thread.java:829) [?:?]
[2022-09-28T12:08:04,627][INFO ][o.o.c.m.MetadataCreateIndexService] [elasticsearch1-03] [security-auditlog-2022.09.28] creating index, cause [auto(bulk api)], templates [], shards [1]/[1]
[2022-09-28T12:08:04,626][WARN ][o.o.h.AbstractHttpServerTransport] [elasticsearch1-03] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=null}
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a557365722d4167656e743a206375726c2f372e32392e300d0a486f73743a206c6f63616c686f73743a393230300d0a4163636570743a202a2f2a0d0a0d0a
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:480) ~[netty-codec-4.1.79.Final.jar:4.1.79.Final]
	...
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.79.Final.jar:4.1.79.Final]
	at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a557365722d4167656e743a206375726c2f372e32392e300d0a486f73743a206c6f63616c686f73743a393230300d0a4163636570743a202a2f2a0d0a0d0a
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:449) ~[netty-codec-4.1.79.Final.jar:4.1.79.Final]
	... 16 more
[2022-09-28T12:08:04,831][INFO ][o.o.c.m.MetadataMappingService] [elasticsearch1-03] [security-auditlog-2022.09.28/iZarWrkWRmaxIqoOlrYnPQ] create_mapping [_doc]
[2022-09-28T12:08:11,265][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [elasticsearch1-03] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a557365722d4167656e743a206375726c2f372e32392e300d0a486f73743a206c6f63616c686f73743a393230300d0a4163636570743a202a2f2a0d0a0d0a
io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a557365722d4167656e743a206375726c2f372e32392e300d0a486f73743a206c6f63616c686f73743a393230300d0a4163636570743a202a2f2a0d0a0d0a
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1215) ~[netty-handler-4.1.79.Final.jar:4.1.79.Final]
	...
	at java.lang.Thread.run(Thread.java:829) [?:?]
[2022-09-28T12:08:11,268][WARN ][o.o.h.AbstractHttpServerTransport] [elasticsearch1-03] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=null}
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a557365722d4167656e743a206375726c2f372e32392e300d0a486f73743a206c6f63616c686f73743a393230300d0a4163636570743a202a2f2a0d0a0d0a
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:480) ~[netty-codec-4.1.79.Final.jar:4.1.79.Final]
	...
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.79.Final.jar:4.1.79.Final]
	at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a557365722d4167656e743a206375726c2f372e32392e300d0a486f73743a206c6f63616c686f73743a393230300d0a4163636570743a202a2f2a0d0a0d0a
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1215) ~[netty-handler-4.1.79.Final.jar:4.1.79.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1285) ~[netty-handler-4.1.79.Final.jar:4.1.79.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:510) ~[netty-codec-4.1.79.Final.jar:4.1.79.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:449) ~[netty-codec-4.1.79.Final.jar:4.1.79.Final]
	... 16 more
[2022-09-28T12:08:26,468][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [elasticsearch1-03] Exception during establishing a SSL connection: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a557365722d4167656e743a206375726c2f372e32392e300d0a486f73743a206c6f63616c686f73743a393230300d0a4163636570743a202a2f2a0d0a0d0a
io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a557365722d4167656e743a206375726c2f372e32392e300d0a486f73743a206c6f63616c686f73743a393230300d0a4163636570743a202a2f2a0d0a0d0a
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1215) ~[netty-handler-4.1.79.Final.jar:4.1.79.Final]
	...
	at java.lang.Thread.run(Thread.java:829) [?:?]
[2022-09-28T12:08:26,469][WARN ][o.o.h.AbstractHttpServerTransport] [elasticsearch1-03] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=null}
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a557365722d4167656e743a206375726c2f372e32392e300d0a486f73743a206c6f63616c686f73743a393230300d0a4163636570743a202a2f2a0d0a0d0a
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:480) ~[netty-codec-4.1.79.Final.jar:4.1.79.Final]
	...
	at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a557365722d4167656e743a206375726c2f372e32392e300d0a486f73743a206c6f63616c686f73743a393230300d0a4163636570743a202a2f2a0d0a0d0a
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1215) ~[netty-handler-4.1.79.Final.jar:4.1.79.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1285) ~[netty-handler-4.1.79.Final.jar:4.1.79.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:510) ~[netty-codec-4.1.79.Final.jar:4.1.79.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:449) ~[netty-codec-4.1.79.Final.jar:4.1.79.Final]
	... 16 more
[2022-09-28T12:08:40,226][INFO ][o.o.n.Node               ] [elasticsearch1-03] stopping ...
[2022-09-28T12:08:40,226][INFO ][o.o.s.a.r.AuditMessageRouter] [elasticsearch1-03] Closing AuditMessageRouter
[2022-09-28T12:08:40,228][INFO ][o.o.s.a.s.SinkProvider   ] [elasticsearch1-03] Closing InternalOpenSearchSink
[2022-09-28T12:08:40,228][INFO ][o.o.s.a.s.SinkProvider   ] [elasticsearch1-03] Closing DebugSink
[2022-09-28T12:08:40,338][INFO ][o.o.n.Node               ] [elasticsearch1-03] stopped
[2022-09-28T12:08:40,338][INFO ][o.o.n.Node               ] [elasticsearch1-03] closing ...
[2022-09-28T12:08:40,344][INFO ][o.o.s.a.i.AuditLogImpl   ] [elasticsearch1-03] Closing AuditLogImpl
[2022-09-28T12:08:40,348][INFO ][o.o.n.Node               ] [elasticsearch1-03] closed

messages

Nov 28 00:13:31 opensearch1-03 systemd[1]: Starting OpenSearch...
Nov 28 00:14:47 opensearch1-03 systemd[1]: opensearch.service start operation timed out. Terminating.
Nov 28 00:14:47 opensearch1-03 systemd[1]: Failed to start OpenSearch.
Nov 28 00:14:47 opensearch1-03 systemd[1]: Unit opensearch.service entered failed state.
Nov 28 00:14:47 opensearch1-03 systemd[1]: opensearch.service failed.

m.guareno · November 30, 2022, 8:48am

Does nobody know what’s going on?

Topic		Replies	Views
Opensearch configuration OpenSearch configure , install , security-issue	4	619	June 16, 2023
SSL Error on ElasticSearch Cluster from kibana Security	1	761	March 11, 2021
SSL integration for OpenSearch dashboard Security troubleshoot	1	1312	March 21, 2022
Issue with OpenSearch dashboard TLS Configuration Security troubleshoot	14	1580	June 1, 2023
Security issue while dumping logs to opensearch dashboards OpenSearch	8	205	November 9, 2023

SSL issue when server is restarted

Related Topics