When attempting to join nodes / authenticate TLS clients, OpenSearch throws:
Caused by: org.opensearch.OpenSearchException: Transport client authentication no longer supported.
at org.opensearch.security.ssl.util.ExceptionUtils.createTransportClientNoLongerSupportedException(ExceptionUtils.java:80) ~[?:?]
During debugging we discovered the DN values used in nodes_dn and plugins.security.authcz.admin_dn were textually the same, but the order of components in the Distinguished Name (DN) differed (e.g. CN=… , O=… , C=… vs C=… , O=… , CN=…). OpenSearch appears to validate DNs using RFC1779 format and fails authentication when the DN component order does not match the expected pattern even when the values themselves are identical.
Relevant documentation:
https://docs.opensearch.org/latest/troubleshoot/tls/#check-for-special-characters-and-white-space-in-dns
https://www.ietf.org/rfc/rfc1779.txt
Steps to reproduce:
- Generate certificate(s) for node/client with subject DN as CN=, O=, C= (order A).
- Configure plugins.security.nodes_dn using the same attribute values but in order B (e.g. C=, O=, CN=).
- Perform the same with plugins.security.authcz.admin_dn
- Restart node / attempt to join cluster.
- Observe the exception above and refused authentication.
Questions / requests
-
Is the strict string-order validation of DNs intentional and required for security? If so, could the docs be updated to explicitly call this out with examples and recommended formatting?
-
Would it be possible to make the DN comparison canonical (i.e., normalize/parse and compare attributes regardless of order) to reduce operator confusion while preserving security?
-
If canonical comparison is not acceptable, can the exception and log message be improved to indicate a DN ordering mismatch so the root cause is clearer?
-
Are there recommended best practices or tooling to ensure consistent DN ordering during certificate generation?
Thanks in advance.