"Transport client authentication no longer supported." error while implementing third party CA cert for transport layer

NOTE: I have replaced the IP details and certificate names for privacy reasons. Please ignore that.
Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch image version - 2.9.0-release-4.14.0-29.12.2023

Describe the issue:
We have deployed a 3rd-party CA-signed certificate at both the HTTP and transport layers, as per the configuration below in opensearch.yml, and we are getting the following error in the pod logs:

WARN ][o.o.d.HandshakingTransportAddressConnector] [platform-opensearch-data-8] handshake failed for [connectToRemoteMasterNode[*.*.*.*:9300]]
org.opensearch.transport.RemoteTransportException: [platform-opensearch-master-0][*.*.*.*:9300][internal:transport/handshake]
Caused by: org.opensearch.OpenSearchException: Transport client authentication no longer supported.
        at org.opensearch.security.ssl.util.ExceptionUtils.createTransportClientNoLongerSupportedException(ExceptionUtils.java:68) ~[?:?]
        at org.opensearch.security.transport.SecurityRequestHandler.messageReceivedDecorate(SecurityRequestHandler.java:292) ~[?:?]
        at org.opensearch.security.ssl.transport.SecuritySSLRequestHandler.messageReceived(SecuritySSLRequestHandler.java:163) ~[?:?]
        at org.opensearch.security.OpenSearchSecurityPlugin$7$1.messageReceived(OpenSearchSecurityPlugin.java:756) ~[?:?]
        at org.opensearch.indexmanagement.rollup.interceptor.RollupInterceptor$interceptHandler$1.messageReceived(RollupInterceptor.kt:113) ~[?:?]
        at org.opensearch.performanceanalyzer.transport.PerformanceAnalyzerTransportRequestHandler.messageReceived(PerformanceAnalyzerTransportRequestHandler.java:43) ~[?:?]
        at org.opensearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:106) ~[opensearch-2.9.0.jar:2.9.0]
        at org.opensearch.transport.InboundHandler.handleRequest(InboundHandler.java:249) ~[opensearch-2.9.0.jar:2.9.0]
        at org.opensearch.transport.InboundHandler.messageReceived(InboundHandler.java:132) ~[opensearch-2.9.0.jar:2.9.0]
        at org.opensearch.transport.InboundHandler.inboundMessage(InboundHandler.java:114) ~[opensearch-2.9.0.jar:2.9.0]
        at org.opensearch.transport.TcpTransport.inboundMessage(TcpTransport.java:769) ~[opensearch-2.9.0.jar:2.9.0]
        at org.opensearch.transport.InboundPipeline.forwardFragments(InboundPipeline.java:175) ~[opensearch-2.9.0.jar:2.9.0]
        at org.opensearch.transport.InboundPipeline.doHandleBytes(InboundPipeline.java:150) ~[opensearch-2.9.0.jar:2.9.0]

Configuration:

   plugins:
      security:
        ssl:
          transport:
            pemcert_filepath: personal.crt
            pemkey_filepath: private.key
            pemtrustedcas_filepath: 3rdpartyCA.crt
            enforce_hostname_verification: false
          http:
            enabled: true
            pemcert_filepath: personal.crt
            pemkey_filepath: private.key
            pemtrustedcas_filepath: 3rdpartyCA.crt
        allow_unsafe_democertificates: true
        allow_default_init_securityindex: true
        authcz:
          admin_dn:
            - CN=kirk,OU=client,O=client,L=test,C=de
        enable_snapshot_restore_privilege: true

Relevant Logs or Screenshots:

Hi @V2nD,

What port are you connecting to?
Try specifying port 9200.

best,
mj

Hello @Mantas, thank you for your response. Port 9300 is being used for the transport layer, and we are using 9200 for HTTP communication.
Can we use the same port 9200 for both HTTP and transport?

Oh, I see. Can you try listing the DNs of all nodes in plugins.security.nodes_dn? More info here: Configuring TLS certificates - OpenSearch Documentation

Let me know if that solved the issue.

Best,
mj

@Mantas ,

We have solved the case. Initially we did set the node_dn, but that didn't solve the case.
We have done the following, and somehow things started working:

  • Add node_dn with the CN of the certificate we have installed (not the root or intermediate CN).
  • Set allow_unsafe_democertificates to false.
  • Set the environment variable below in the StatefulSet of the master and data nodes:
           - name: DISABLE_INSTALL_DEMO_CONFIG
             value: "true"

Thank you team.

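As an added example (not the plugin's own code and not from the thread): a small Python check that models how a plugins.security.nodes_dn list admits a node certificate's subject DN, and flags the three settings the fix above hinged on. It assumes the documented nodes_dn syntax (a literal DN with `*` as a wildcard, or a regex between slashes) and approximates rather than reproduces the plugin's matcher; the sample settings and node DNs are constructed, except the demo admin DN, which is taken from the opensearch.yml in the original post.

```python
import re

# Demo admin DN quoted in the thread's opensearch.yml; seeing it in a production
# config is one sign that the demo security setup is still in effect.
DEMO_ADMIN_DN = "CN=kirk,OU=client,O=client,L=test,C=de"

def normalize_dn(dn: str) -> str:
    """Strip whitespace around RDN separators so 'CN=a, OU=b' equals 'CN=a,OU=b'."""
    return ",".join(part.strip() for part in dn.split(","))

def dn_matches(entry: str, subject_dn: str) -> bool:
    """Match one nodes_dn entry against a node certificate's subject DN.
    Assumption: an entry wrapped in slashes is a regex; in a literal entry '*'
    matches any run of characters (the syntax the OpenSearch docs describe)."""
    subject = normalize_dn(subject_dn)
    if len(entry) > 1 and entry.startswith("/") and entry.endswith("/"):
        return re.search(entry[1:-1], subject) is not None
    # Literal DN: escape everything except '*', then anchor both ends.
    parts = [re.escape(p) for p in normalize_dn(entry).split("*")]
    return re.match("^" + ".*".join(parts) + "$", subject) is not None

def node_accepted(nodes_dn: list, subject_dn: str) -> bool:
    """True if at least one nodes_dn entry admits the node presenting subject_dn."""
    return any(dn_matches(entry, subject_dn) for entry in nodes_dn)

def audit_security_settings(security: dict) -> list:
    """Findings for the settings the thread's fix hinged on; 'security' is the
    parsed plugins.security mapping from opensearch.yml."""
    findings = []
    if security.get("allow_unsafe_democertificates", False):
        findings.append("allow_unsafe_democertificates is true; set it to false")
    if not security.get("nodes_dn"):
        findings.append("nodes_dn is missing; list the subject DN of every node certificate")
    admin_dns = security.get("authcz", {}).get("admin_dn", [])
    if any(normalize_dn(dn) == DEMO_ADMIN_DN for dn in admin_dns):
        findings.append("admin_dn still holds the demo 'kirk' certificate DN")
    return findings

# Constructed samples: the settings from the original post, then corrected ones.
BEFORE = {"allow_unsafe_democertificates": True,
          "authcz": {"admin_dn": ["CN=kirk,OU=client,O=client,L=test,C=de"]}}
AFTER = {"allow_unsafe_democertificates": False,
         "nodes_dn": ["CN=platform-opensearch-*,OU=nodes,O=Example,C=DE"],
         "authcz": {"admin_dn": ["CN=admin,OU=ops,O=Example,C=DE"]}}
```

To get the subject DN to test against, `openssl x509 -in personal.crt -noout -subject -nameopt RFC2253` prints it in the comma-separated form the nodes_dn examples in the documentation use.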

@V2nD, Thanks for sharing your solution!