“Transport Client Authentication no longer supported” join data and multi master node to cluster with security plugin enabled

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch.x86_64 2.15.0-1

Describe the issue:
I cannot join another master node and data node to the existing cluster; here is my config file:

Configuration:

---
action.destructive_requires_name: "false"
bootstrap.memory_lock: "false"
cluster.initial_cluster_manager_nodes: ["es8-master-2"]
cluster.name: "es8-infra"
discovery.seed_hosts:
- "es8-master-2.mycompany.com"
- "es8-master-1.mycompany.com"
- "es8-master-3.mycompany.com"
http.port: "9200"
network.host:
- "ip-172-21-x-x.ap-southeast-1.compute.internal"
- "_local_"
network.publish_host: "es8-master-2.mycompany.com"
node.name: "es8-master-2"
node.roles:
- "remote_cluster_client"
- "cluster_manager"
- "data"
path.data:
- "/mnt/mycompany/es8-infra/opensearch"
path.logs: "/var/log/opensearch"
compatibility.override_main_response_version: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.audit.type: internal_opensearch
#plugins.security.disabled: true
plugins.security.allow_unsafe_democertificates: false
plugins.security.ssl_cert_reload_enabled: true
plugins.security.allow_default_init_securityindex: true
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-security", ".opensearch-observability"]
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemcert_filepath: "/etc/opensearch/config/master-2.pem"
plugins.security.ssl.transport.pemkey_filepath: "/etc/opensearch/config/master-2-key.pem"
plugins.security.ssl.transport.pemtrustedcas_filepath: "/etc/opensearch/config/root-ca.pem"
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: "/etc/opensearch/config/master-2.pem"
plugins.security.ssl.http.pemkey_filepath: "/etc/opensearch/config/master-2-key.pem"
plugins.security.ssl.http.pemtrustedcas_filepath: "/etc/opensearch/config/root-ca.pem"
plugins.security.authcz.admin_dn:
- CN=es8.mycompany.com,OU=Infra,O=mycompany,L=Ho\ Chi\ Minh\ City,ST=District\ 3,C=VN
plugins.security.nodes_dn:
- 'CN=*.mycompany.com'
- 'CN=es8-master-1.mycompany.com,OU=Infra,O=mycompany,L=Ho\ Chi\ Minh\ City,ST=District\ 3,C=VN'
- 'CN=es8-master-2.mycompany.com,OU=Infra,O=mycompany,L=Ho\ Chi\ Minh\ City,ST=District\ 3,C=VN'
- 'CN=es8-master-3.mycompany.com,OU=Infra,O=mycompany,L=Ho\ Chi\ Minh\ City,ST=District\ 3,C=VN'

Relevant Logs or Screenshots:
My initial cluster node is es8-master-2, and here is the log:
[2024-07-24T10:34:55,300][ERROR][o.o.s.t.SecurityRequestHandler] [es8-master-2] OpenSearchException[Transport client authentication no longer supported.]

Another master that wants to join the cluster is es8-master-1; here is its log:
[2024-07-24T10:34:56,301][WARN ][o.o.d.HandshakingTransportAddressConnector] [es8-master-1] handshake failed for [connectToRemoteMasterNode[172.21.x.x:9300]]
org.opensearch.transport.RemoteTransportException: [es8-master-2][172.21.x.x:9300][internal:transport/handshake]
Caused by: org.opensearch.OpenSearchException: Transport client authentication no longer supported.

Here is my certificate verification:
❯ openssl x509 -subject -nameopt RFC2253 -noout -in master-2.pem
subject=CN=es8-master-2.mycompany.com,OU=Infra,O=mycompany,L=Ho Chi Minh City,ST=District 3,C=VN

It should be:

plugins.security.nodes_dn:
- 'CN=*.mycompany.com'
- 'CN=es8-master-1.mycompany.com,OU=Infra,O=mycompany,L=Ho Chi Minh City,ST=District 3,C=VN'
- 'CN=es8-master-2.mycompany.com,OU=Infra,O=mycompany,L=Ho Chi Minh City,ST=District 3,C=VN'
- 'CN=es8-master-3.mycompany.com,OU=Infra,O=mycompany,L=Ho Chi Minh City,ST=District 3,C=VN'

You need to escape only commas, if any.

1 Like

It works. Thank you so much.
In addition, I have a hot data node with:

CN=es8-data-h-1.mycompany.com,OU=Infra,O=mycompany,L=Ho Chi Minh City,ST=District 3,C=VN

It seems like the wildcard CN=*.mycompany.com didn't work as expected.
I have to add more, like:

plugins.security.nodes_dn:
- 'CN=es8-data-h-1.mycompany.com,OU=Infra,O=mycompany,L=Ho Chi Minh City,ST=District 3,C=VN'

and restart all master nodes to apply the config, which is inconvenient whenever a node wants to join the cluster. Is there any way to skip the DNS subject alternative check so that nodes can easily join the cluster without restarting all master nodes?

@huynguyenb3 Try this instead.

plugins.security.nodes_dn:
- 'CN=*.mycompany.com,OU=Infra,O=mycompany,L=Ho Chi Minh City,ST=District 3,C=VN'
1 Like

plugins.security.authcz.admin_dn:
- CN=es8.mycompany.com,OU=Infra,O=mycompany,L=Ho\ Chi\ Minh\ City,ST=District\ 3,C=VN

You should also change this line to:

plugins.security.authcz.admin_dn:
- CN=es8.mycompany.com,OU=Infra,O=mycompany,L=Ho Chi Minh City,ST=District 3,C=VN

Otherwise your securityadmin.sh will fail to update the security configuration.
Please be sure that the certificate in the admin_dn is only a client certificate, not client+server.

2 Likes
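The two failure modes in this thread (backslash-escaped spaces in nodes_dn, and a CN-only wildcard that never matches a full subject DN) can be checked before restarting any cluster manager. The following Python script is an added example, not code from the thread or from the OpenSearch project: it models the matching as an anchored glob over the entire RFC2253 subject string (`*` any run of characters, `?` one character), which is an assumption about the security plugin's wildcard matching rather than its actual implementation, and the subject strings are constructed from the DNs quoted in the thread.

```python
"""Added example: pre-flight check of certificate subjects against a
plugins.security.nodes_dn list.

Assumption (modelled on the thread, not the plugin's source): each
nodes_dn entry is a glob that must match the WHOLE RFC2253 subject DN,
exactly as `openssl x509 -subject -nameopt RFC2253` prints it.
"""
import re
from typing import Dict, List, Optional


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a nodes_dn glob into an anchored regex; only * and ? are special."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def dn_matches(subject: str, patterns: List[str]) -> Optional[str]:
    """Return the first nodes_dn pattern that matches the full subject DN, else None."""
    for pat in patterns:
        if glob_to_regex(pat).match(subject):
            return pat
    return None


def overescaped(patterns: List[str]) -> List[str]:
    """Entries containing backslash-escaped spaces.

    openssl's RFC2253 output keeps plain spaces in attribute values, so such
    an entry can never match and the peer is treated as an unauthenticated
    transport client (the 'Transport client authentication no longer
    supported' error from the thread).
    """
    return [p for p in patterns if "\\ " in p]


def report(subjects: List[str], patterns: List[str]) -> Dict[str, Optional[str]]:
    """Map each subject DN to the nodes_dn entry that admits it (None = rejected)."""
    return {s: dn_matches(s, patterns) for s in subjects}


# Constructed sample subjects, in the form openssl prints them.
MASTER2 = "CN=es8-master-2.mycompany.com,OU=Infra,O=mycompany,L=Ho Chi Minh City,ST=District 3,C=VN"
DATA_H1 = "CN=es8-data-h-1.mycompany.com,OU=Infra,O=mycompany,L=Ho Chi Minh City,ST=District 3,C=VN"

# nodes_dn entries as they appear in the thread.
ESCAPED_MASTER2 = "CN=es8-master-2.mycompany.com,OU=Infra,O=mycompany,L=Ho\\ Chi\\ Minh\\ City,ST=District\\ 3,C=VN"
CN_ONLY_WILDCARD = "CN=*.mycompany.com"
FULL_WILDCARD = "CN=*.mycompany.com,OU=Infra,O=mycompany,L=Ho Chi Minh City,ST=District 3,C=VN"

if __name__ == "__main__":
    original = [CN_ONLY_WILDCARD, ESCAPED_MASTER2]
    fixed = [FULL_WILDCARD]
    print("over-escaped entries:", overescaped(original))
    print("original nodes_dn:", report([MASTER2, DATA_H1], original))
    print("fixed nodes_dn:   ", report([MASTER2, DATA_H1], fixed))
```

Run it against the DN list from opensearch.yml and the subjects of every node certificate; a `None` in the report means that node would be rejected at the transport handshake, and any entry flagged by `overescaped` is the escaping mistake the thread resolves.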