Unable to configure newly generated SSL certificates on a 3 node opensearch cluster

thx1226 · April 12, 2022, 10:05pm

Unable to configure newly generated SSL certificates on a 3 node OpenSearch cluster running on 3 VM’s respectively

We initially deployed this cluster using the demo certificates which was successfully and no issues were seen whatsoever

New SSL Certificates are generated and we were trying to apply these to our cluster

Updated opensearch.yml as below -

cluster.name: opensearch-el
node.name: opensearch-node1
path.data: /home/epadmin/opensearch-1.3.1/data
path.logs: /home/epadmin/opensearch-1.3.1/logs
network.host: 172.xx.xx.xx
http.port: 9200
discovery.seed_hosts: [“172.xx.xx.xx”, “172.xx.xx.xx”, “172.xx.xx.xx”]
cluster.initial_master_nodes: [“172.16.26.xx”, “172.16.26.xx”, “172.16.26.xx”]

######## Start OpenSearch Security Demo Configuration ########

WARNING: revise all the lines below before you go into production

plugins.security.ssl.transport.pemcert_filepath: /home/epadmin/cert/node.pem
plugins.security.ssl.transport.pemkey_filepath: /home/epadmin/cert/node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /home/epadmin/cert/root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /home/epadmin/cert/node.pem
plugins.security.ssl.http.pemkey_filepath: /home/epadmin/cert/node-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /home/epadmin/cert/root-ca.pem
plugins.security.allow_unsafe_democertificates: false
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:

CN=A,OU=yyz.local,O=ey,L=TORONTO,ST=ONTARIO,C=CA
plugins.security.nodes_dn:
CN=openshnode.yyz.local,OU=yyz.local,O=ey,L=TORONTO,ST=ONTARIO,C=CA
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [“all_access”, “security_rest_api_access”]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [“.plugins-ml-model”, “.plugins-ml-task”, “.opendistro-alerting-config”, “.opendistro-alerting-alert*”, “.opendistro-anomaly-results*”, “.opendistro-anomaly-detector*”, “.opendistro-anomaly-checkpoints”, “.opendistro-anomaly-detection-state”, “.opendistro-reports-", ".opensearch-notifications-”, “.opensearch-notebooks”, “.opensearch-observability”, “.opendistro-asynchronous-search-response*”, “.replication-metadata-store”]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########

Ran securityadmin.sh and getting below error -

epadmin@opensearch-node1:~/opensearch-1.3.1/config$ /home/epadmin/opensearch-1.3.1/plugins/opensearch-security/tools/securityadmin.sh -cd “/home/epadmin/opensearch-1.3.1/plugins/opensearch-security/securityconfig” -cn opensearch-el -key “/home/epadmin/cert/admin-key.pem” -cert “/home/epadmin/cert/admin.pem” -cacert “/home/epadmin/cert/root-ca.pem” -nhnv -h 172.xx.xx.xx
WARNING: nor OPENSEARCH_JAVA_HOME nor JAVA_HOME is set, will use /usr/bin/java
Security Admin v7
Will connect to 172.xx.xx.xx:9300 … done
ERR: Cannot connect to OpenSearch. Please refer to opensearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{_i_ZQ_czTJeiXrmaMy17Vw}{172.xx.xx.xx}{172.xx.xx.xx:9300}]]
at org.opensearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:381)
at org.opensearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:272)
at org.opensearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:79)
at org.opensearch.client.transport.TransportClient.doExecute(TransportClient.java:484)
at org.opensearch.client.support.AbstractClient.execute(AbstractClient.java:433)
at org.opensearch.client.support.AbstractClient.execute(AbstractClient.java:419)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:524)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:157)

Any help in this regard is much appreciated as we are running a little behind timelines

Thanks in advance !

Anthony · April 13, 2022, 9:28am

@thx1226 Did you follow this guide when creating certificates?

Can you try to place the certificates in opensearch/config directory and reference relative path (not absolute) as follows in config:
plugins.security.ssl.transport.pemcert_filepath: node.pem
…

thx1226 · April 13, 2022, 1:54pm

I will try this tonight , thanks much !

thx1226 · April 20, 2022, 5:06pm

@Anthony I was able to set this up finally ( sorry for the late confirmation ) , ran the default security admin script that made the cluster setup a success with the default certs , then modified the opensearch.yaml with new cert values and redeployed ! Thanks for your help here , cheers !

Topic		Replies	Views
Opensearch-2.3.0 multinode SSL setup issue Security troubleshoot , configure , install	13	830	December 10, 2022
Unable to apply SSL certificate Security	5	96	July 23, 2024
TLS configuration with organizational certs Security troubleshoot , configure	2	617	January 21, 2022
Received fatal alert: certificate_unknown - cluster Security	1	1151	July 6, 2023
Unable to update TLS certificates Security troubleshoot	4	458	May 9, 2024

Unable to configure newly generated SSL certificates on a 3 node opensearch cluster

WARNING: revise all the lines below before you go into production

Related topics