Where and what certs from the cluster are needed for dashboard node

GuyS · July 8, 2025, 4:55pm

I think this has something to do with the cert files from the opensearch cluster nodes but I cant figer out what should be defined in the yml file for reference those certs.

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
3.0.0

Describe the issue:
ConnectionError socket hang up

Configuration:
Current ssl

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.

# These settings enable SSL for outgoing requests from the OpenSearch Dashboards server to the browser.

server.ssl.enabled: true

server.ssl.certificate: /etc/opensearch-dashboards/cert2.pem

server.ssl.key: /etc/opensearch-dashboards/privkey2.pem

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.

# These files are used to verify the identity of OpenSearch Dashboards to OpenSearch and are required when

# xpack.security.http.ssl.client_authentication in OpenSearch is set to required.

opensearch.ssl.certificate: /etc/opensearch-dashboards/root-ca.pem

opensearch.ssl.key: /etc/opensearch-dashboards/root-ca-key.pem

# Optional setting that enables you to specify a path to the PEM file for the certificate

# authority for your OpenSearch instance.

# opensearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

Relevant Logs or Screenshots:

ul 08 12:48:18 rittenhouse authbind[1870893]: {"type":"log","@timestamp":"2025-07-08T16:48:18Z","tags":["error","opensearch","data"],"pid":1870893,"message":"[ConnectionError]: socket hang up"}

Anthony · July 8, 2025, 5:38pm

@GuyS There are 3 reasons the certificate might be used in this configuration:

To enable https when using OSD, see following code block:

server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/cert2.pem
server.ssl.key: /etc/opensearch-dashboards/privkey2.pem

You can set this to false while testing and use http:// and later enable it when everything else is working.

To verify the certificates being received from OpenSearch, you can disable the verification and get up and running using below:

opensearch.ssl.verificationMode: none

If the above is set to full or certificate you need to specify a path to trusted chain, this might need to include a root CA and an intermediate CA if you used the intermediate CA to issue your admin, client, and node certificates. If only CA certificate was used to sign these certificates you would just need to include the CA certificate itself, see following config:

opensearch.ssl.verificationMode: certificate
opensearch.ssl.certificateAuthorities: path/to/CA-certificate

To communication with opensearch using certificates. Only needed if you manually set the below to true, this is false by default.

opensearch.ssl.alwaysPresentCertificate: true
opensearch.ssl.certificate: /path/to/client-certificate # not root-ca.pem
opensearch.ssl.key: /path/to/client-key # not root-ca-key.pem

Further details regarding these settings are available here

Topic		Replies	Views
Issue with OpenSearch dashboard with ssl certificate Security troubleshoot	9	5170	August 23, 2023
Opensearch Dashboards - Getting connection error with opensearch message":"[ConnectionError]: socket hang up"} after enabling SSL Security	8	1435	June 21, 2024
[ConnectionError]: unable to verify the first certificate Security	11	4071	July 21, 2023
SSL integration for OpenSearch dashboard Security troubleshoot	1	1558	March 21, 2022
Cannot load Opensearch Dashboards after adding certificates Security troubleshoot , configure , security-issue	3	441	March 25, 2024

Where and what certs from the cluster are needed for dashboard node

Related topics