Why can't I create a cluster?

qpmuvbr · June 12, 2025, 6:00pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 3.0.0
OpenSearch Dashboard 3.0.0
Debian 12 stable
Firefox ESR 128
Installed from official Debian repo.

Describe the issue:
I am trying to create a 2 nodes cluster. But after I restart the service the cluster only find local node and the other node is not showing in the output of curl -XGET https://node1.local.arpa:9200/_cat/nodes?v -u 'admin:password' --insecure(also on node2.local.arpa)

Node1:

# curl -XGET https://127.0.0.1:9200/_cat/nodes?v -u 'admin:password' --insecure
ip       heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
192.168.100.9            3          69   2    0.00    0.01     0.09 dimr      cluster_manager,data,ingest,remote_cluster_client *               node1

Node2:

# curl -XGET https://127.0.0.1:9200/_cat/nodes?v -u 'admin:password' --insecure
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
192.168.100.10            3          71   1    0.00    0.00     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client *               node2

I can’t create the cluster, one node is not joining the other. Please help me!

My diagram was described here, just don’t have the VM3 and I haven’t configure the shared FS yet.

Both nodes have Dashboard installed.

Configuration:
Node1 /etc/opensearch/opensearch.yml:

cluster.name: logcluster
node.name: node1
node.roles: [ cluster_manager, data, ingest, remote_cluster_client ]
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
bootstrap.system_call_filter: false
network.host: [_local_, 192.168.100.9]
http.port: 9200
discovery.seed_hosts: ["192.168.100.9", "192.168.100.10"]
cluster.initial_cluster_manager_nodes: ["node1.local.arpa", "node2.local.arpa"]
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['C=US,ST=TEST,L=A,O=TEST,OU=TEST,CN=*.local.arpa']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
  .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
  .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
  .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
  .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
  .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
  .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
  .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
  .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
  .plugins-flow-framework-state]
node.max_local_storage_nodes: 3

Node2 /etc/opensearch/opensearch.yml:

cluster.name: logcluster
node.name: node2
node.roles: [ cluster_manager, data, ingest, remote_cluster_client ]
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
bootstrap.system_call_filter: false
network.host: [_local_, 192.168.100.10]
http.port: 9200
discovery.seed_hosts: ["192.168.100.9", "192.168.100.10"]
cluster.initial_cluster_manager_nodes: ["node1.local.arpa", "node2.local.arpa"]
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['C=US,ST=TEST,L=A,O=TEST,OU=TEST,CN=*.local.arpa']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
  .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
  .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
  .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
  .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
  .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
  .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
  .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
  .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
  .plugins-flow-framework-state]
node.max_local_storage_nodes: 3

Relevant Logs or Screenshots:
Node1 /var/log/opensearch/logcluster.log:

Node2 /var/log/opensearch/logcluster.log:

qpmuvbr · June 12, 2025, 6:01pm

My diagram without shared file system or VM3. I only have 2 nodes right now.

qpmuvbr · June 12, 2025, 7:07pm

I forgot to mention that I am using my selfsigned CA and ssl keypair, I just copied those files to /etc/opensearch and changed their name to the same with original demo certification name.
I find these in my log:

[2025-06-12T13:29:48,103][INFO ][o.o.t.TransportService   ] [node1] publish_address {192.168.100.9:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}, {192.168.100.9:9300}
[2025-06-12T13:29:48,106][INFO ][o.o.t.TransportService   ] [node1] Remote clusters initialized successfully.
[2025-06-12T13:29:49,705][INFO ][o.o.b.BootstrapChecks    ] [node1] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2025-06-12T13:29:49,724][INFO ][o.o.c.c.Coordinator      ] [node1] cluster UUID [CgVl5LKQQnO4jQSlFu2uaQ]
[2025-06-12T13:29:50,253][WARN ][o.o.d.HandshakingTransportAddressConnector] [node1] handshake failed for [connectToRemoteMasterNode[192.168.100.10:9300]]
org.opensearch.transport.RemoteTransportException: [node2][192.168.100.10:9300][internal:transport/handshake]
Caused by: org.opensearch.OpenSearchException: java.security.cert.CertificateParsingException: URI name must include scheme:*.local.arpa
	at org.opensearch.security.transport.DefaultInterClusterRequestEvaluator.isInterClusterRequest(DefaultInterClusterRequestEvaluator.java:174) ~[?:?]
	at org.opensearch.security.transport.SecurityRequestHandler.addAdditionalContextValues(SecurityRequestHandler.java:358) ~[?:?]
	at org.opensearch.security.ssl.transport.SecuritySSLRequestHandler.messageReceived(SecuritySSLRequestHandler.java:140) ~[?:?]
	at org.opensearch.security.OpenSearchSecurityPlugin$6$1.messageReceived(OpenSearchSecurityPlugin.java:869) ~[?:?]
	at org.opensearch.indexmanagement.rollup.interceptor.RollupInterceptor$interceptHandler$1.messageReceived(RollupInterceptor.kt:120) ~[?:?]
	at org.opensearch.performanceanalyzer.transport.PerformanceAnalyzerTransportRequestHandler.messageReceived(PerformanceAnalyzerTransportRequestHandler.java:44) ~[?:?]
	at org.opensearch.performanceanalyzer.transport.RTFPerformanceAnalyzerTransportRequestHandler.messageReceived(RTFPerformanceAnalyzerTransportRequestHandler.java:63) ~[?:?]
	at org.opensearch.wlm.WorkloadManagementTransportInterceptor$RequestHandler.messageReceived(WorkloadManagementTransportInterceptor.java:63) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:108) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.NativeMessageHandler.handleRequest(NativeMessageHandler.java:278) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.NativeMessageHandler.handleMessage(NativeMessageHandler.java:146) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.NativeMessageHandler.messageReceived(NativeMessageHandler.java:126) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.InboundHandler.messageReceivedFromPipeline(InboundHandler.java:120) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.InboundHandler.inboundMessage(InboundHandler.java:112) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.TcpTransport.inboundMessage(TcpTransport.java:768) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.InboundBytesHandler.forwardFragments(InboundBytesHandler.java:137) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.InboundBytesHandler.doHandleBytes(InboundBytesHandler.java:77) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.InboundPipeline.doHandleBytes(InboundPipeline.java:124) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.InboundPipeline.handleBytes(InboundPipeline.java:113) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:95) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.handler.logging.LoggingHandler.channelRead(LoggingHandler.java:280) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1515) ~[?:?]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1378) ~[?:?]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1427) ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868) ~[?:?]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[?:?]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998) ~[?:?]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]
	at java.lang.Thread.run(Thread.java:1583) [?:?]
Caused by: org.opensearch.core.common.io.stream.NotSerializableExceptionWrapper: certificate_parsing_exception: URI name must include scheme:*.local.arpa
	at sun.security.x509.X509CertImpl.getExtensionIfParseable(X509CertImpl.java:1154) ~[?:?]
	at sun.security.x509.X509CertImpl.getSubjectAlternativeNames(X509CertImpl.java:1316) ~[?:?]
	at org.opensearch.security.transport.DefaultInterClusterRequestEvaluator.isInterClusterRequest(DefaultInterClusterRequestEvaluator.java:123) ~[?:?]
	at org.opensearch.security.transport.SecurityRequestHandler.addAdditionalContextValues(SecurityRequestHandler.java:358) ~[?:?]
	at org.opensearch.security.ssl.transport.SecuritySSLRequestHandler.messageReceived(SecuritySSLRequestHandler.java:140) ~[?:?]
	at org.opensearch.security.OpenSearchSecurityPlugin$6$1.messageReceived(OpenSearchSecurityPlugin.java:869) ~[?:?]
	at org.opensearch.indexmanagement.rollup.interceptor.RollupInterceptor$interceptHandler$1.messageReceived(RollupInterceptor.kt:120) ~[?:?]
	at org.opensearch.performanceanalyzer.transport.PerformanceAnalyzerTransportRequestHandler.messageReceived(PerformanceAnalyzerTransportRequestHandler.java:44) ~[?:?]
	at org.opensearch.performanceanalyzer.transport.RTFPerformanceAnalyzerTransportRequestHandler.messageReceived(RTFPerformanceAnalyzerTransportRequestHandler.java:63) ~[?:?]
	at org.opensearch.wlm.WorkloadManagementTransportInterceptor$RequestHandler.messageReceived(WorkloadManagementTransportInterceptor.java:63) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:108) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.NativeMessageHandler.handleRequest(NativeMessageHandler.java:278) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.NativeMessageHandler.handleMessage(NativeMessageHandler.java:146) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.NativeMessageHandler.messageReceived(NativeMessageHandler.java:126) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.InboundHandler.messageReceivedFromPipeline(InboundHandler.java:120) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.InboundHandler.inboundMessage(InboundHandler.java:112) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.TcpTransport.inboundMessage(TcpTransport.java:768) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.InboundBytesHandler.forwardFragments(InboundBytesHandler.java:137) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.InboundBytesHandler.doHandleBytes(InboundBytesHandler.java:77) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.InboundPipeline.doHandleBytes(InboundPipeline.java:124) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.InboundPipeline.handleBytes(InboundPipeline.java:113) ~[opensearch-3.0.0.jar:3.0.0]
	at org.opensearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:95) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.handler.logging.LoggingHandler.channelRead(LoggingHandler.java:280) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1515) ~[?:?]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1378) ~[?:?]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1427) ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[?:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868) ~[?:?]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660) ~[?:?]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[?:?]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998) ~[?:?]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]
	at java.lang.Thread.run(Thread.java:1583) [?:?]

Is there anyway to disable the certificate verification so it won’t force it to parse the URL with “*.local.arpa”?

Anthony · June 16, 2025, 9:50am

@qpmuvbr According to the above you have not configured nodes_dn section, therefore the nodes do not know which certificates should be treated as node certificates. See example here

KateWinslet · June 16, 2025, 7:09pm

qpmuvbr:

OpenSearch 3.0.0
OpenSearch Dashboard 3.0.0
Debian 12 stable
Firefox ESR 128
Installed from official Debian repo.

Describe the issue:
I am trying to create a 2 nodes cluster. But after I restart the service the cluster only find local node and the other node is not showing in the output of curl -XGET https://node1.local.arpa:9200/_cat/nodes?v -u 'admin:password' --insecure(also on node2.local.arpa)

Node1:

# curl -XGET https://127.0.0.1:9200/_cat/nodes?v -u 'admin:password' --insecure
ip       heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
192.168.100.9            3          69   2    0.00    0.01     0.09 dimr      cluster_manager,data,ingest,remote_cluster_client *               node1

Node2:

# curl -XGET https://127.0.0.1:9200/_cat/nodes?v -u 'admin:password' --insecure
ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles                                        cluster_manager name
192.168.100.10            3          71   1    0.00    0.00     0.00 dimr      cluster_manager,data,ingest,remote_cluster_client *               node2

I can’t create the cluster, one node is not joining the other. Please help me!

My diagram was described here, just don’t have the VM3 and I haven’t configure the shared FS yet. rug cleaning

Both nodes have Dashboard installed.

Configuration:
Node1 /etc/opensearch/opensearch.yml:

cluster.name: logcluster
node.name: node1
node.roles: [ cluster_manager, data, ingest, remote_cluster_client ]
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
bootstrap.system_call_filter: false
network.host: [_local_, 192.168.100.9]
http.port: 9200
discovery.seed_hosts: ["192.168.100.9", "192.168.100.10"]
cluster.initial_cluster_manager_nodes: ["node1.local.arpa", "node2.local.arpa"]
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['C=US,ST=TEST,L=A,O=TEST,OU=TEST,CN=*.local.arpa']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
  .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
  .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
  .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
  .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
  .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
  .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
  .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
  .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
  .plugins-flow-framework-state]
node.max_local_storage_nodes: 3

Node2 /etc/opensearch/opensearch.yml:

cluster.name: logcluster
node.name: node2
node.roles: [ cluster_manager, data, ingest, remote_cluster_client ]
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
bootstrap.system_call_filter: false
network.host: [_local_, 192.168.100.10]
http.port: 9200
discovery.seed_hosts: ["192.168.100.9", "192.168.100.10"]
cluster.initial_cluster_manager_nodes: ["node1.local.arpa", "node2.local.arpa"]
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['C=US,ST=TEST,L=A,O=TEST,OU=TEST,CN=*.local.arpa']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
  .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
  .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
  .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
  .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
  .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
  .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
  .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
  .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
  .plugins-flow-framework-state]
node.max_local_storage_nodes: 3

Relevant Logs or Screenshots:
Node1 /var/log/opensearch/logcluster.log:
Texas Claims Adjuster
[2025-06-12T13:29:26,351][WARN ][stderr ] [node1] Jun 12, 2025 - Pastebin.com

Node2 /var/log/opensearch/logcluster.log:

[2025-06-12T13:02:44,177][WARN ][stderr ] [node2] Jun 12, 2025 - Pastebin.com

Your cluster isn’t forming because cluster.initial_cluster_manager_nodes must exactly match each node.name. In your config, node.name is node1 and node2, but you used node1.local.arpa and node2.local.arpa in cluster.initial_cluster_manager_nodes — so they won’t match. Update both configs to use [“node1”, “node2”]. Also, verify both nodes can reach each other on TCP port 9300 (transport port, not 9200), and that your SSL certificates trust each node’s hostname or IP. Restart both nodes after making these changes for the cluster to form.

qpmuvbr · June 30, 2025, 5:40pm

I tried to use full FQDN but still the same

qpmuvbr · June 30, 2025, 5:41pm

I was using Opensearch 3.0

Anthony · July 1, 2025, 9:57am

@qpmuvbr How did you create the certificates? Do you have the commands used perhaps? The issue seems to be with the generated certificate.

If you have not resolved this yet, I can try locally with the commands you provide and revert back.

qpmuvbr · July 1, 2025, 9:51pm

Why is there should be nodes_dn? I don’t see docs mention it.

qpmuvbr · July 1, 2025, 9:51pm

I used OPNsense’s GUI created them. I don’t think cert is the problem. It must be either my Opensearch configuration or the bug of Opensearch itself.
I shouldn’t need to verify host name. A certificate with wildcard should be enough.

Anthony · July 1, 2025, 10:59pm

@qpmuvbr nodes_dn are mentioned here. It’s a way for a node to know that the communication received with a given certificate is indeed internode communication.

Topic		Replies	Views
SSL Error unable to configure Opensearch Cluster in 6 VMs Security troubleshoot , configure	14	1620	March 8, 2023
Certificate_unknown error and combine two hosts into cluster Security	7	99	November 7, 2024
SSL doesn't work OpenSearch	27	302	July 10, 2025
Opensearch-2.3.0 multinode SSL setup issue Security troubleshoot , configure , install	13	942	December 10, 2022
Adding new node to existing one node cluster OpenSearch	9	29	July 16, 2025

Why can't I create a cluster?

Related topics