Can't access security plugin REST API using custom certificates

Hello,

I have set up my cluster using the Helm build and been able to use the security plugin REST API while working with the demo certificates using the admin user.

I followed this documentation to create my self-signed certificates: Generate Certificates - Open Distro Documentation

But after setting my self-signed certificates, I can’t access the security API anymore (other APIs like _cat still work fine). For example, this query:

curl -XGET https://localhost:9200/_opendistro/_security/api/internalusers/ -u 'admin:admin' --insecure

will give me this error:

{"status":"FORBIDDEN","message":"No permission to access REST API: User admin with Open Distro Security Roles [all_access, own_index] does not have any role privileged for admin access. **No client TLS certificate found in request**"}

Here is my elasticsearch.yml :

#cluster.name: "docker-cluster"
#network.host: 0.0.0.0
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
cluster.routing.allocation.disk.threshold_enabled: false
opendistro_security.audit.config.disabled_rest_categories: NONE
opendistro_security.audit.config.disabled_transport_categories: NONE
opendistro_security.nodes_dn:
  - 'CN=TRANSPORT,O=Test,L=Paris,ST=Some-State,C=FR'
opendistro_security.authcz.admin_dn:
  - 'CN=ADMIN,O=Test,L=Paris,ST=Some-State,C=FR'

opendistro_security.restapi.roles_enabled: [“all_access”, “security_rest_api_access”]
opendistro_security.system_indices.enabled: true
opendistro_security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]
# TLS Configuration Transport Layer
opendistro_security.ssl.transport.pemcert_filepath: elk-transport-crt.pem
opendistro_security.ssl.transport.pemkey_filepath: elk-transport-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: elk-transport-root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false

# TLS Configuration REST Layer
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: elk-rest-crt.pem
opendistro_security.ssl.http.pemkey_filepath: elk-rest-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: elk-rest-root-ca.pem

Any idea what I’m missing here?

OK, I just figured it out; this was a typo issue. Changing the “ to " fixed it…

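Why the typographic quotes broke role-based access, as an added example that is not part of the original post or of the Open Distro project's code: in YAML, only ASCII " and ' delimit quoted scalars, so `“all_access”` is a plain scalar whose value literally contains the curly quotes and therefore never matches the role name `all_access`. The snippet below models that with a deliberately small flow-sequence parser (an assumption; real YAML parsers are far more general), a check that flags non-ASCII quotes in an elasticsearch.yml, and a simplified model of the plugin's REST API gate (the two paths named in the error message above: an admin client certificate, or a role listed in `restapi.roles_enabled`). The config excerpts are constructed from the post; `rest_api_allowed` is a hypothetical helper, not the plugin's own logic, and it compares the certificate DN as a plain string rather than as a normalized X.500 name.

```python
"""Model why a curly-quoted restapi.roles_enabled list breaks security REST API access."""
from __future__ import annotations

import unicodedata

# Constructed excerpts of the two elasticsearch.yml variants discussed above:
# the broken line with typographic quotes and the corrected line with ASCII quotes.
BROKEN_YML = (
    "opendistro_security.restapi.roles_enabled: "
    "[\u201call_access\u201d, \u201csecurity_rest_api_access\u201d]\n"
)
FIXED_YML = (
    'opendistro_security.restapi.roles_enabled: '
    '["all_access", "security_rest_api_access"]\n'
)
# Admin DN from the posted config (the authcz.admin_dn path).
ADMIN_DN = "CN=ADMIN,O=Test,L=Paris,ST=Some-State,C=FR"

# Characters that look like quotes in an editor but are not YAML quotes.
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def parse_flow_list(value: str) -> list[str]:
    """Parse a YAML flow sequence of scalars such as ["a", 'b', c].

    Simplified model (assumption): only ASCII " and ' strip off, as in real
    YAML; anything else is a plain scalar kept verbatim, so a typographic
    quote ends up inside the role name.
    """
    value = value.strip()
    if not (value.startswith("[") and value.endswith("]")):
        raise ValueError("not a flow sequence: %r" % value)
    items = []
    for raw in value[1:-1].split(","):
        raw = raw.strip()
        if not raw:
            continue
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            raw = raw[1:-1]
        items.append(raw)
    return items


def rest_api_roles(yml_text: str) -> list[str]:
    """Return the roles listed under opendistro_security.restapi.roles_enabled."""
    for line in yml_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "opendistro_security.restapi.roles_enabled":
            return parse_flow_list(value)
    return []


def find_typographic_quotes(yml_text: str) -> list[tuple[int, str]]:
    """Return (line number, character name) for every non-ASCII quote in the file."""
    hits = []
    for lineno, line in enumerate(yml_text.splitlines(), start=1):
        for ch in line:
            if ch in TYPOGRAPHIC_QUOTES:
                hits.append((lineno, unicodedata.name(ch)))
    return hits


def rest_api_allowed(user_roles, enabled_roles, client_cert_dn=None, admin_dns=(ADMIN_DN,)):
    """Hypothetical, simplified model of the plugin's REST API gate.

    Access is granted either by a client TLS certificate whose DN is listed in
    authcz.admin_dn, or by holding one of the roles in restapi.roles_enabled.
    Role names are compared as exact strings, which is the whole point here.
    """
    if client_cert_dn is not None and client_cert_dn in admin_dns:
        return True
    return any(role in enabled_roles for role in user_roles)


if __name__ == "__main__":
    admin_roles = ["all_access", "own_index"]  # roles named in the error message
    for label, yml in (("broken", BROKEN_YML), ("fixed", FIXED_YML)):
        roles = rest_api_roles(yml)
        print(label, "roles_enabled parsed as", roles)
        print(label, "admin via roles:", rest_api_allowed(admin_roles, roles))
        print(label, "non-ASCII quotes:", find_typographic_quotes(yml))
```

Running it shows the broken config's enabled roles as `“all_access”` and `“security_rest_api_access”`, so `admin` (roles `all_access`, `own_index`) is refused unless the request carries the admin client certificate, which is exactly the FORBIDDEN message in the post. A quick `grep -nP '[\x{201c}\x{201d}\x{2018}\x{2019}]' elasticsearch.yml` before restarting the nodes catches the same class of typo.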