Having issues following the installation

This post was flagged by the community and is temporarily hidden.

This post was flagged by the community and is temporarily hidden.

This post was flagged by the community and is temporarily hidden.

Hi @raineng, I think the issue here is that you removed network.host from docker-compose.yml. Try the following:

opendistro_security.ssl.transport.pemcert_filepath: node.pem
opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node.pem
opendistro_security.ssl.http.pemkey_filepath: node-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA
opendistro_security.nodes_dn:
  - 'CN=N,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
version: '3'
services:
 odfe-node1:
   image: amazon/opendistro-for-elasticsearch:1.0.1
   container_name: odfe-node1
   environment:
     - cluster.name=odfe-cluster
     - node.name=odfe-node1
     - discovery.type=single-node
     - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
     - "ES_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
     - network.host=0.0.0.0
   ulimits:
     memlock:
       soft: -1
       hard: -1
     nofile:
       soft: 65536 # maximum number of open files for the Elasticsearch user, set to at least 65536 on modern systems
       hard: 65536
   volumes:
     - odfe-data1:/usr/share/elasticsearch/data
     - ./root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
     - ./node.pem:/usr/share/elasticsearch/config/node.pem
     - ./node-key.pem:/usr/share/elasticsearch/config/node-key.pem
     - ./admin.pem:/usr/share/elasticsearch/config/admin.pem
     - ./admin-key.pem:/usr/share/elasticsearch/config/admin-key.pem
     - ./custom-elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
   ports:
     - 9200:9200
     - 9600:9600 # required for Performance Analyzer
   networks:
     - odfe-net

volumes:
 odfe-data1:

networks:
 odfe-net:

kirk.pem refers to the admin certificate, which you need in order to run securityadmin.sh. The node certificates encrypt traffic between nodes, so they’re not super important in this case, but this configuration adds them anyway.

@aetter Thank you very much for you help. I think I’m getting some where now. Now it runs fine, the only error I get is when I try to access it from https, I get something like this
SSLHandshakeException: Received fatal alert: certificate_unknown

I also created all certs again just to be sure. :frowning:

Sure, I’ve encountered that error before, and I want to say that it was a mismatch between the DN string in elasticsearch.yml and the one in the certificate itself (https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/generate-certificates/#get-distinguished-names).

Other things to check are that file names/paths are a match, ensuring that your certificate is Java-compatible (https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/generate-certificates/#generate-admin-certificate), whitespace within a field, and unescaped commas (https://opendistro.github.io/for-elasticsearch-docs/docs/troubleshoot/tls/#check-for-special-characters-and-whitespace-in-dns).

@aetter Thank you so much. I found out why. I should have set the Common Name as the domain that I’m trying to use to connect to the site. I feel so stupid. Again, thank you so much for your help, I wouldn’t have made it without you.

Hi @raineng, that’s fantastic news. Don’t feel stupid. Most things in this world that are super flexible and configurable and offer lots of functionality are, well, really hard to get started with. The Security plugin is no different. Even if we agree that the design is good, I think we can all agree that nothing about certificates, DNs, and YAML files is immediately intuitive. :slight_smile: I’m just glad you’re up and running!