OpenDistro Nodes Certificate - OID

Is it a must to create the node certificates with an OID in the SAN entry?
Why is it required?

I am running into this issue.

[root@gcpxxx tools]# bash -x
++ hostname -f

  • sudo /usr/share/elasticsearch/plugins/opendistro_security/tools/ -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig -icl -key /etc/elasticsearch/host.key -cert /etc/elasticsearch/ServerCertificate.crt -cacert /etc/elasticsearch/ChainBundle2.crt -nhnv -h -dg --accept-red-cluster
    WARNING: JAVA_HOME not set, will use /bin/java
    Open Distro Security Admin v6
    Will connect to … done
    Unable to check whether cluster is sane: No user found for cluster:monitor/nodes/info
    Connected as,O=Kingkong,L=Houston,ST=Texas,C=US
    ERR: Seems you use a node certificate which is also an admin certificate
    That may have worked with older Open Distro Security versions but it indicates
    a configuration error and is therefore forbidden now.
    Diagnostic trace written to: /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin_diag_trace_2019-May-23_04-35-08.txt
    Contacting elasticsearch cluster ‘elasticsearch’ …
    Cannot retrieve cluster state due to: No user found for cluster:monitor/health. This is not an error, will keep on trying …
    Root cause: ElasticsearchSecurityException[No user found for cluster:monitor/health] (org.elasticsearch.ElasticsearchSecurityException/org.elasticsearch.ElasticsearchSecurityException)
    • Try running with -icl (but no -cl) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)
    • Make sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in elasticsearch.yml
    • If this is not working, try running with --diagnose and see diagnose trace log file)
    • Add --accept-red-cluster to allow securityadmin to operate on a red cluster.



Any help here, @Opendistro Team?