Describe the bug
REST-layer traffic does not use TLS, but running securityadmin.sh failed.
According to the official documentation (https://opensearch.org/docs/latest/security/configuration/tls/), the REST layer does not need to enable TLS, but an error will be reported when executing securityadmin.sh.
To Reproduce
Steps to reproduce the behavior:
Turn off HTTPS for REST. The configuration is as follows:
plugins.security.ssl.http.enabled: false
Restart OpenSearch.
Run securityadmin.sh. The command is as follows:
bash /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -diagnose -cacert /usr/share/opensearch/config/root-ca.pem -cert /usr/share/opensearch/config/admin.pem -key /usr/share/opensearch/config/admin.key -f /usr/share/opensearch/config/opensearch-security/internal_users.yml -nhnv -icl -h 10.200.200.21
The error message:
Security Admin v7
Will connect to 10.200.200.21:9200 ... done
ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection?
Trace:
java.io.IOException: Unrecognized SSL message, plaintext connection?
at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:959)
at org.opensearch.client.RestClient.performRequest(RestClient.java:333)
at org.opensearch.client.RestClient.performRequest(RestClient.java:321)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:573)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:163)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:612)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:279)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:333)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:545)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
at java.base/java.lang.Thread.run(Thread.java:833)
Screenshots
Host/Environment (please complete the following information):
Ansible Version: [2.15.6]
Playbook Version: [2.10.0]
Solution
If TLS is not used for the REST layer, what should be done?
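
Added example, not part of the original report or of the OpenSearch project's code: the trace above is a TLS client receiving plaintext from the listener, and this Python probe classifies a port the same way before an admin tool is pointed at it. `probe_listener` and `start_plaintext_stub` are hypothetical names, and the stub is a constructed local stand-in for a REST port running with plugins.security.ssl.http.enabled: false.

```python
import socket
import ssl
import threading

def probe_listener(host, port, timeout=3.0):
    """Classify a listener as 'tls', 'plaintext', 'unknown' or 'unreachable'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic only: the handshake is used to
    ctx.verify_mode = ssl.CERT_NONE  # classify the protocol, no data is sent over it
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"         # refused, filtered or timed out on connect
    with raw:
        try:
            with ctx.wrap_socket(raw):
                return "tls"         # handshake completed
        except ssl.SSLEOFError:
            return "unknown"         # peer closed without answering
        except ssl.SSLError:
            return "plaintext"       # peer answered the ClientHello with non-TLS bytes
        except OSError:
            return "unknown"         # reset or timeout during the handshake

def start_plaintext_stub():
    """Constructed stand-in for a REST port with TLS disabled: answers any
    bytes with a plain HTTP response. Returns the ephemeral port it uses."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)          # swallow the client's TLS ClientHello
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\ncontent-length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_plaintext_stub()
    print(port, probe_listener("127.0.0.1", port))
```

A result of `plaintext` on the REST port matches the "Unrecognized SSL message, plaintext connection?" failure shown in the trace.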