opensearch-project / ansible-playbook

🤖 A community repository for Ansible Playbook of OpenSearch Project.
https://opensearch.org/
Apache License 2.0
[BUG][Security Plugin configuration | Initialize the opensearch security index in opensearch with custom configs] #149

Closed wyfaq closed 9 months ago

wyfaq commented 9 months ago

Describe the bug

REST-layer traffic does not use TLS, but running securityadmin.sh failed. According to the official documentation (https://opensearch.org/docs/latest/security/configuration/tls/), the REST layer does not need to enable TLS, but an error will be reported when executing securityadmin.sh.

To Reproduce

Steps to reproduce the behavior:

  1. Turn off HTTPS for REST. The configuration is as follows: plugins.security.ssl.http.enabled: false
  2. Restart OpenSearch.
  3. Run securityadmin.sh. The command is as follows:

       bash /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -diagnose -cacert /usr/share/opensearch/config/root-ca.pem -cert /usr/share/opensearch/config/admin.pem -key /usr/share/opensearch/config/admin.key -f /usr/share/opensearch/config/opensearch-security/internal_users.yml -nhnv -icl -h 10.200.200.21

  4. The error message:

       Security Admin v7
       Will connect to 10.200.200.21:9200 ... done
       ERR: An unexpected IOException occured: Unrecognized SSL message, plaintext connection?
       Trace:
       java.io.IOException: Unrecognized SSL message, plaintext connection?
           at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:959)
           at org.opensearch.client.RestClient.performRequest(RestClient.java:333)
           at org.opensearch.client.RestClient.performRequest(RestClient.java:321)
           at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:573)
           at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:163)
       Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
           at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
           at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
           at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:612)
           at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
           at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
           at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
           at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:279)
           at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:333)
           at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:545)
           at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
           at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
           at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
           at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
           at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
           at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
           at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
           at java.base/java.lang.Thread.run(Thread.java:833)

Host/Environment (please complete the following information):

Solution: if TLS is not used for the REST layer, what should be done?

wyfaq commented 9 months ago

closed
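
A preflight check for the mismatch reported in this issue, as an added example that is not part of the original thread or the project's code: it classifies what the REST port answers to a plaintext request and compares that with `plugins.security.ssl.http.enabled`. The function names, the sample `opensearch.yml` text and the sample reply are constructed for illustration, and a missing key is assumed to mean REST TLS is off.

```python
import re
import socket

TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15  # TLS record content types

def classify_first_bytes(data: bytes) -> str:
    """Classify a listener's first reply bytes the way a TLS record parser would."""
    if data.startswith(b"HTTP/"):
        return "plaintext-http"  # what a TLS client rejects as "plaintext connection?"
    if len(data) >= 2 and data[0] in (TLS_HANDSHAKE, TLS_ALERT) and data[1] == 0x03:
        return "tls"
    return "unknown"             # empty reply, reset, or another protocol

def rest_tls_enabled(yml_text: str) -> bool:
    """Read plugins.security.ssl.http.enabled from opensearch.yml text.
    Commented-out lines are ignored; a missing key counts as disabled (assumption)."""
    m = re.search(r"^\s*plugins\.security\.ssl\.http\.enabled\s*:\s*['\"]?(\w+)",
                  yml_text, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "true"

def probe_rest_port(host: str, port: int = 9200, timeout: float = 3.0) -> bytes:
    """Send a plaintext HTTP request and return the first reply bytes (may be empty)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        try:
            return s.recv(16)
        except OSError:          # timeout or reset: nothing recognisable came back
            return b""

def preflight(yml_text: str, first_bytes: bytes) -> str:
    """Say whether a TLS-only client pointed at the REST port can handshake."""
    configured = rest_tls_enabled(yml_text)
    observed = classify_first_bytes(first_bytes)
    if observed == "plaintext-http":
        return "FAIL: REST port answers plaintext HTTP; a TLS client will abort"
    if observed == "tls" and not configured:
        return "WARN: port speaks TLS but this opensearch.yml leaves REST TLS off"
    if observed == "tls":
        return "OK: REST port speaks TLS"
    return "UNKNOWN: no recognisable reply (REST TLS configured: %s)" % configured

# Constructed sample input mirroring the report: REST TLS switched off.
SAMPLE_YML = "cluster.name: demo\nplugins.security.ssl.http.enabled: false\n"
SAMPLE_REPLY = b"HTTP/1.0 401 Unauthorized\r\n"  # constructed plaintext reply

if __name__ == "__main__":
    print(preflight(SAMPLE_YML, SAMPLE_REPLY))
```

Against a live node, pass `probe_rest_port(host)` as the second argument to `preflight` in place of the constructed reply.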