
TROUBLESHOOTING Opendistro Security

No subject alternative names matching IP address

This error can occur when the nodes of your Elasticsearch cluster resolve each other's hostnames through DNS. Make sure that:

  1. The CN of the node's certificate refers to the hostname of the node
  2. Elasticsearch's configuration opendistro_security.nodes_dn contains the DNs of all the nodes of the cluster
  3. The value of the configuration opendistro_security.ssl.transport.enforce_hostname_verification is correct, according to your platform
  4. You can ping the hosts of the cluster
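
The first two checks can be run against a node certificate before touching the cluster. The script below is an added example, not part of the original page: it reads the text printed by `openssl x509 -noout -subject -nameopt RFC2253 -ext subjectAltName` and reports whether a given address is covered by a SAN entry. The function names `cert_subject` and `san_check`, and the sample hostnames and IP addresses, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. CERT_TEXT is the output of:
#   openssl x509 -in node.pem -noout -subject -nameopt RFC2253 -ext subjectAltName
# SAMPLE_CERT_TEXT is constructed for illustration; names and addresses are made up.
SAMPLE_CERT_TEXT='subject=CN=node1.es.example.internal,OU=ops,O=Example
X509v3 Subject Alternative Name:
    DNS:node1.es.example.internal, DNS:*.data.example.internal, IP Address:10.0.0.11'

# cert_subject CERT_TEXT: print the DN to compare with opendistro_security.nodes_dn.
cert_subject() { printf '%s\n' "$1" | sed -n 's/^subject=//p'; }

# san_check CERT_TEXT ADDR: print "match <entry>", "no-match" or "no-san";
# return 0 only on a match. An IPv4 literal is compared with "IP Address:"
# entries only, a hostname with "DNS:" entries only ("*." covers one label).
# Not modelled: IPv6 literals, CN fallback for hostnames when no DNS SAN exists.
san_check() {
    printf '%s\n' "$1" | awk -v addr="$2" '
        function wildcard(pat, host,    suffix, head) {
            if (substr(pat, 1, 2) != "*.") return 0
            suffix = substr(pat, 2)
            if (length(host) <= length(suffix)) return 0
            head = substr(host, 1, length(host) - length(suffix))
            return (substr(host, length(head) + 1) == suffix && head !~ /\./)
        }
        BEGIN {
            addr = tolower(addr)
            kind = (addr ~ /^[0-9.]+$/) ? "IP Address" : "DNS"
            result = "no-san"
        }
        /Subject Alternative Name/ {
            getline
            result = "no-match"
            n = split($0, entry, ",")
            for (i = 1; i <= n; i++) {
                e = entry[i]
                gsub(/^[ \t]+|[ \t]+$/, "", e)
                c = index(e, ":")
                if (substr(e, 1, c - 1) != kind) continue
                value = tolower(substr(e, c + 1))
                if (value == addr || wildcard(value, addr)) { result = "match " e; exit }
            }
        }
        END { print result; exit (result ~ /^match/ ? 0 : 1) }'
}

echo "nodes_dn candidate: $(cert_subject "$SAMPLE_CERT_TEXT")"
for a in 10.0.0.11 10.0.0.12 node7.data.example.internal; do
    printf '%-30s %s\n' "$a" "$(san_check "$SAMPLE_CERT_TEXT" "$a")"
done
```

A `no-match` result for an IP address is the situation behind this error: the certificate carries SAN entries, but none of type IP Address for the address the node was contacted on.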

Opendistro index is RED

In this case, the cluster should not be able to start.

Try one of the following solutions:

Accept-red-cluster ARC

Try to update the cluster security configuration while ignoring the red cluster state, with:

./security-admin.sh -cd ../securityconfig \
    -icl -nhnv -arc \
    -cacert ../../../cacert.pem \
    -cert ../../../cert.pem \
    -key ../../../key.pem

Disable Opendistro Security Plugin and restart

Disable the security plugin by editing the Elasticsearch configuration file elasticsearch.yml with:

opendistro_security.disabled: true

Then restart Elasticsearch. Let the cluster turn green, then enable Opendistro Security with:

opendistro_security.disabled: false

Finally, restart Elasticsearch again.

Backup and Reinstall Opendistro Security

Warning

First of all, make sure you have the Opendistro Security plugin archive (zip or tar.gz) on your hosts.

Stop Elasticsearch and Kibana, then copy the following directories somewhere on the filesystem:

ES_HOME/config
ES_HOME/plugins/opendistro_security
KIBANA_HOME/config
KIBANA_HOME/plugins/opendistro_security

Uninstall the Opendistro Security plugin from both Elasticsearch and Kibana:

ES_HOME/bin/elasticsearch-plugin remove opendistro_security
KIBANA_HOME/bin/kibana-plugin remove opendistro_security

Start Elasticsearch and Kibana and let them turn green.
Stop them again.

Re-install the Opendistro Security plugin on both Elasticsearch and Kibana:

ES_HOME/bin/elasticsearch-plugin install --batch -s file://<path/to/opendistro/for/es/archive>
KIBANA_HOME/bin/kibana-plugin install -q --no-optimize file://<path/to/opendistro/for/kibana/archive>

Restore the config and opendistro_security directories you previously saved by copying them back to their proper locations in Elasticsearch and Kibana. This action should overwrite the default configurations with your old ones.

Finally, start them again. You should recover all your roles, users, tenants, visualisations and dashboards.