TROUBLESHOOTING Opendistro Security
No subject alternative names matching IP address
You may hit this error when the hostname of each node of your Elasticsearch cluster is resolved through DNS. Make sure that:
- The CN of the node's certificate refers to the hostname of the node
- The Elasticsearch setting opendistro_security.nodes_dn contains the DNs of all the nodes of the cluster
- The value of the setting opendistro_security.ssl.transport.enforce_hostname_verification is correct for your platform
- You can ping the hosts of the cluster
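The certificate and nodes_dn checks above can be scripted. The following is an added example, not part of the original page: it tests whether a certificate's SAN entries cover the address peers connect to, and whether its subject DN is listed under opendistro_security.nodes_dn. The function names and sample values are constructed; it assumes hostnames or IPv4 addresses, a block-style YAML list, and verbatim DN entries.

```shell
# Added example (not from the original page); all sample values are constructed.
# Dump what the checks below parse. Needs OpenSSL 1.1.1+ for -ext.
cert_info() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 -ext subjectAltName
}
# Subject DN taken from cert_info output.
subject_dn() { printf '%s\n' "$1" | sed -n 's/^subject= *//p'; }

# san_covers INFO ADDR: succeed if ADDR (hostname or IPv4) matches a SAN entry.
# A "*." entry covers exactly one leading label. IPv6 is not handled.
san_covers() {
    printf '%s\n' "$1" | awk -v addr="$2" '
        BEGIN { addr = tolower(addr); rc = 1
                kind = (addr ~ /^[0-9.]+$/) ? "IP Address:" : "DNS:" }
        { n = split($0, part, ",")
          for (i = 1; i <= n; i++) {
              e = part[i]; sub(/^[ \t]+/, "", e)
              if (index(e, kind) != 1) continue
              v = tolower(substr(e, length(kind) + 1))
              p = index(addr, ".")
              if (v == addr) rc = 0
              else if (kind == "DNS:" && substr(v, 1, 2) == "*." && p > 1 &&
                       substr(addr, p) == substr(v, 2)) rc = 0
          } }
        END { exit rc }'
}

# nodes_dn_has YML DN: succeed if DN is listed verbatim (block-style list)
# under opendistro_security.nodes_dn in the elasticsearch.yml text YML.
nodes_dn_has() {
    printf '%s\n' "$1" | awk -v dn="$2" -v q="'" '
        /^opendistro_security\.nodes_dn:/ { inlist = 1; next }
        inlist && /^[ \t]*-/ {
            v = $0; sub(/^[ \t]*-[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            c = substr(v, 1, 1)
            if (c == q || c == "\"") v = substr(v, 2, length(v) - 2)
            if (v == dn) found = 1
            next }
        { inlist = 0 }
        END { exit !found }'
}

# Constructed cert_info output: DNS SANs only, so a peer dialing the node by
# IP address fails hostname verification.
SAMPLE_INFO='subject=CN=node1.example.com,OU=SSL,O=Test,L=Test,C=DE
X509v3 Subject Alternative Name:
    DNS:node1.example.com, DNS:*.es.example.com'
SAMPLE_YML="opendistro_security.nodes_dn:
  - 'CN=node1.example.com,OU=SSL,O=Test,L=Test,C=DE'
opendistro_security.ssl.transport.enforce_hostname_verification: true"
```

On a real node, run `info=$(cert_info /path/to/node-cert.pem)` and pass `$info` with the address the other nodes use to reach it.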
Opendistro index is RED
In this case, the cluster should not be able to start.
Try one of the following solutions.
Try to update the cluster security configuration while ignoring the red cluster state, with:
    ./security-admin.sh -cd ../securityconfig \
      -icl -nhnv -arc \
      -cacert ../../../cacert.pem \
      -cert ../../../cert.pem \
      -key ../../../key.pem
Disable Opendistro Security Plugin and restart
Disable the security plugin by editing the Elasticsearch config file elasticsearch.yml with:
Then restart Elasticsearch. Let the cluster turn green, then enable Opendistro Security with:
Finally, restart Elasticsearch again.
Backup and Reinstall Opendistro Security
First of all, make sure you have the Opendistro Security plugin's archive (zip or tar.gz) on your hosts.
Stop Elasticsearch and Kibana, then copy the following directories somewhere on the filesystem:
    ES_HOME/config
    ES_HOME/plugins/opendistro_security
    KIBANA_HOME/config
    KIBANA_HOME/plugins/opendistro_security
Uninstall the Opendistro Security plugin from both Elasticsearch and Kibana:
    ES_HOME/bin/elasticsearch-plugin remove opendistro_security
    KIBANA_HOME/bin/kibana-plugin remove opendistro_security
Start Elasticsearch and Kibana and let them turn green.
Stop them again.
Re-install the Opendistro Security plugin on both Elasticsearch and Kibana:
    ES_HOME/bin/elasticsearch-plugin install --batch -s file://<path/to/opendistro/for/es/archive>
    KIBANA_HOME/bin/kibana-plugin install -q --no-optimize file://<path/to/opendistro/for/kibana/archive>
Restore the config and opendistro_security directories you previously saved by copying them to the proper locations in Elasticsearch and Kibana. This should overwrite the default configurations with your old ones.
Finally, start them again. You should get back all your roles, users, tenants, visualisations and dashboards.