Authentication finally failed #1337

Closed
bn1980 opened this issue May 11, 2024 · 6 comments

@bn1980

bn1980 commented May 11, 2024

I am having issues deploying wazuh-docker 4.7.4

I am running wazuh.dashboard on port 1443

But I am getting these errors.

wazuh.indexer_1    | [2024-05-11T01:01:28,262][WARN ][o.o.s.a.BackendRegistry  ] [wazuh.indexer] Authentication finally failed for kibanaserver from 172.30.0.4:57398
wazuh.dashboard_1  | {"type":"log","@timestamp":"2024-05-11T01:01:28Z","tags":["error","opensearch","data"],"pid":54,"message":"[ResponseError]: Response Error"}

Full log is here
https://logpaste.com/JCqAWAys
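
The indexer warning quoted above can be tallied per account and source address, which separates one misconfigured service account from scattered failures. This is an added example, not part of the original issue or of the Wazuh project's code; the sample lines are constructed from the one quoted in the issue, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue thread): tally indexer authentication
# failures per user and source IP. Function names are hypothetical.

# Constructed sample input, modelled on the log line quoted in the issue.
sample_log() {
cat <<'EOF'
wazuh.indexer_1    | [2024-05-11T01:01:28,262][WARN ][o.o.s.a.BackendRegistry  ] [wazuh.indexer] Authentication finally failed for kibanaserver from 172.30.0.4:57398
wazuh.indexer_1    | [2024-05-11T01:01:30,771][WARN ][o.o.s.a.BackendRegistry  ] [wazuh.indexer] Authentication finally failed for kibanaserver from 172.30.0.4:57412
wazuh.indexer_1    | [2024-05-11T01:01:31,004][INFO ][o.o.n.Node               ] [wazuh.indexer] started
wazuh.indexer_1    | [2024-05-11T01:01:33,120][WARN ][o.o.s.a.BackendRegistry  ] [wazuh.indexer] Authentication finally failed for admin from 172.30.0.3:40122
EOF
}

# Reads indexer log lines on stdin (for example from `docker logs`) and prints
# "count user source_ip first_seen last_seen" per (user, source IP) pair.
auth_failures() {
  awk '
    /Authentication finally failed for / {
      # Timestamp is the text inside the first [...] pair on the line.
      i = index($0, "["); j = index($0, "]")
      ts = (i > 0 && j > i) ? substr($0, i + 1, j - i - 1) : "-"
      # Keep only what follows the fixed message prefix: "<user> from <ip>:<port>".
      rest = $0
      sub(/^.*Authentication finally failed for /, "", rest)
      if (split(rest, f, " from ") < 2) next
      user = f[1]; src = f[2]
      # Drop the ephemeral client port so reconnects group together.
      sub(/:[0-9]+[ \t\r]*$/, "", src)
      key = user " " src
      if (!(key in count)) { first[key] = ts; order[++n] = key }
      count[key]++; last[key] = ts
    }
    END {
      for (k = 1; k <= n; k++)
        print count[order[k]], order[k], first[order[k]], last[order[k]]
    }
  '
}

sample_log | auth_failures
```

A single service account such as kibanaserver failing repeatedly from one container-network address typically points to a credential mismatch between the dashboard and the indexer rather than to scattered login attempts.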

@davidcr01
Contributor

Hello. This error is expected when the Wazuh manager IndexerConnector module is not accessible to the Wazuh indexer. A few questions here:

  • How did you change the port of the Wazuh dashboard? Did you modify the docker-compose.yml correctly?
  • Can you access the Wazuh UI?
  • Did the errors stop generating long after?

Personally, I deployed the Wazuh docker deployment changing the Wazuh dashboard port and I did not have any problems. Please, make sure you are changing the Wazuh dashboard port correctly in the docker-compose.yml file.

@bn1980
Author

bn1980 commented May 13, 2024

Thanks for the reply @davidcr01

I simply changed the port in docker-compose.yml and that is all.

I cannot access the Wazuh UI at all.
The errors keep generating until I shut the docker compose down.

@bn1980
Author

bn1980 commented May 13, 2024

But even with the port set to 443 I am receiving the same error.

@davidcr01
Contributor

Hello. Did you follow the official documentation of the Docker deployment?

Please, could you share the content of:

  • The /etc/wazuh-indexer/opensearch.yml of the Wazuh indexer container. You can access it with docker exec -it single-node-wazuh.indexer-1 bash if your deployment is single-node.
  • The /etc/wazuh-dashboard/opensearch-dashboards.yml of the Wazuh dashboard container. You can access it with docker exec -it single-node-wazuh.dashboard-1 bash if your deployment is single-node.
  • The last logs of the Wazuh indexer container. You can get these with docker logs single-node-wazuh.indexer-1.

Also, you can use the container IDs of your deployments instead of the names. You can get the container IDs with the docker ps -a command.

@bn1980
Author

bn1980 commented May 13, 2024

FYI my opensearch.yml is in /usr/share/wazuh-indexer.

wazuh-indexer@wazuh:~$ pwd
**/usr/share/wazuh-indexer**

wazuh-indexer@wazuh:~$ cat opensearch.yml
network.host: "0.0.0.0"
node.name: "wazuh.indexer"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
discovery.type: single-node
http.port: 9200-9299
transport.tcp.port: 9300-9399
compatibility.override_main_response_version: true
plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
plugins.security.allow_default_init_securityindex: true
cluster.routing.allocation.disk.threshold_enabled: false
wazuh-indexer@wazuh:~$

and opensearch_dashboards was in /usr/share/wazuh-dashboards/config/

wazuh-dashboard@wazuh:~/config$ pwd
**/usr/share/wazuh-dashboard/config**

wazuh-dashboard@wazuh:~/config$ cat opensearch_dashboards.
opensearch_dashboards.keystore  opensearch_dashboards.yml
wazuh-dashboard@wazuh:~/config$ cat opensearch_dashboards.yml
server.host: 0.0.0.0
server.port: 5601
opensearch.hosts: https://wazuh.indexer:9200
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh
wazuh-dashboard@wazuh:~/config$

Here is the log from wazuh indexer container
https://logpaste.com/W5ARkp0y

Thank you for your help on this.

@davidcr01
Contributor

Hello.

  • Did you change the passwords? If the answer is yes, did you insert any special characters like $ or "? Maybe the hash is incorrect and is making the trouble.
  • Can you share the output of the commands in order to test the connections of the Wazuh indexer? Run the following commands on the machine where you started the Wazuh stack with Docker.
curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k
curl -XGET "https://0.0.0.0:9200/_cluster/health" -u kibanaserver:kibanaserver -k

If you previously specified another password for these users (you changed the passwords), please change the commands.
