wazuh / wazuh-kubernetes

Wazuh - Wazuh Kubernetes
https://wazuh.com/
GNU General Public License v2.0

Wazuh-indexer fails to assemble the cluster with "Transport client authentication no longer supported" (v 4.7.2) #604

Open zentavr opened 6 months ago

zentavr commented 6 months ago

I'm trying to install Wazuh with these YAMLs into my Kubernetes cluster and get the error `Transport client authentication no longer supported` from the wazuh-indexer component.

Logs from the slave node:

[2024-02-28T21:24:36,802][ERROR][o.o.s.a.BackendRegistry  ] [wazuh-indexer-2] Not yet initialized (you may need to run securityadmin)
[2024-02-28T21:24:36,805][ERROR][o.o.s.a.BackendRegistry  ] [wazuh-indexer-2] Not yet initialized (you may need to run securityadmin)
[2024-02-28T21:24:36,807][ERROR][o.o.s.a.BackendRegistry  ] [wazuh-indexer-2] Not yet initialized (you may need to run securityadmin)
[2024-02-28T21:24:36,809][ERROR][o.o.s.a.BackendRegistry  ] [wazuh-indexer-2] Not yet initialized (you may need to run securityadmin)
[2024-02-28T21:24:36,873][INFO ][o.o.s.c.ConfigurationRepository] [wazuh-indexer-2] Wait for cluster to be available ...
[2024-02-28T21:24:37,720][WARN ][o.o.d.HandshakingTransportAddressConnector] [wazuh-indexer-2] handshake failed for [connectToRemoteMasterNode[172.20.7.13:9300]]
org.opensearch.transport.RemoteTransportException: [wazuh-indexer-0][172.20.7.13:9300][internal:transport/handshake]
Caused by: org.opensearch.OpenSearchException: Transport client authentication no longer supported.
 at org.opensearch.security.ssl.util.ExceptionUtils.createTransportClientNoLongerSupportedException(ExceptionUtils.java:63) ~[?:?]
 at org.opensearch.security.transport.SecurityRequestHandler.messageReceivedDecorate(SecurityRequestHandler.java:267) ~[?:?]
 at org.opensearch.security.ssl.transport.SecuritySSLRequestHandler.messageReceived(SecuritySSLRequestHandler.java:152) ~[?:?]
 at org.opensearch.security.OpenSearchSecurityPlugin$7$1.messageReceived(OpenSearchSecurityPlugin.java:673) ~[?:?]
 at org.opensearch.indexmanagement.rollup.interceptor.RollupInterceptor$interceptHandler$1.messageReceived(RollupInterceptor.kt:113) ~[?:?]
 at org.opensearch.performanceanalyzer.transport.PerformanceAnalyzerTransportRequestHandler.messageReceived(PerformanceAnalyzerTransportRequestHandler.java:43) ~[?:?]
 at org.opensearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:106) ~[opensearch-2.8.0.jar:2.8.0]
 at org.opensearch.transport.InboundHandler.handleRequest(InboundHandler.java:249) ~[opensearch-2.8.0.jar:2.8.0]
 at org.opensearch.transport.InboundHandler.messageReceived(InboundHandler.java:132) ~[opensearch-2.8.0.jar:2.8.0]
 at org.opensearch.transport.InboundHandler.inboundMessage(InboundHandler.java:114) ~[opensearch-2.8.0.jar:2.8.0]
 at org.opensearch.transport.TcpTransport.inboundMessage(TcpTransport.java:769) ~[opensearch-2.8.0.jar:2.8.0]
 at org.opensearch.transport.InboundPipeline.forwardFragments(InboundPipeline.java:175) ~[opensearch-2.8.0.jar:2.8.0]
 at org.opensearch.transport.InboundPipeline.doHandleBytes(InboundPipeline.java:150) ~[opensearch-2.8.0.jar:2.8.0]
 at org.opensearch.transport.InboundPipeline.handleBytes(InboundPipeline.java:115) ~[opensearch-2.8.0.jar:2.8.0]
 at org.opensearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:94) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
 at io.netty.handler.logging.LoggingHandler.channelRead(LoggingHandler.java:280) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
 at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
 at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1383) ~[?:?]
 at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1246) ~[?:?]
 at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1295) ~[?:?]
 at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529) ~[?:?]
 at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468) ~[?:?]
 at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[?:?]
 at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[?:?]
 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[?:?]
 at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[?:?]
 at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[?:?]
 at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) ~[?:?]
 at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:689) ~[?:?]
 at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:652) ~[?:?]
 at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[?:?]
 at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) ~[?:?]
 at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]
 at java.lang.Thread.run(Thread.java:833) [?:?]
[2024-02-28T21:24:37,873][INFO ][o.o.s.c.ConfigurationRepository] [wazuh-indexer-2] Wait for cluster to be available ...

Logs from the master node:

[2024-02-28T21:20:59,751][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-02-28T21:20:59,756][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-02-28T21:20:59,785][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [wazuh-indexer-0] Detected cluster change event for destination migration
[2024-02-28T21:21:00,601][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-02-28T21:21:00,702][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-02-28T21:21:01,599][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-02-28T21:21:01,692][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-02-28T21:21:02,671][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-02-28T21:21:02,751][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-02-28T21:21:03,621][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-02-28T21:21:03,701][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-02-28T21:21:04,598][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-02-28T21:21:04,708][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-02-28T21:21:05,605][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
[2024-02-28T21:21:05,693][ERROR][o.o.s.t.SecurityRequestHandler] [wazuh-indexer-0] OpenSearchException[Transport client authentication no longer supported.]
zentavr commented 6 months ago

Seems like I've found the issue: the DN in the certificates was in reverse order:

(.venv) zentavr-m2:.self-signed zentavr$ openssl x509 -subject -nameopt RFC2253 -noout -in node.pem 
subject=CN=*.wazuh-indexer,O=Company,L=California,C=US
(.venv) zentavr-m2:.self-signed zentavr$ openssl x509 -subject -nameopt RFC2253 -noout -in ../node.pem 
subject=C=US,L=California,O=TI,CN=*.wazuh-indexer
(.venv) zentavr-m2:.self-signed zentavr$ openssl x509 -subject -nameopt RFC2253 -noout -in admin.pem 
subject=CN=admin,O=Company,L=California,C=US
(.venv) zentavr-m2:.self-signed zentavr$ openssl x509 -subject -nameopt RFC2253 -noout -in ../admin.pem 

So my opensearch.yml looks like:

plugins.security.authcz.admin_dn:
  # openssl x509 -subject -nameopt RFC2253 -noout -in admin.pem
  - 'CN=admin,O=TI,L=California,C=US'
  - 'C=US,L=California,O=TI,CN=admin'
plugins.security.nodes_dn:
  # openssl x509 -subject -nameopt RFC2253 -noout -in node.pem
  - 'CN=*.wazuh-indexer,O=TI,L=California,C=US'
  - 'C=US,L=California,O=TI,CN=*.wazuh-indexer'
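The security plugin compares the peer certificate's subject, rendered in RFC 2253 order (CN first, no spaces), as a string against the `nodes_dn` and `admin_dn` entries; a node whose subject matches nothing in `nodes_dn` is treated as a legacy transport client, which is where the "Transport client authentication no longer supported" handshake failure comes from. The script below is an added example, not code from the wazuh-kubernetes project or from this thread. It assumes subjects are pasted from `openssl x509 -subject -noout` (OpenSSL's default, country-first order) and approximates the plugin's wildcard matcher with `*`/`?` globs and `/regex/` entries; the sample certificates and config lists are constructed from the DNs in the comment above, including an `O=Company` subject like the one the first `node.pem` output shows, which fails against an `O=TI` entry just as the reversed order does.

```python
"""Check wazuh-indexer nodes_dn / admin_dn entries against certificate subjects.

Added example, not code from the wazuh-kubernetes project. Assumes subject
strings come from `openssl x509 -subject -noout -in cert.pem` (default order,
"C = US, L = California, O = TI, CN = ...") or from `-nameopt RFC2253`
(reversed, no spaces). The wildcard handling approximates the security
plugin's matcher: '/.../' is a regex, '*' and '?' are globs, rest is literal.
Multi-valued RDNs joined with '+' are not handled.
"""
import re

_SPLIT_RDN = re.compile(r"(?<!\\),")  # commas inside values are escaped as "\,"


def parse_dn(subject: str) -> list[tuple[str, str]]:
    """Split an openssl subject line into (type, value) pairs, in printed order."""
    dn = subject.strip()
    if dn.startswith("subject="):
        dn = dn[len("subject="):]
    rdns = []
    for part in _SPLIT_RDN.split(dn):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def rfc2253_from_openssl_default(subject: str) -> str:
    """Turn OpenSSL's default order (C first) into the RFC 2253 order (CN first)
    that the plugin compares against nodes_dn / admin_dn."""
    return ",".join(f"{a}={v}" for a, v in reversed(parse_dn(subject)))


def normalize_rfc2253(subject: str) -> str:
    """Canonicalise a subject that is already CN-first (drop prefix and spaces)."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(subject))


def dn_matches(entry: str, peer_dn: str) -> bool:
    """Does one configured DN entry match a peer's RFC 2253 subject string?"""
    if len(entry) > 1 and entry.startswith("/") and entry.endswith("/"):
        return re.fullmatch(entry[1:-1], peer_dn) is not None
    pattern = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in entry
    )
    return re.fullmatch(pattern, peer_dn) is not None


def check_config(certs: dict, nodes_dn: list, admin_dn: list) -> dict:
    """For each cert (name -> default-order subject) list the entries that match."""
    report = {}
    for name, subject in certs.items():
        peer = rfc2253_from_openssl_default(subject)
        report[name] = {
            "rfc2253": peer,
            "nodes_dn": [e for e in nodes_dn if dn_matches(e, peer)],
            "admin_dn": [e for e in admin_dn if dn_matches(e, peer)],
        }
    return report


# Constructed sample: subjects as `openssl x509 -subject -noout` prints them
# (default order), mirroring the DNs in the thread. "old-node.pem" carries the
# O=Company subject seen in one of the outputs above.
SAMPLE_CERTS = {
    "node.pem": "subject=C = US, L = California, O = TI, CN = *.wazuh-indexer",
    "admin.pem": "subject=C = US, L = California, O = TI, CN = admin",
    "old-node.pem": "subject=C = US, L = California, O = Company, CN = *.wazuh-indexer",
}
# The thread's config: the second entry of each list is in OpenSSL's default
# order and can never match; only the RFC 2253 (CN-first) entry does.
SAMPLE_NODES_DN = ["CN=*.wazuh-indexer,O=TI,L=California,C=US",
                   "C=US,L=California,O=TI,CN=*.wazuh-indexer"]
SAMPLE_ADMIN_DN = ["CN=admin,O=TI,L=California,C=US",
                   "C=US,L=California,O=TI,CN=admin"]

if __name__ == "__main__":
    for name, r in check_config(SAMPLE_CERTS, SAMPLE_NODES_DN, SAMPLE_ADMIN_DN).items():
        print(f"{name}: {r['rfc2253']}")
        print(f"   nodes_dn matches: {r['nodes_dn'] or 'NONE'}")
        print(f"   admin_dn matches: {r['admin_dn'] or 'NONE'}")
```

Run it before applying a new `opensearch.yml`: any node certificate that reports `NONE` under `nodes_dn` will be rejected at the transport handshake, and any admin certificate with `NONE` under `admin_dn` will make `securityadmin` fail. The only entries that need to stay in the lists are the RFC 2253 (CN-first) ones; the country-first duplicates are harmless but never match.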
Pwoodlock commented 4 months ago
>   - 'CN=*.wazuh-indexer,O=TI,L=California,C=US'
>   - 'C=US,L=California,O=TI,CN=*.wazuh-indexer'

Thank you. I encountered the same issue!