Version: 0.1.1

Common issues

This page contains a list of common issues and workarounds.

Expired certificates

If your certificates have expired, you might receive the following error or something similar:

ERROR org.opensearch.security.ssl.transport.SecuritySSLNettyTransport - Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Sep 16 11:27:55 PDT 2021

To check the expiration date for a certificate, run this command:

openssl x509 -enddate -noout -in <certificate>
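To catch certificates before they cause the handshake error above, the same command can be run over every node certificate on a schedule. The following is an added example, not part of the Lucenia documentation: it assumes openssl is on the PATH, and the 30-day warning window, the function names, and the file names in the usage comment are hypothetical.

```python
"""Added example: flag node certificates that are expired or close to expiry."""
import ssl
import subprocess
import sys
import time

WARN_DAYS = 30  # assumption: warning window, not a value from the docs


def parse_enddate(output):
    """Convert 'notAfter=Sep 16 18:27:55 2021 GMT' to a Unix timestamp."""
    key, _, value = output.strip().partition("=")
    if key != "notAfter" or not value:
        raise ValueError(f"unexpected openssl output: {output!r}")
    return ssl.cert_time_to_seconds(value)


def classify(not_after, now, warn_days=WARN_DAYS):
    """Return (status, whole days left); days are negative once expired."""
    days_left = (not_after - now) // 86400
    if not_after < now:
        return "EXPIRED", days_left
    if days_left < warn_days:
        return "EXPIRING", days_left
    return "OK", days_left


def check_file(path, now=None):
    """Run the openssl command on one PEM file and classify the result."""
    out = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", path],
        check=True, capture_output=True, text=True,
    ).stdout
    return classify(parse_enddate(out), int(time.time() if now is None else now))


if __name__ == "__main__":
    # Usage (hypothetical file names): python check_certs.py node1.pem admin.pem
    severity = {"OK": 0, "EXPIRING": 1, "EXPIRED": 2}
    worst = 0
    for cert_path in sys.argv[1:]:
        status, days = check_file(cert_path)
        print(f"{status:<9}{days:>6}d  {cert_path}")
        worst = max(worst, severity[status])
    sys.exit(worst)  # non-zero exit lets cron or CI alert on it
```

The exit code is 0 when all certificates are fine, 1 when at least one is inside the warning window, and 2 when at least one has expired.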

Encryption at rest

The operating system for each Lucenia node handles encryption of data at rest. To enable encryption at rest in most Linux distributions, use the cryptsetup command:

cryptsetup luksFormat --key-file <key> <partition>

For full documentation about the command, see cryptsetup(8) — Linux manual page.

Can't update by script when FLS, DLS, or field masking is active

The Security plugin blocks the update by script operation (POST <index>/_update/<id>) when field-level security, document-level security, or field masking is active. You can still update documents using the standard index operation (PUT <index>/_doc/<id>).

Illegal reflective access operation in logs

This is a known issue with Performance Analyzer that shouldn't affect functionality.