
[BUG] 'Failed to resolve if it's a readonly tenant' when dashboards URL is not in Opensearch node SANs #2164

Open
ksyblast opened this issue Jan 6, 2025 · 2 comments
Labels
bug Something isn't working

Comments


ksyblast commented Jan 6, 2025

Describe the bug

Hello Team!
I have noticed some errors in the logs; it seems they do not have any impact on the users, however I have decided to report this.

In my case:
Opensearch Dashboards URL is: opensearch.example.com
Opensearch node hostname and SANs are: node.example.com, node1.example.com

Opensearch log:
Authentication finally failed for null from <dashboards ip>
Dashboards log:

{"type":"log","@timestamp":"2025-01-06T13:36:36Z","tags":["error","opensearch","opendistro_security"],"pid":1,"message":"Request error, retrying\nGET https://node.example.com:9200/_plugins/_security/dashboardsinfo => Hostname/IP does not match certificate's altnames: Host: opensearch.example.com. is not in the cert's altnames: DNS:node.example.com, DNS:node1.example.com"}
{"type":"log","@timestamp":"2025-01-06T13:36:36Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed to resolve if it's a readonly tenant: Error: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: opensearch.example.com. is not in the cert's altnames: DNS:node.example.com, DNS:node1.example.com\n    at SecurityClient.dashboardsinfo (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/backend/opensearch_security_client.ts:130:13)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at ReadonlyService.isReadonly (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/readonly/readonly_service.ts:101:30)\n    at ReadonlyService.hideForReadonly (/usr/share/opensearch-dashboards/src/core/server/security/readonly_service.js:18:13)\n    at /usr/share/opensearch-dashboards/src/plugins/data/server/index_patterns/index_patterns_service.js:49:14\n    at /usr/share/opensearch-dashboards/src/core/server/capabilities/resolve_capabilities.js:52:21\n 

To Reproduce
Steps to reproduce the behavior:

  1. Multitenancy should be enabled
  2. Opensearch node certificate SANs should differ from Dashboards URL
  3. Log in to Dashboards (checked with internal user)
  4. See error
{"type":"log","@timestamp":"2025-01-06T13:36:36Z","tags":["error","opensearch","opendistro_security"],"pid":1,"message":"Request error, retrying\nGET https://node.example.com:9200/_plugins/_security/dashboardsinfo => Hostname/IP does not match certificate's altnames: Host: opensearch.example.com. is not in the cert's altnames: DNS:node.example.com, DNS:node1.example.com"}

Expected behavior
I don't think Opensearch node SANs have anything to do with the Kibana URL; such requests should not cause errors.
Please note that the request in the logs contains a hostname which does exist in the SANs; however, it complains about the Dashboards hostname opensearch.example.com:
GET https://node.example.com:9200/_plugins/_security/dashboardsinfo

OpenSearch Version
2.18.0

Dashboards Version
2.18.0

@ksyblast ksyblast added bug Something isn't working untriaged labels Jan 6, 2025
@cwperks cwperks removed the untriaged label Jan 13, 2025

cwperks commented Jan 13, 2025

[Triage] Thank you for filing this issue @ksyblast. Can you provide an example of the opensearch_dashboards.yml config file to reproduce this error?

ksyblast (Author) commented

Hello! Sure, here it is:

opensearch.hosts:
- https://node.example.com:9200
- https://node1.example.com:9200

opensearch.ssl.verificationMode: full
opensearch.ssl.certificateAuthorities: ["/usr/share/opensearch-dashboards/config/root-ca.pem"]
opensearch.username: user
opensearch.password: pass
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]

server.host: '0.0.0.0'
server.name: opensearch.example.com
server.ssl.enabled: true
server.ssl.certificate: ./config/server.crt
server.ssl.key: ./config/server.key

server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
