OS - 2.17.1
Hello, when I try to install the repository-s3 plugin once the Docker container is running, I get the following error:
bin/opensearch-plugin install repository-s3
-> Installing repository-s3
-> Failed installing repository-s3
-> Rolling back repository-s3
-> Rolled back repository-s3
Exception in thread "main" javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1318)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1195)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1138)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:586)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:141)
at org.opensearch.plugins.InstallPluginCommand.urlExists(InstallPluginCommand.java:426)
at org.opensearch.plugins.InstallPluginCommand.getOpenSearchUrl(InstallPluginCommand.java:393)
at org.opensearch.plugins.InstallPluginCommand.download(InstallPluginCommand.java:310)
at org.opensearch.plugins.InstallPluginCommand.execute(InstallPluginCommand.java:273)
at org.opensearch.plugins.InstallPluginCommand.execute(InstallPluginCommand.java:250)
at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
at org.opensearch.cli.MultiCommand.execute(MultiCommand.java:104)
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
at org.opensearch.cli.Command.main(Command.java:101)
at org.opensearch.plugins.PluginCli.main(PluginCli.java:60)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
It looks certificate-related, but I don't see any issues with my certs. I have a one-node cluster and I can connect to it from OpenSearch Dashboards fine.
My Dockerfile for building the image:
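# Custom OpenSearch 2.17.1 image: adds the node's PEM files, opensearch.yml and
# securityadmin.sh on top of the official image and installs procps.
FROM opensearchproject/opensearch:2.17.1

# COPY writes files as root unless --chown is given; setting the owner here
# replaces the separate `RUN chown` layers.
# NOTE(review): opensearch_certs/*.pem presumably includes the private key that
# opensearch.yml references. Anything copied here is readable by everyone who
# can pull the image; mounting the key at runtime keeps it out of the layers.
COPY --chown=opensearch:opensearch opensearch_certs/*.pem /usr/share/opensearch/config/
COPY --chown=opensearch:opensearch opensearch.yml /usr/share/opensearch/config/
COPY securityadmin.sh /usr/share/opensearch/

# Package installation needs root; switch back to the unprivileged user afterwards.
USER root
RUN yum install -y procps && yum clean all
USER opensearch

# --- Disabled: repository-s3 setup -------------------------------------------
# Do not feed S3 credentials through `RUN echo '<secret>' | ...`: the literal
# stays in the Dockerfile and in the image history, and the resulting keystore
# ships inside the image. Populate the keystore at container start from a
# mounted secret instead, and rotate any key that was ever written into a
# Dockerfile or pasted into a public post.
#RUN /usr/share/opensearch/bin/opensearch-keystore create
#RUN echo '<AWS_ACCESS_KEY_ID>' | /usr/share/opensearch/bin/opensearch-keystore add -xf s3.client.default.access_key
#RUN echo '<AWS_SECRET_ACCESS_KEY>' | /usr/share/opensearch/bin/opensearch-keystore add -xf s3.client.default.secret_key
#
# opensearch-plugin fetches the plugin over HTTPS and validates the download
# server's certificate against the JVM's default trust store, not against the
# PEM files configured in opensearch.yml. "PKIX path building failed" at this
# step therefore points at the outbound connection (for example a
# TLS-inspecting proxy whose CA the JVM does not trust). Check which
# certificate chain the download host presents and import the missing CA into
# the trust store rather than disabling verification.
#RUN /usr/share/opensearch/bin/opensearch-plugin install repository-s3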
Here is my docker compose:
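# Single-node OpenSearch plus OpenSearch Dashboards on a shared network.
# Nesting restored: with every line at column 0 the file does not parse as the
# intended Compose structure (keys such as `environment`, `ports`, `networks`
# and `volumes` would collide at top level).
version: '3'
services:
  opensearch-node1:
    # NOTE(review): `latest` is a mutable tag; pinning the tag (or digest) of
    # the image built from the Dockerfile makes deployments reproducible.
    image: thryv/opensearch:latest
    container_name: opensearch-node1
    environment:
      - cluster.name=opensearch-cluster
      - node.name=opensearch-node1
      - discovery.seed_hosts=opensearch-node1
      - cluster.initial_master_nodes=opensearch-node1
      - bootstrap.memory_lock=true  # along with the memlock settings below, disables swapping
      - "OPENSEARCH_JAVA_OPTS=-Xms256m -Xmx256m"  # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
      # Interpolated from the shell or an .env file at `docker compose up`;
      # keep that file out of version control. An unset variable expands to an
      # empty string.
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD}
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536  # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
        hard: 65536
    volumes:
      - opensearch-data1:/usr/share/opensearch/data
    ports:
      # Published on all host interfaces. If the REST API is only needed
      # locally, bind to loopback instead (e.g. "127.0.0.1:9200:9200").
      - "9200:9200"
      - "9600:9600"  # required for Performance Analyzer
    networks:
      - opensearch-net
  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:2.17.1
    container_name: opensearch-dashboards
    ports:
      - "5601:5601"
    expose:
      - "5601"
    environment:
      OPENSEARCH_HOSTS: '["https://opensearch-node1:9200"]'  # must be a string with no spaces when specified as an environment variable
    networks:
      - opensearch-net
volumes:
  opensearch-data1: {}
networks:
  opensearch-net: {}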
I have containers running, and I can also run API commands using the admin cert (see attached)
Part of the opensearch.yml:
# Security plugin settings (excerpt). These configure the node's own TLS
# endpoints and access control. The CLI tool bin/opensearch-plugin makes its
# HTTPS download through the JVM's default trust store and does not appear to
# read these PEM settings (the stack trace goes through HttpsURLConnection).

# Security plugin stays enabled.
plugins.security.disabled: false

# Transport layer (node-to-node) TLS. File names are resolved relative to the
# OpenSearch config directory.
plugins.security.ssl.transport.pemcert_filepath: opensearch_domains_cert.pem
plugins.security.ssl.transport.pemkey_filepath: opensearch_domains_key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: xxxxx.pem
# Hostname verification between nodes is switched off.
# NOTE(review): acceptable for a single node; revisit before adding nodes.
plugins.security.ssl.transport.enforce_hostname_verification: false

# HTTP (REST) layer TLS. The same certificate and key as the transport layer
# are used here.
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: opensearch_domains_cert.pem
plugins.security.ssl.http.pemkey_filepath: opensearch_domains_key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: xxxxx.pem

# Subject DNs of client certificates that are granted admin rights
# (used by securityadmin.sh and admin-certificate API calls).
plugins.security.authcz.admin_dn:
  - "O=blah\\, Inc,OU=Enterprise SSL,CN=yyyyy"
# Subject DNs of certificates accepted as cluster nodes on the transport layer.
plugins.security.nodes_dn:
  - "O=blah\\, Inc,OU=Enterprise SSL,CN=zzzz"

# Initialise the security index from the bundled config files if it is missing.
plugins.security.allow_default_init_securityindex: true
# Audit events are written to an index inside this cluster.
plugins.security.audit.type: internal_opensearch

# Snapshot/restore requires an explicit privilege, and write privileges are
# checked on restore.
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true

# Roles allowed to call the security REST API.
plugins.security.restapi.roles_enabled:
  - "all_access"
  - "security_rest_api_access"

# System index protection and the indices it covers.
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices:
  - ".opendistro_security"
  - ".opensearch-observability"
[opensearch@b003442a204e config]$
How can I troubleshoot this?
Thanks in advance