Certificate_unknown in opensearch 3.3

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch 3.3

Describe the issue:
My self-signed TLS cert works fine in OpenSearch 3.2.0.
When I update to OpenSearch 3.3, the master node cannot start up.
I checked my truststore; it contains the private ca.crt. The CA has not changed; it works in v3.2 but does not work in v3.3.

Configuration:

plugins.security.disabled: "false"

plugins.security.ssl.transport.enforce_hostname_verification: "true"

plugins.security.ssl_cert_reload_enabled: "true"

plugins.security.ssl.transport.truststore_type: "JKS"

plugins.security.ssl.transport.truststore_filepath: "/usr/share/opensearch/config/tls-transport/truststore.jks"

plugins.security.ssl.transport.truststore_alias: "transport-truststore-ca"

Relevant Logs or Screenshots:

```
[2025-10-16T17:07:41,909][ERROR][o.o.t.n.s.SecureNetty4Transport] [ssdl-app-logging-opensearch-manager-0] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: (certificate_unknown) Received fatal alert: certificate_unknown
javax.net.ssl.SSLHandshakeException: (certificate_unknown) Received fatal alert: certificate_unknown
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:363) ~[?:?]
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:287) ~[?:?]
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:202) ~[?:?]
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:734) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:689) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:504) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:480) ~[?:?]
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:673) ~[?:?]
at io.netty.handler.ssl.JdkSslEngine.unwrap(JdkSslEngine.java:92) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.JdkAlpnSslEngine.unwrap(JdkAlpnSslEngine.java:163) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:308) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1486) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1377) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1428) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998) [netty-common-4.1.125.Final.jar:4.1.125.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.125.Final.jar:4.1.125.Final]
at java.base/java.lang.Thread.run(Thread.java:1447) [?:?]
```

Hey @latituder,

Can you please share your full configs in code blocks?

Leeroy.