Configure remote search with differing CAs

I’m trying to set up remote search between multiple clusters. The problem I’m running into is that the clusters have different CAs that issued their node certificates, and therefore, the clusters can’t talk to each other using transport on port 9300. Is there a solution to this?

Hi @retorpigs

Do the files defined by the parameters below contain the root CAs from both clusters?

plugins.security.ssl.transport.pemtrustedcas_filepath
plugins.security.ssl.http.pemtrustedcas_filepath

@Eugene7 I tried adding both certs to one file, but that didn’t seem to work. Can I somehow add both files?

Have you used the format I put below in that root certificate file?

-----BEGIN CERTIFICATE-----
<local RootCA certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<remote RootCA certificate>
-----END CERTIFICATE-----

Did you use the same files and configuration I mentioned before on both clusters?

Also, please test the connection from the ES node to the remote cluster using the curl command and the node certificates:

curl --insecure --cert <node_cert> --key <node_key> -XGET https://<remote_OpenSearch_node>:9200 

I did use that format for the root cert, and it didn't work. When I copy the esnode cert/key and the root CA from the remote cluster, everything works fine.
I even tried using a keystore and truststore and put both CAs in the truststore, but that didn't work either.

Okay, I'm realizing now that when I put the other root CA back to back in the root-ca.pem file, the Java error changes from “unable to find valid certification path to requested target” to “Received fatal alert: bad_certificate”.

Okay, solved. I didn't realize that the remote cluster had to have the root CA of the coordinating cluster as well.
For anyone else running into problems, this thread helped: Cross cluster search between two clusters not working
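The resolution reached above (the trusted-CA file on each cluster must contain both root CAs, and the trust must hold in both directions) can be rehearsed offline before touching a real cluster. The script below is an added example and is not from the original thread or from OpenSearch; it assumes only the openssl CLI (1.1.1 or newer) is installed, and the cluster names `local` and `remote`, the file names and the `diagnose` labels are this example's own. It issues two throw-away root CAs with one node certificate each, builds the `pemtrustedcas_filepath` bundle for the three configurations the thread passed through (own CA only, both CAs on the coordinating side only, both CAs on both sides), and checks each direction with `openssl verify`, which is the same chain validation the transport TLS handshake performs on the certificate the peer presents.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenSearch: rehearse the
# cross-cluster trust setup offline with two throw-away root CAs, then check
# that each side's pemtrustedcas bundle verifies the OTHER side's node cert.
# Assumes only the openssl CLI (1.1.1 or newer); cluster names, file names
# and the diagnose() labels are this example's own.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the run does not depend on the system openssl.cnf.
# v3_ca marks the self-signed root as a CA, which openssl verify insists on.
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Issue a self-signed root CA and one node certificate for cluster $1.
# Writes $WORK/$1-root-ca.pem, $WORK/$1-node.pem and $WORK/$1-node.key.
make_cluster() {
  name=$1
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name-root-ca" \
    -keyout "$WORK/$name-root-ca.key" -out "$WORK/$name-root-ca.pem" 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$name-node" \
    -keyout "$WORK/$name-node.key" -out "$WORK/$name-node.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$name-node.csr" \
    -CA "$WORK/$name-root-ca.pem" -CAkey "$WORK/$name-root-ca.key" \
    -CAcreateserial -out "$WORK/$name-node.pem" 2>/dev/null
}

# Concatenate root CAs into one bundle for pemtrustedcas_filepath. `awk 1`
# emits a newline after every input file, so an END CERTIFICATE line is
# never glued to the next BEGIN CERTIFICATE line.
build_bundle() {
  out=$1; shift
  : >"$out"
  for ca in "$@"; do awk 1 "$ca" >>"$out"; done
}

# Number of PEM certificate blocks in a bundle (sanity check after merging).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Does bundle $1 verify certificate $2? This is the chain validation the TLS
# stack performs on the certificate the peer presents during the handshake.
trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Classify the trust between a coordinating (local) cluster and a remote one
# from the files each side loads. The labels map to the Java errors in the
# thread: if the local side cannot verify the remote chain it reports
# "unable to find valid certification path"; if the remote side rejects the
# local node certificate, the local side sees "Received fatal alert:
# bad_certificate" instead.
diagnose() {
  local_bundle=$1 local_node=$2 remote_bundle=$3 remote_node=$4
  l2r=0; r2l=0
  trusts "$local_bundle" "$remote_node" && l2r=1
  trusts "$remote_bundle" "$local_node" && r2l=1
  case "$l2r$r2l" in
    11) echo ok ;;
    01) echo local-does-not-trust-remote ;;
    10) echo remote-does-not-trust-local ;;
    *)  echo no-trust-either-way ;;
  esac
}

make_cluster local
make_cluster remote

# Starting point: each cluster trusts only its own root.
build_bundle "$WORK/local-own-only.pem"  "$WORK/local-root-ca.pem"
build_bundle "$WORK/remote-own-only.pem" "$WORK/remote-root-ca.pem"
# Half fix from the thread: only the coordinating cluster gets both roots.
build_bundle "$WORK/local-both.pem"  "$WORK/local-root-ca.pem" "$WORK/remote-root-ca.pem"
# Full fix: the remote cluster also gets both roots.
build_bundle "$WORK/remote-both.pem" "$WORK/remote-root-ca.pem" "$WORK/local-root-ca.pem"

echo "certificates in merged bundle: $(count_certs "$WORK/local-both.pem")"
echo "own CA only on both sides:     $(diagnose "$WORK/local-own-only.pem" "$WORK/local-node.pem" "$WORK/remote-own-only.pem" "$WORK/remote-node.pem")"
echo "both CAs on local side only:   $(diagnose "$WORK/local-both.pem" "$WORK/local-node.pem" "$WORK/remote-own-only.pem" "$WORK/remote-node.pem")"
echo "both CAs on both sides:        $(diagnose "$WORK/local-both.pem" "$WORK/local-node.pem" "$WORK/remote-both.pem" "$WORK/remote-node.pem")"
```

Two points worth keeping in mind when running the real check. The curl command earlier in the thread uses `--insecure`, so it skips verification of the remote node's certificate and only exercises one direction: whether the remote node accepts the local node certificate. A PKIX "unable to find valid certification path" error on the coordinating cluster means its own bundle lacks the remote root; a "bad_certificate" alert means the remote cluster's bundle lacks the coordinating cluster's root, which is exactly the state the thread reached after fixing only one side.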