Curl call returns 500 error

** On behalf of Slack user **

"Hi all, I am doing a POC on calling a plugin from another plugin through a rest api and passing in the credentials through basic auth.
Essentially it's a call like this:

curl -XGET https://localhost:9200/_plugins/_alerting/monitors/asdasdsad --insecure -H "Authorization: Basic YWRtaW46YWRtaW4="

where YWRtaW46YWRtaW4= decodes to admin:admin. I am getting this error:

{"error":{"root_cause":[{"type":"s_s_l_handshake_exception","reason":"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}],"type":"s_s_l_handshake_exception","reason":"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","caused_by":{"type":"validator_exception","reason":"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","caused_by":{"type":"sun_cert_path_builder_exception","reason":"unable to find valid certification path to requested target"}}},"status":500}

Do you have any ways around that or exactly what else I need to fix this error? For reference, I am using the docker distribution for OS 2.11.0"

Hi @Ashish Agrawal,

Could you please test with the below curl command?

curl --insecure -uadmin:admin -XGET https://localhost:9200/_plugins/_alerting/monitors/asdasdsad

Best,
Mantas

That call works. I am trying to pass the credentials through the headers only. My initial command worked on a different cluster, but not on the docker cluster, so the cert files generated for the docker might just be out of date since the docker image was generated a while ago.

Yes, that is indeed worth checking. While you are on that, could you please share your config.yml to check your authentication configuration?

Note: remove all sensitive information (i.e.: passwords, IP addresses, etc…)

Thanks,
Mantas

Actually the real issue is where I am trying to call another plugin from one of the plugins (I modified the alerting plugin’s get monitor api to call a notification api). There I pass the Authorization: Basic YWRtaW46YWRtaW4= in the header and I get the exception shown above.

Hi @ashisagr-amzn

Have you checked if your certificates are still valid?

You could try:


openssl s_client -connect localhost:9200 -showcerts 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -text

Thanks,
Mantas

Yes it is:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            66:3a:e5:0c:f3:fc:6b:34:43:3d:97:21:03:f5:c4:b3:1d:17:da:22
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=example, O=Example Com Inc., OU=Example Com Inc. Root CA, CN=Example Com Inc. Root CA
        Validity
            Not Before: Aug 29 04:23:12 2023 GMT
            Not After : Aug 26 04:23:12 2033 GMT
        Subject: C=de, L=test, O=node, OU=node, CN=node-0.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                Registered ID:1.2.3.4.5.5, DNS:node-0.example.com, DNS:localhost, IP Address:0:0:0:0:0:0:0:1, IP Address:127.0.0.1
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                D3:FA:83:41:A6:35:D2:32:28:C0:28:CB:52:9C:FF:1D:F4:17:CA:DF
            X509v3 Authority Key Identifier: 
                keyid:17:87:DF:A0:5A:EB:66:12:A7:D5:D0:F8:BA:12:45:3C:B7:2B:00:9C

    Signature Algorithm: sha256WithRSAEncryption

I tried using these steps and now I tried it with the 2.11.0 tarball distribution instead of the docker distribution.

Please note I am calling a plugin API that I modified to also call another plugin through rest.
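Added example, not part of the original thread or of OpenSearch: a small triage that uses the validity and subjectAltName lines from the `openssl x509 -text` output above to rule out expiry and host mismatch, then walks the `caused_by` chain of the 500 response. The function names, the classification strings and the order of checks are assumptions made for illustration; the sample inputs are lines copied from the posts above, with the error body trimmed to the fields used.

```python
import json
import re
from datetime import datetime, timezone

# Lines copied from the certificate dump posted in the thread.
CERT_TEXT = """\
            Not Before: Aug 29 04:23:12 2023 GMT
            Not After : Aug 26 04:23:12 2033 GMT
                Registered ID:1.2.3.4.5.5, DNS:node-0.example.com, DNS:localhost, IP Address:0:0:0:0:0:0:0:1, IP Address:127.0.0.1
"""
# Error body from the first post, trimmed to the nested exception types.
ERROR_BODY = json.dumps({"error": {
    "type": "s_s_l_handshake_exception",
    "caused_by": {"type": "validator_exception",
                  "caused_by": {"type": "sun_cert_path_builder_exception",
                                "reason": "unable to find valid certification path to requested target"}}},
    "status": 500})

def cert_facts(text, host, now):
    """Return (in_date, host_covered) from `openssl x509 -noout -text` output."""
    def when(label):
        raw = re.search(label + r"\s*:\s*(.+?) GMT", text).group(1)
        return datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    in_date = when("Not Before") <= now <= when("Not After")
    # Collect DNS and IP entries of the subjectAltName line; other types are ignored.
    names = re.findall(r"(?:DNS|IP Address):([^,\s]+)", text)
    return in_date, host in names

def cause_chain(body):
    """Flatten the nested caused_by objects of the error response into a list of types."""
    node, chain = json.loads(body).get("error"), []
    while isinstance(node, dict):
        chain.append(node.get("type"))
        node = node.get("caused_by")
    return chain

def triage(body, cert_text, host, now):
    """Hypothetical classifier: check dates, then host name, then the trust path."""
    in_date, covered = cert_facts(cert_text, host, now)
    if not in_date:
        return "certificate outside validity window"
    if not covered:
        return "host not in subjectAltName"
    if "sun_cert_path_builder_exception" in cause_chain(body):
        # The JVM could not build a path from the server certificate to a CA it trusts.
        return "issuer not trusted by the calling JVM"
    return "unclassified"

if __name__ == "__main__":
    print(triage(ERROR_BODY, CERT_TEXT, "localhost", datetime.now(timezone.utc)))
```

For these inputs the certificate is in date and covers `localhost`, so the triage lands on the trust path, which `curl --insecure` never checks.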

Could you share your opensearch.yml file, please?