Disable Webhook TLS / Security?

I’m testing out some webhook on an unsecure server. However, I am getting a certificate validation error from the ES Nodes:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alert.createSSLException(Alert.java:128) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:321) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:264) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:259) ~[?:?]

I suppose this is expected but I don’t see anything in the docs on disabling TLS validation for webhooks?

Does anyone know how?

Hi Dandy,

Did you ever get a reply to this question? I am having a very similar error where I am hitting a custom webhook endpoint with a self-signed cert.

I can’t find any configuration to include the self-signed CA cert.

@Mr_Hedgehog I think I figured this out but I don’t remember how exactly.

I think I just ended up using LetsEncrypt to create valid certificates to save me pain.

@Mr_Hedgehog @Dandy what version of ODFE are you on?
I know that 1.10, 1.11 and 1.12 didn’t handle self-signed certs at all.

Hi there, it is version 1.12.0 (docker).

@Mr_Hedgehog can you try with 1.13.0 or 1.9.0?

Hi there,

I know some time has passed since I last wrote on this topic, but I have updated my cluster to 1.13.1 (docker) and I still have the issue above.

I have a custom webhook alert receiver set up and when firing the alert, it ‘blows up’ with the exception below:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:369) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:312) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:307) ~[?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) ~[?:?]

I have tried to add my CA to the root-ca.pem file referenced by both opendistro_security.ssl.transport.pemtrustedcas_filepath and opendistro_security.ssl.http.pemtrustedcas_filepath but that does not appear to have resolved the issue.

I am now considering adding the CA to the /etc/pki/ca-trust/source/anchors file in the CentOS 7 image.

Any community thoughts? Thanks.

You probably need to install the self-signed CA cert into the Java default keystore:

keytool -import -trustcacerts -alias mycert -file /path/to/mycert.pem -keystore $JAVA_HOME/lib/security/cacerts
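
Following the keytool suggestion in the last reply, here is an added example (not posted by anyone in the thread) that trusts the one certificate rather than turning validation off: it locates the JVM trust store, shows the certificate's fingerprints before importing, and skips the import if the alias is already present. The function names, alias and file names are assumptions; `changeit` is the stock JDK trust store password.

```shell
# Added example, not from the thread. The alias and file names are placeholders;
# "changeit" is the stock JDK trust store password.

# Print the JVM trust store path: JDK 9+ layout first, then the JDK 8 layout.
cacerts_path() {
  for _p in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
    if [ -f "$_p" ]; then printf '%s\n' "$_p"; return 0; fi
  done
  return 1
}

# Import a PEM certificate under an alias unless the alias already exists.
# Usage: import_ca <alias> <cert.pem> <keystore> [storepass]
import_ca() {
  _alias="$1"; _pem="$2"; _store="$3"; _pass="${4:-changeit}"
  # Parse the file first; this also prints subject, validity and fingerprints
  # so they can be compared with the webhook owner's copy before trusting it.
  keytool -printcert -file "$_pem" || { echo "not a certificate: $_pem" >&2; return 2; }
  if keytool -list -keystore "$_store" -storepass "$_pass" -alias "$_alias" >/dev/null 2>&1; then
    echo "alias $_alias already trusted in $_store"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -alias "$_alias" \
    -file "$_pem" -keystore "$_store" -storepass "$_pass"
}

# When called with arguments: sh import_ca.sh <alias> <cert.pem>
if [ "$#" -ge 2 ]; then
  _ks="$(cacerts_path "${JAVA_HOME:?JAVA_HOME is not set}")" || { echo "cacerts not found" >&2; exit 1; }
  import_ca "$1" "$2" "$_ks"
fi
```

The JVM reads its trust store at startup, so the node has to be restarted after the import. In a Docker deployment the change is lost when the container is recreated unless the modified `cacerts` is baked into the image or mounted.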