Disable Webhook TLS / Security?

I’m testing out some webhook on an unsecure server. However, I am getting a certificate validation error from the ES Nodes:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alert.createSSLException(Alert.java:128) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:321) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:264) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:259) ~[?:?]

I suppose this is expected but I don’t see anything in the docs on disabling TLS validation for webhooks?

Does anyone know how?

Hi Dandy,

Did you ever get a reply to this question? I am having a very similar error where I am hitting a custom webhook endpoint with a self-signed cert.

I can’t find any configuration to include the self-signed CA cert.

@Mr_Hedgehog I think I figured this out but I don’t remember how exactly.

I think I just ended up using LetsEncrypt to create valid certificates to save me pain.

@Mr_Hedgehog @Dandy what version of ODFE are you on?
I know that 1.10, 1.11 and 1.12 didn’t handle self-signed certs at all.

Hi there, it is version 1.12.0 (docker).

@Mr_Hedgehog can you try with 1.13.0 or 1.9.0?

Hi there,

I know some time has passed since I last wrote on this topic, but I have updated my cluster to 1.13.1 (docker) and I still have the issue above.

I have a custom webhook alert receiver setup and when firing the alert, I ‘blows up’ with the exception below:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:369) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:312) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:307) ~[?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) ~[?:?]

I have tried to add my CA to the root-ca.pem file referenced by both opendistro_security.ssl.transport.pemtrustedcas_filepath and opendistro_security.ssl.http.pemtrustedcas_filepath but that does not appear to have resolved the issue.

I am now considering adding the CA to the /etc/pki/ca-trust/source/anchors file in the Centos 7 image.

Any community thoughts? Thanks.