pablo
November 3, 2025, 1:40pm
8
@muneer This workaround was mentioned today by one of the users.
Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 3.3.0
Describe the issue: I am trying to connect my local (docker) OpenSearch Cluster to an LLM that can only be accessed through our internal OpenRouter installation, that is secured by our internal CA. I am unable to provide the CA to OpenSearch for outgoing HTTPS connections. I end up having:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException…
SOLVED
Solved the issue after a good deal of trial and error.
The notification channels outgoing httpclient uses the Java Runtime trust store, and NOT the opensearch truststore for verifying connections.
This is important, as it means you will have to trust your CA with Javas cacerts truststore as well.
This can be done by:
Access your container as root, in order to have sufficient privileges: docker exec -u root -it opensearch_container_name bash
Read your existing truststore and veri…
I have followed the steps and successfully connected to my Ollama with HTTPS.
@FalcoSuessgott I’ve tested solution provided in the shared link and I was able to connect to my remote Ollama with HTTPS and self-signed certificate.
These were my steps.
Copy cacerts keystore from the running OpenSearch Docker
docker cp opensearch-node1_3.3.0:/usr/share/opensearch/jdk/lib/security/cacerts .
Get certificate from Ollama instance
openssl s_client -connect ollama.pablo.local:443
Save certificate into ollama.crt
Add ollama.crt to the carets keystore
keytool -import -nopro…