"error": "unable to find valid certification path to requested target",

@pablo, I found the root cause. I logged into the container and tried this, and SSL failed; the container does not seem to have the CA for artifacts.opensearch.org (CNAME to d2czzf4vq4ccyb.cloudfront.net):

curl -l https://artifacts.opensearch.org/models/ml-models/huggingface/sentence-transformers/msmarco-distilbert-base-tas-b/1.0.1/onnx/sentence-transformers_msmarco-distilbert-base-tas-b-1.0.1-onnx.zip

curl: (60) SSL certificate problem: unable to get local issuer certificate
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

When I use the CNAME target d2czzf4vq4ccyb.cloudfront.net, SSL works:
curl -l https://d2czzf4vq4ccyb.cloudfront.net/models/ml-models/huggingface/sentence-transformers/msmarco-distilbert-base-tas-b/1.0.1/onnx/sentence-transformers_msmarco-distilbert-base-tas-b-1.0.1-onnx.zip

Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.

I changed the URL to use d2czzf4vq4ccyb.cloudfront.net and it now works when registering the model. So this is because the container does not have the CA certificate for artifacts.opensearch.org. But I don’t understand why yours works, since we use the same docker compose file; the Docker container should be the same.

@pablo I found the root cause. I changed the domain to the CNAME target d2czzf4vq4ccyb.cloudfront.net and it worked. So this is because the container does not have the CA root certificate for the domain artifacts.opensearch.org.
But I do know why yours could work, since we are using the same docker compose file and the container should be the same.

I encountered another issue when deploying the model:

"error": """{"4iTSMnXUTEedGfYGgdItew":"no onnxruntime in java.library.path: :/usr/share/opensearch/plugins/opensearch-knn/lib:/usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib","_Bxw_WjwTBSh3jZ5M4JIQw":"no onnxruntime in java.library.path: :/usr/share/opensearch/plugins/opensearch-knn/lib:/usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib"}""",

I think the OpenSearch docs/support are not good; disappointing.

@smith What is your Docker host OS? I’m using Ubuntu 20.04 and 22.04

What user did you use to deploy the model?

@pablo, I am using macOS and I am using a personal user to deploy this. I tried Ubuntu and it works (also using a personal user to run Docker). This is Docker, so why does it depend on the host OS?

@smith I think the Docker service might use the OS’s certificate keystore to validate CAs in SSL connections.

@smith Did you find any solution for it?
It is working on my personal laptop, but giving the same issue on my office laptop.

I have a similar problem. In my case I have OpenSearch with Certificate Authentication enabled. I can connect to OpenSearch with a curl command to register the ML model:

$ curl -k --cert {cert} --key {cert key} -X POST 'https://localhost:9200/_plugins/_ml/models/_register?deploy=true' -H 'Content-Type: application/json' -d '{"name":"amazon/neural-sparse/opensearch-neural-sparse-encoding-doc-v2-distill","version":"1.0.0","model_format":"TORCH_SCRIPT"}'

Getting response:
{"task_id":"gko0_ZEBO2TvFnwiBb5x","status":"CREATED"}

Also I am able to connect with OpenSearch Dashboard and do the same. In both cases, I got the same error described above.
Does OpenSearch ML support Certificate Authentication? Is there a specific configuration for ML to use it with Certificate Security?

@gilberto The initial issue is not related to certificate authentication.
During the ML registration, OpenSearch couldn’t verify the CA of the certificate.
OpenSearch was setting up a connection as a client against an HTTPS endpoint without authentication headers.

@mayanklohani19

Does your office have a firewall?
I think the connection to download ONNX (or PyTorch) files will be blocked.
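
Added example, not part of any post in this thread: the "unable to get local issuer certificate" failure reproduced offline with openssl. The CAs, the host name artifacts.example.test and all files are constructed for the demo; the same certificate fails or verifies depending only on whether its issuing CA is in the trust bundle the client consults, which is also the condition a JVM reports as "unable to find valid certification path to requested target".

```shell
#!/usr/bin/env bash
# Added example: every CA, key and certificate here is constructed for the demo.

# make_chain DIR CA_NAME: create a throwaway CA in DIR and a leaf certificate
# for the hypothetical host artifacts.example.test signed by that CA.
make_chain() {
  local d=$1 ca_name=$2
  # Minimal config so the demo does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    'prompt = no' '[dn]' 'CN = placeholder' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
    -subj "/CN=$ca_name" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=artifacts.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# verify_with_store BUNDLE CERT: validate CERT using only the CAs in BUNDLE
# and print openssl's verdict (stderr included).
verify_with_store() {
  openssl verify -no-CApath -CAfile "$1" "$2" 2>&1
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  mkdir "$d/site" "$d/other"
  make_chain "$d/site" "Constructed Site CA" || return 1
  make_chain "$d/other" "Constructed Unrelated CA" || return 1

  echo "Trust bundle without the issuing CA:"
  verify_with_store "$d/other/ca.pem" "$d/site/leaf.pem" || true

  # The only change: the issuing CA is now part of the bundle.
  cat "$d/other/ca.pem" "$d/site/ca.pem" > "$d/bundle.pem"
  echo "Trust bundle with the issuing CA:"
  verify_with_store "$d/bundle.pem" "$d/site/leaf.pem"
  rm -rf "$d"
}

demo
```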