"Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException" After upgrading to OpenSearch 3.3

Versions OpenSearch 3.3.0 and 3.3.1 (running in Docker containers on Ubuntu 24.04)

Describe the issue: After upgrading from OpenSearch 3.2 to 3.3 my cluster’s nodes fail to communicate with each other giving errors about failing SAN validation.

[2025-10-28T11:39:35,587][ERROR][o.o.t.n.s.SecureNetty4Transport] [opensearch-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: (certificate_unknown) No subject alternative DNS name matching test-osc3.example.com found.

[2025-10-28T11:39:35,593][WARN ][i.n.c.AbstractChannelHandlerContext] [opensearch-1] An exception ‘OpenSearchSecurityException[The provided TCP channel is invalid.]; nested: DecoderException[javax.net.ssl.SSLHandshakeException: (certificate_unknown) No subject alternative DNS name matching test-osc3.example.com found.]; nested: SSLHandshakeException[(certificate_unknown) No subject alternative DNS name matching test-osc3.example.com found.]; nested: CertificateException[No subject alternative DNS name matching test-osc3.example.com found.];’ [enable DEBUG level for full stacktrace] was thrown by a user handler’s exceptionCaught() method while handling the following exception:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: (certificate_unknown) No subject alternative DNS name matching test-osc3.example.com found.

I have disabled the demo certs and replaced them with ones signed by internal CA. Certs have valid SANs and CNs. All nodes have valid DNS names.

Issue happens with both rolling upgrade from 3.2 to 3.3 or 3.3.0 and clean install of 3.3.0 or 3.3.1. The same config has worked from 3.0 to 3.2. I did not notice changes that seem to be relevant for this from 3.3.x release notes.

Setting transport.ssl.enforce_hostname_verification to false in opensearch.yaml makes this error go away in 3.3.x. But why did having it true with an otherwise similar config work from 3.0 to 3.2?

Configuration: Three node cluster.

My opensearch.yaml for node 1 (nodes 2 and 3 are identical with the exception of node name/hostname):

cluster.name: test-opensearch

node.name: opensearch-1
node.roles:
  - cluster_manager
  - data
  - ingest

# Bind to all interfaces because we don't know what IP address Docker will assign to us
network.host: 0.0.0.0

# Cluster-manager-eligible nodes. Nodes connect to these, find out who is manager
# and ask how to join the cluster
discovery.seed_hosts:
  - test-osc1.example.com
  - test-osc2.example.com
  - test-osc3.example.com
# Nodes that take part in initial cluster manager election during cluster formation
# Has no effect once cluster is formed
cluster.initial_cluster_manager_nodes:
  - opensearch-1
  - opensearch-2
  - opensearch-3

# Disable JVM heap memory swapping
bootstrap.memory_lock: true

# Advertise DNS name instead of IP visible inside container (bind IP)
transport.publish_host: test-osc1.example.com

plugins.security.allow_unsafe_democertificates: false
# Workaround to make cluster start on version 3.3
#transport.ssl.enforce_hostname_verification: false
# This worked from 3.0 to 3.2
transport.ssl.enforce_hostname_verification: true
plugins.security.ssl.transport.pemcert_filepath: node.pem
plugins.security.ssl.transport.pemkey_filepath: node-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node.pem
plugins.security.ssl.http.pemkey_filepath: node-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.authcz.admin_dn:
  - CN=test-opensearch-admin,O=ORG,C=xy
plugins.security.nodes_dn:
  - CN=test-osc1.example.com,O=ORG,C=xy
  - CN=test-osc2.example.com,O=ORG,C=xy
  - CN=test-osc3.example.com,O=ORG,C=xy

plugins.security.allow_default_init_securityindex: true

plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
  .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
  .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
  .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
  .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
  .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
  .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
  .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
  .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
  .plugins-flow-framework-state, .plugins-search-relevance-experiment, .plugins-search-relevance-judgment-cache]

Node certs are like this, all signed by the same CA and CA cert is given to each node:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3a:76:b1:d3:5d:f8:eb:85:35:52:ef:4d:2f:df:bf:52:a8:e5:5b:7f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = xy, O = ORG, CN = test-opensearch-ca
        Validity
            Not Before: Oct 28 12:52:40 2025 GMT
            Not After : Oct 27 12:52:40 2030 GMT
        Subject: C = xy, O = ORG, CN = test-osc1.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:test-osc1.example.com
            X509v3 Subject Key Identifier:
                E3:45:1A:85:3E:62:0A:FC:AA:D5:D4:19:80:77:01:AB:F7:63:B5:BF
            X509v3 Authority Key Identifier:
                E3:54:A2:B4:B5:17:0F:C8:40:EF:85:41:76:30:63:D0:1F:2D:93:C6
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

I wonder if this message, which appears on node startup before errors begin is relevant:

[2025-10-28T11:39:35,047][INFO ][o.o.t.TransportService ] [opensearch-1] publish_address {test-osc1.example.com/127.0.0.1:9300}, bound_addresses {[::]:9300}

Publishing 127.0.0.1 seems wrong, as nodes can only reach each other using DNS names or real public IPs.

What might I be doing wrong, and how could I make the cluster work with version 3.3 without disabling hostname verification?

What change from 3.2 to 3.3 caused this?

Thank you in advance.

Relevant Logs or Screenshots:

Errors given by a node after startup (all have similar messages):

[2025-10-28T11:39:35,047][INFO ][o.o.t.TransportService   ] [opensearch-1] publish_address {test-osc1.example.com/127.0.0.1:9300}, bound_addresses {[::]:9300}
[2025-10-28T11:39:35,216][INFO ][o.o.b.BootstrapChecks    ] [opensearch-1] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2025-10-28T11:39:35,587][ERROR][o.o.t.n.s.SecureNetty4Transport] [opensearch-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: (certificate_unknown) No subject alternative DNS name matching test-osc3.example.com found.
javax.net.ssl.SSLHandshakeException: (certificate_unknown) No subject alternative DNS name matching test-osc3.example.com found.
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:376) ~[?:?]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:319) ~[?:?]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1212) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1155) ~[?:?]
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1207) ~[?:?]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1695) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1541) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1377) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1428) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998) [netty-common-4.1.125.Final.jar:4.1.125.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.125.Final.jar:4.1.125.Final]
at java.base/java.lang.Thread.run(Thread.java:1447) [?:?]
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching test-osc3.example.com found.
at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:207) ~[?:?]
at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103) ~[?:?]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:466) ~[?:?]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:417) ~[?:?]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:291) ~[?:?]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1313) ~[?:?]
… 27 more
[2025-10-28T11:39:35,593][WARN ][i.n.c.AbstractChannelHandlerContext] [opensearch-1] An exception ‘OpenSearchSecurityException[The provided TCP channel is invalid.]; nested: DecoderException[javax.net.ssl.SSLHandshakeException: (certificate_unknown) No subject alternative DNS name matching test-osc3.example.com found.]; nested: SSLHandshakeException[(certificate_unknown) No subject alternative DNS name matching test-osc3.example.com found.]; nested: CertificateException[No subject alternative DNS name matching test-osc3.example.com found.];’ [enable DEBUG level for full stacktrace] was thrown by a user handler’s exceptionCaught() method while handling the following exception:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: (certificate_unknown) No subject alternative DNS name matching test-osc3.example.com found.
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998) [netty-common-4.1.125.Final.jar:4.1.125.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.125.Final.jar:4.1.125.Final]
at java.base/java.lang.Thread.run(Thread.java:1447) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: (certificate_unknown) No subject alternative DNS name matching test-osc3.example.com found.
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:376) ~[?:?]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:319) ~[?:?]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1212) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1155) ~[?:?]
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1207) ~[?:?]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1695) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1541) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1377) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1428) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
… 16 more
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching test-osc3.example.com found.
at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:207) ~[?:?]
at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103) ~[?:?]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:466) ~[?:?]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:417) ~[?:?]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:291) ~[?:?]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1313) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1212) ~[?:?]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1155) ~[?:?]
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1207) ~[?:?]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1695) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1541) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1377) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1428) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
… 16 more
[2025-10-28T11:39:35,597][ERROR][o.o.t.n.s.SecureNetty4Transport] [opensearch-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: (certificate_unknown) Received fatal alert: certificate_unknown
javax.net.ssl.SSLHandshakeException: (certificate_unknown) Received fatal alert: certificate_unknown
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:363) ~[?:?]
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:287) ~[?:?]
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:202) ~[?:?]
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:734) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:689) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:504) ~[?:?]
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:480) ~[?:?]
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:673) ~[?:?]
at io.netty.handler.ssl.JdkSslEngine.unwrap(JdkSslEngine.java:92) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.JdkAlpnSslEngine.unwrap(JdkAlpnSslEngine.java:163) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:308) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1486) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1377) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1428) ~[netty-handler-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[netty-codec-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:796) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:697) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:660) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) [netty-transport-4.1.125.Final.jar:4.1.125.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998) [netty-common-4.1.125.Final.jar:4.1.125.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.125.Final.jar:4.1.125.Final]
at java.base/java.lang.Thread.run(Thread.java:1447) [?:?]

Curious, if you set transport.ssl.enforce_hostname_verification to false does it resolve the issue? That was the only change in this area from 3.2 to 3.3 that I know of.

@Opensearchuser ah, I see you have found the solution and left a comment in the opensearch.yml of the original post. There was a bug fix in this area that explains why it is now showing the issue in 3.3. I believe you need to update your certs according to the error message.

Thanks for response.

Any tips on what I should update in my certs? As far as I understand they should be good, as they have the correct CN and SAN, are signed by the CA, and the CA’s cert is included in the config. I tried creating new certs but the error remains the same.

Also, could you point me to the issue about the bugfix related to this? I was unable to find it from 3.3’s release notes.

@Opensearchuser You can list all the hostnames in the SANs of the certificate and update opensearch.yml to advertise hostnames instead of IP using the following configuration:

version: '3'
services:
  opensearch-node1:
    image: opensearchproject/opensearch:${OS_VER}
    container_name: opensearch-node1_${OS_VER}
    env_file:
      - .env
    environment:
      - cluster.name=opensearch-cluster2
      ...
      - network.publish_host=opensearch-node1
      - transport.publish_host=opensearch-node1
      - http.publish_host=opensearch-node1

Thanks. This helped.

I had to also change my config in /etc/hosts because locally the hostname test-osc1.example.com (and the other nodes’ hostnames too) resolved to 127.0.0.1. Apparently the IP also gets published when OpenSearch is configured to publish the hostname. Other nodes of course cannot connect to remote nodes using the localhost IP.

After fixing my hosts file so that hostname does not resolve to localhost IP I got the cluster to work with version 3.3 without disabling hostname verification.
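The two mechanisms this thread turns on, the JDK's hostname check against the peer certificate's subject alternative names (the error in the original post) and the publish address that other nodes actually dial (the /etc/hosts fix in the last reply), can be reproduced offline. The following is an added example written for this page; it is not code from the thread, from OpenSearch or from the JDK. It models certificates in the dict shape Python's ssl.SSLSocket.getpeercert() returns, and the hostnames, the 10.0.0.x addresses, the resolver tables and the listener table are all constructed. The matching rules it implements (IP literal must match an iPAddress SAN; a hostname must match a dNSName SAN, with the subject CN consulted only when the certificate has no dNSName SAN at all) are the JDK HostnameChecker rules, which is why the log message names the SAN rather than the CN.

```python
"""Hostname verification and publish-address checks for OpenSearch transport TLS.

Added example; not code from the forum thread, from OpenSearch or from the JDK.
All certificates, hostnames, addresses and resolver tables are constructed.
"""
import ipaddress


def _dns_match(pattern, name):
    """Match one SAN dNSName `pattern` against `name` (RFC 6125 style, as the JDK does).

    Case-insensitive; a single '*' is allowed only as the whole leftmost label
    and matches exactly one label.
    """
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p, n = pattern.split("."), name.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(n):
        return False
    return p[1:] == n[1:]


def _common_name(cert):
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def check_identity(cert, dialed):
    """Return (ok, reason): does `cert` identify the name `dialed`, per JDK rules?"""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(dialed)
    except ValueError:
        ip = None
    if ip is not None:  # IP literal: only an iPAddress SAN counts
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "iPAddress SAN matches %s" % dialed
        return False, "No subject alternative names matching IP address %s found" % dialed
    dns_sans = [value for kind, value in sans if kind == "DNS"]
    for value in dns_sans:
        if _dns_match(value, dialed):
            return True, "dNSName SAN %s matches %s" % (value, dialed)
    if dns_sans:  # dNSName SANs exist but none match: the CN is NOT consulted
        return False, "No subject alternative DNS name matching %s found." % dialed
    cn = _common_name(cert)  # CN fallback applies only when no dNSName SAN is present
    if cn is not None and _dns_match(cn, dialed):
        return True, "no dNSName SAN; CN %s matches %s" % (cn, dialed)
    return False, "No name matching %s found" % dialed


def publish_address(publish_host, resolver):
    """(hostname, ip) pair a node advertises, like {test-osc1.example.com/127.0.0.1:9300}.
    `resolver` stands in for that node's own /etc/hosts or DNS."""
    return publish_host, resolver[publish_host]


def publish_address_problems(publish_host, resolver):
    """Flag a transport.publish_host that remote nodes cannot use."""
    addr = resolver.get(publish_host)
    if addr is None:
        return ["%s does not resolve" % publish_host]
    ip = ipaddress.ip_address(addr)
    problems = []
    if ip.is_loopback:
        problems.append("%s resolves to loopback %s; remote nodes cannot reach it" % (publish_host, addr))
    if ip.is_unspecified:
        problems.append("%s resolves to the unspecified address %s" % (publish_host, addr))
    return problems


def simulate_connect(published, listeners):
    """Connect to the advertised ip, verify whatever certificate answers there
    against the advertised hostname, exactly as the dialing node's TLS client does."""
    hostname, ip = published
    return check_identity(listeners[ip], hostname)


def node_cert(host):
    """Constructed stand-in for a node cert with CN=host and SAN DNS:host."""
    return {"subject": ((("countryName", "xy"),), (("organizationName", "ORG"),),
                        (("commonName", host),)),
            "subjectAltName": (("DNS", host),)}


# Constructed topology seen from node 1: loopback answers with node 1's own cert.
NODE1, NODE3 = "test-osc1.example.com", "test-osc3.example.com"
LISTENERS = {"127.0.0.1": node_cert(NODE1), "10.0.0.11": node_cert(NODE1),
             "10.0.0.13": node_cert(NODE3)}
BROKEN_HOSTS = {NODE1: "127.0.0.1", NODE3: "127.0.0.1"}  # each node's name -> loopback
FIXED_HOSTS = {NODE1: "10.0.0.11", NODE3: "10.0.0.13"}

if __name__ == "__main__":
    for label, hosts in (("broken hosts", BROKEN_HOSTS), ("fixed hosts", FIXED_HOSTS)):
        # node 3 advertises (NODE3, ip it resolves itself to); node 1 dials that
        ok, reason = simulate_connect(publish_address(NODE3, hosts), LISTENERS)
        print("%s: connect to %s -> %s: %s" % (label, NODE3, "OK" if ok else "FAIL", reason))
        print("%s: publish_host check -> %s" % (label, publish_address_problems(NODE1, hosts) or "none"))
```

With the broken resolver the dialing node connects to 127.0.0.1, receives its own certificate, and the check fails with the same "No subject alternative DNS name matching test-osc3.example.com found." text as the log, even though every certificate has a correct SAN; with the fixed resolver the same code path succeeds. Running the publish-host check before enabling enforce_hostname_verification catches the loopback case without waiting for the handshake to fail.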