Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Issue related to OpenSearch. I have configured SSL certificates by following the “Generating self-signed certificates - OpenSearch documentation” link. I am using the
“helm-charts/charts/opensearch at main · opensearch-project/helm-charts · GitHub” helm chart.

Describe the issue:
I have created two certificates, an admin certificate and a root certificate, and added root-ca.pem, admin.pem, and admin-key.pem to the configuration file as suggested in the official document. I converted the certificate and private key to base64 format and stored the encoded certificate value in Kubernetes’ secret.
After installing the OpenSearch Helm chart, I am getting the below error.

[2023-02-20T10:30:09,269][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [opensearch-cluster-master-0] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca

Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca

Configuration:

plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: certs/tls.crt
        pemkey_filepath: certs/tls.key
        pemtrustedcas_filepath: auth/tls.crt
        enforce_hostname_verification: false
        resolve_hostname: false
      http:
        enabled: true
        pemcert_filepath: certs/tls.crt
        pemkey_filepath: certs/tls.key
        pemtrustedcas_filepath: auth/tls.crt
        enabled_ciphers: ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA","TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"]
        enabled_protocols:
          - TLSv1.1
          - TLSv1.2
    allow_unsafe_democertificates: true
    allow_default_init_securityindex: true

secretMounts:
  - name: opensearch-certs
    secretName: opensearch-certs-tls
    path: /usr/share/opensearch/config/certs
  - name: root-cert
    secretName: root-cert
    path: /usr/share/opensearch/config/auth

Relevant Logs or Screenshots:

[2023-02-20T10:30:09,269][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [opensearch-cluster-master-0] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:358) ~[?:?]
at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293) ~[?:?]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:204) ~

plugins.security.ssl.transport.pemtrustedcas_filepath

plugins.security.ssl.http.pemtrustedcas_filepath

You might need to update those to point to the CA that was used to sign the tls certs?
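
The check the reply points at, as an added example that is not part of the original thread: verify offline whether a certificate chains to the CA file named in `pemtrustedcas_filepath`. The helper names, the temporary directory and the `demo-*` certificates are constructed for illustration, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): does a certificate chain to the CA file
# that pemtrustedcas_filepath points at? Assumes the openssl CLI is installed.

# cert_trusted_by CA_FILE CERT_FILE: exit 0 only if CERT_FILE verifies against CA_FILE.
cert_trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# explain_trust CA_FILE CERT_FILE: print the two names to compare, then the verdict.
explain_trust() {
  echo "cert: $(openssl x509 -in "$2" -noout -issuer)"
  echo "CA:   $(openssl x509 -in "$1" -noout -subject)"
  if cert_trusted_by "$1" "$2"; then
    echo "OK: certificate chains to this CA"
  else
    echo "FAIL: a peer trusting only this CA rejects the certificate"
    return 1
  fi
}

# make_demo_pki DIR: constructed throwaway material (demo-* names are made up):
# a root CA, a node certificate signed by it, and an unrelated second CA.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root-ca" \
    -keyout "$1/root-ca-key.pem" -out "$1/root-ca.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-other-ca" \
    -keyout "$1/other-ca-key.pem" -out "$1/other-ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-node" \
    -keyout "$1/node-key.pem" -out "$1/node.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/node.csr" -CA "$1/root-ca.pem" \
    -CAkey "$1/root-ca-key.pem" -CAcreateserial -days 1 \
    -out "$1/node.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
explain_trust "$demo_dir/root-ca.pem" "$demo_dir/node.pem"          # expected: OK
explain_trust "$demo_dir/other-ca.pem" "$demo_dir/node.pem" || true # expected: FAIL
```

For the deployment in the question, the two arguments would be the mounted `auth/tls.crt` (CA file) and `certs/tls.crt` (node certificate).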