Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Issue related to OpenSearch. I have configured SSL certificates by following the “Generating self-signed certificates - OpenSearch documentation” link. I am using the “helm-charts/charts/opensearch at main · opensearch-project/helm-charts · GitHub” helm chart.

Describe the issue:
I have created two certificates, an admin certificate and a root certificate, and added root-ca.pem, admin.pem, and admin-key.pem to the configuration file as suggested in the official document. I converted the certificate and private key to base64 format and stored the encoded certificate value in a Kubernetes secret.
After installing the OpenSearch Helm chart, I am getting the error below.

[2023-02-20T10:30:09,269][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [opensearch-cluster-master-0] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca

Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca

Configuration:

plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: certs/tls.crt
        pemkey_filepath: certs/tls.key
        pemtrustedcas_filepath: auth/tls.crt
        enforce_hostname_verification: false
        resolve_hostname: false
      http:
        enabled: true
        pemcert_filepath: certs/tls.crt
        pemkey_filepath: certs/tls.key
        pemtrustedcas_filepath: auth/tls.crt
        enabled_ciphers: ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA","TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"]
        enabled_protocols:
          - TLSv1.1
          - TLSv1.2
    allow_unsafe_democertificates: true
    allow_default_init_securityindex: true

secretMounts:
  - name: opensearch-certs
    secretName: opensearch-certs-tls
    path: /usr/share/opensearch/config/certs
  - name: root-cert
    secretName: root-cert
    path: /usr/share/opensearch/config/auth

Relevant Logs or Screenshots:

[2023-02-20T10:30:09,269][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [opensearch-cluster-master-0] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:358) ~[?:?]
at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293) ~[?:?]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:204) ~

plugins.security.ssl.transport.pemtrustedcas_filepath

plugins.security.ssl.http.pemtrustedcas_filepath

You might need to update those to point to the CA that was used to sign the tls certs?

The root CA (tls.crt) has two values: the first one is for the domain, and the second contains the root CA of Let's Encrypt (R3), so plugins.security.ssl.transport.pemtrustedcas_filepath and plugins.security.ssl.http.pemtrustedcas_filepath are already configured and I still have the same issues.

@siradjeddine As per @jasonrojas's comment, both must be configured with the CA certificates that signed the node certificates.
In your configuration, you've used the same CA certificate for the CA and node certificate options.

You need to provide a node certificate with Server and Client attributes in plugins.security.ssl.transport.pemcert_filepath and plugins.security.ssl.http.pemcert_filepath.

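A way to reproduce the two checks the replies above ask for offline, with openssl, before touching the cluster. This is an added example and not code from any post in this thread or from the OpenSearch project: it builds a throwaway root CA, a node certificate signed by it, and an unrelated self-signed certificate (all constructed in a temp directory; the file names root-ca.pem, node.pem and other.pem are assumptions), then answers the same questions the security plugin effectively asks at handshake time: does the file given as pemcert_filepath chain to the file given as pemtrustedcas_filepath, and does the node certificate carry both serverAuth and clientAuth.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the trust check behind
# "Received fatal alert: unknown_ca" with openssl, on throwaway certificates.
# Assumed file names: root-ca.pem, node.pem, other.pem (all constructed here).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_demo_certs: a self-signed root CA, a node certificate signed by that CA
# with serverAuth+clientAuth, and an unrelated self-signed certificate that
# plays the role of a wrong pemtrustedcas_filepath.
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root-ca" \
    -keyout "$WORK/root-ca-key.pem" -out "$WORK/root-ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=opensearch-cluster-master-0" \
    -keyout "$WORK/node-key.pem" -out "$WORK/node.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:opensearch-cluster-master-0\n' \
    > "$WORK/node.ext"
  openssl x509 -req -days 1 -in "$WORK/node.csr" -CA "$WORK/root-ca.pem" \
    -CAkey "$WORK/root-ca-key.pem" -CAcreateserial -extfile "$WORK/node.ext" \
    -out "$WORK/node.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=unrelated-self-signed" \
    -keyout "$WORK/other-key.pem" -out "$WORK/other.pem" >/dev/null 2>&1
}

# chain_ok NODE_CERT CA_FILE: succeeds only if NODE_CERT chains to a CA in CA_FILE.
# This is what the peer's TLS stack does with pemtrustedcas_filepath; a failure
# here is what surfaces as unknown_ca during the handshake.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# has_server_and_client_eku CERT: succeeds if the certificate carries both
# serverAuth and clientAuth, which a transport-layer node certificate needs
# because every node acts as TLS server and TLS client towards its peers.
has_server_and_client_eku() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null)
  case "$text" in
    *"TLS Web Server Authentication"*) ;;
    *) return 1 ;;
  esac
  case "$text" in
    *"TLS Web Client Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

# report NODE_CERT CA_FILE: human-readable summary for one pemcert/pemtrustedcas pair.
report() {
  if chain_ok "$1" "$2"; then echo "chain: OK   ($1 is signed by a CA in $2)"
  else echo "chain: FAIL ($1 does not chain to $2 -> expect unknown_ca)"; fi
  if has_server_and_client_eku "$1"; then echo "eku:   OK   (serverAuth and clientAuth present)"
  else echo "eku:   FAIL (node certificate needs serverAuth and clientAuth)"; fi
}

# Usage: sh check_chain.sh demo   (builds the demo certs and reports both pairings)
if [ "${1:-}" = "demo" ]; then
  make_demo_certs
  echo "== node cert paired with the CA that signed it =="
  report "$WORK/node.pem" "$WORK/root-ca.pem"
  echo "== node cert paired with a trust file that did not sign it =="
  report "$WORK/node.pem" "$WORK/other.pem"
fi
```

To apply this to a real deployment, run `chain_ok` and `has_server_and_client_eku` against the files actually mounted in the pod (the certs/tls.crt and auth/tls.crt paths from the configuration above); if the first check fails, the trust file does not contain the CA that issued the node certificate, which is exactly the condition the unknown_ca alert reports.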