How to handle ssl certs for remote cluster for reindex api?

ericallen · July 19, 2022, 8:21pm

I am trying to use the reindex api to copy an index from a remote cluster into the local cluster. What is the process for adding the cert for the remote cluster in order to connect? I have tried added the remote CA and intermediary to the plugins.security.ssl.transport.pemtrustedcas_filepath and plugins.security.ssl.http.pemtrustedcas_filepath but no luck.

Any suggestion on getting connection to a remote cluster working?

Error when trying to run reindex

{
  "error" : {
    "root_cause" : [
      {
        "type" : "s_s_l_handshake_exception",
        "reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
      }
    ],
    "type" : "s_s_l_handshake_exception",
    "reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
    "caused_by" : {
      "type" : "validator_exception",
      "reason" : "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
      "caused_by" : {
        "type" : "sun_cert_path_builder_exception",
        "reason" : "unable to find valid certification path to requested target"
      }
    }
  },
  "status" : 500
}

pablo · July 22, 2022, 1:28pm

@ericallen Have you added remote certs on both sides? Both sides should contain local and remote CA certificates in one .pem file.

drosenst · July 17, 2023, 1:24pm

What is the configuration i need to use the installed cert? In elasticsearch it was reindex.ssl.truststore.path
What would be the equivalent of that?

Eugene7 · July 17, 2023, 4:13pm

What versions of OpenSearch do you use for remote and local clusters?

drosenst · July 17, 2023, 6:29pm

I am reindexing from elastic 8.7 to opensearch 1.2.0
The issue i have is that i have a cert i need to install. The cert is in my confimap but i dont know the parameter I need to set to point to the certificate

Eugene7 · July 19, 2023, 9:53am

Hi @drosenst

Can you try to run the following command? Please use your user credentials that you used in the reindex request.

curl -k -u username:password -XGET "https://remote_cluster_hostname:9200/"

Also, please share your opensearch.yml and elasticsearch.yml.

Eugene7 · July 19, 2023, 11:00am

Also, you need to concatenate all of the following into a single .pem file :

the root-CA of the local cluster
all the intermediate CAs of the local cluster
the root-CA of the remote cluster
all the intermediate CAs of the remote cluster

You can concatenate this into a single “chain.pem” file, for example. You will need to make this file available on both clusters.

drosenst · July 20, 2023, 5:47am

what parameter do i set in the opensearch.yml to use the cert in reindex?
When i access the elasticsearch index i added the cert to my connection object in my python code.
So what i am trying to do is add the same pem to teh helm chart and then know what param to set in the opensearch.yml.
Thanks

Eugene7 · July 21, 2023, 2:50pm

Hi @drosenst

You can use reindex.ssl.truststore.path parameter in opensearch.yml.

Reindex API for OpenSearch 1.2 doesn’t work with the remote server ElasticSearch 8.7 in my lab. But Reindex API for OpenSearch 2.x works well with remote server ElasticSearch 8.7.

drosenst · July 23, 2023, 6:46am

Thanks a lot for the reply

saadopensearch · May 22, 2024, 12:01am

@Eugene7
I am still confused on how to make the file available on both the clusters?
I am using ElasticSearch 8.6.1 and Opensearch 2.12.0, what I am trying to do is to reindex the data from elasticsearch to opensearch and I am getting stuck into this error related to the certificate mismatch. Should I use the same certificates for both the elasticsearch and opensearch clusters? How should I solve this?

My ES is running on K8s and is being configured by the ES-K8s-operator, hence the certs for the elasticsearch and handled by the operator and the Opensearch is running in the same K8s cluster in another namespace and it is also configured via operator but is using the different certs which are not identical with the elasticsearch.

{"error":{"root_cause":[{"type":"s_s_l_handshake_exception","reason":"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}],"type":"s_s_l_handshake_exception","reason":"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","caused_by":{"type":"validator_exception","reason":"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","caused_by":{"type":"sun_cert_path_builder_exception","reason":"unable to find valid certification path to requested target"}}},"status":500}```

saadopensearch · May 22, 2024, 12:06am

@drosenst
Are you able to resolve this at your end? and what version of Elasticsearch and Opensearch you are having?

Topic		Replies	Views
"SSL Problem PKIX path building failed" & "certificate_unknown" when changing admin certificates Security	1	5091	December 18, 2019
Replacing demo certificates with my organization certificates is not working Security troubleshoot	7	1543	January 12, 2022
Migration from Elastic Search 7.10 with xpack.security to Opensearch 2x OpenSearch	1	408	July 27, 2023
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Open Source Elasticsearch and Kibana	13	12650	April 16, 2024
Error while executing securityadmin.sh in OS 1.2.4 Security security-issue	19	839	October 26, 2023

How to handle ssl certs for remote cluster for reindex api?

Related topics