Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch Version: 2.11.0
Server OS: Ubuntu 22.04
Browser: Google Chrome
Problem:
I have 2 VMs and each of them has an OpenSearch instance running on the host. I am able to get results from the curl request.
curl -u admin:opensearch123 -k -X GET "https://192.168.0.28:9200/_cluster/health?pretty"
And it gives following output:
{
"cluster_name" : "my-application",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 2,
"number_of_data_nodes" : 2,
"discovered_master" : true,
"discovered_cluster_manager" : true,
"active_primary_shards" : 5,
"active_shards" : 10,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
The problem is, when I open my browser and type “https://192.168.0.9200”
I receive following error in logs:
[2024-05-27T10:41:47,137][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-2] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
Configuration:
opensearch.yml
of one instance is:
cluster.name: my-application
node.name: node-1
path.data: /var/es/data
path.logs: /var/es/logs
network.host: 192.168.0.28
discovery.seed_hosts: ["192.168.0.28", "192.168.0.13"]
cluster.initial_cluster_manager_nodes: ["node-1", "node-2"]
plugins.security.disabled: false
plugins.security.ssl.transport.pemcert_filepath: /opt/opensearch/config/certs/node1.pem
plugins.security.ssl.transport.pemkey_filepath: /opt/opensearch/config/certs/node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /opt/opensearch/config/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /opt/opensearch/config/certs/node1.pem
plugins.security.ssl.http.pemkey_filepath: /opt/opensearch/config/certs/node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /opt/opensearch/config/certs/root-ca.pem
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
- 'CN=A,OU=UNIT,O=ORG,L=isb,ST=punjab,C=pk'
plugins.security.nodes_dn:
- 'CN=192.168.0.28,OU=UNIT,O=ORG,L=isb,ST=punjab,C=pk'
- 'CN=192.168.0.13,OU=UNIT,O=ORG,L=isb,ST=punjab,C=pk'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
opensearch.yml
of other instance is:
cluster.name: my-application
node.name: node-2
path.data: /var/es/data
path.logs: /var/es/logs
network.host: 192.168.0.13
discovery.seed_hosts: ["192.168.0.28", "192.168.0.13"]
cluster.initial_cluster_manager_nodes: ["node-1", "node-2"]
plugins.security.disabled: false
plugins.security.ssl.transport.pemcert_filepath: /opt/opensearch/config/certs/node1.pem
plugins.security.ssl.transport.pemkey_filepath: /opt/opensearch/config/certs/node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /opt/opensearch/config/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /opt/opensearch/config/certs/node1.pem
plugins.security.ssl.http.pemkey_filepath: /opt/opensearch/config/certs/node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /opt/opensearch/config/certs/root-ca.pem
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
- 'CN=A,OU=UNIT,O=ORG,L=isb,ST=punjab,C=pk'
plugins.security.nodes_dn:
- 'CN=192.168.0.13,OU=UNIT,O=ORG,L=isb,ST=punjab,C=pk'
- 'CN=192.168.0.28,OU=UNIT,O=ORG,L=isb,ST=punjab,C=pk'
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
I am using the same root CA and admin certificates. Only the node certificates are changed. Following are the commands using which I have generated my certificates:
#ROOT CA certificates
openssl genrsa -out root-ca-key.pem 2048
openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=pk/ST=punjab/L=isb/O=ORG/OU=UNIT/CN=ROOT" -out root-ca.pem -days 730
#Admin certificates
openssl genrsa -out admin-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
openssl req -new -key admin-key.pem -subj "/C=pk/ST=punjab/L=isb/O=ORG/OU=UNIT/CN=A" -out admin.csr
openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730
#Node certificates:
#I have generated IP bound certificates for each node
openssl genrsa -out node1-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem
openssl req -new -key node1-key.pem -subj "/C=pk/ST=punjab/L=isb/O=ORG/OU=UNIT/CN=192.168.0.13" -out node1.csr
sudo sh -c 'echo subjectAltName=IP:192.168.0.13 > node1.ext'
openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext
Please tell how can I view this in browser and avoid this error?
Is this issue related to internal users?
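The `certificate_unknown` alert in the log is sent by the browser, not by OpenSearch: the TLS client rejected the server certificate before any HTTP request (and therefore before any internal-user authentication) took place. The three things a practitioner checks for a self-signed setup like the one above are: does the node certificate chain to `root-ca.pem`, does its SAN contain the exact IP typed into the browser (browsers ignore the CN), and does the private key configured in `opensearch.yml` actually belong to that certificate. The script below is an added example, not part of the original post; it rebuilds a root CA and an IP-bound node certificate with the same openssl steps as the post in a temporary directory (the directory, the IP 192.168.0.13 and the subject names are constructed for the example) and runs those three checks offline.

```shell
#!/bin/sh
# Added example: reproduce the post's CA/node certificate generation in a
# scratch directory, then run the checks that explain a browser-side
# "certificate_unknown" alert. Assumes openssl is installed. The work
# directory, NODE_IP and subject names are constructed for this example.
set -e

WORK=$(mktemp -d)
NODE_IP=192.168.0.13   # constructed: the address that will be typed in the browser

# Same steps as the post (minus the pkcs8 conversion, which openssl pkey handles either way).
make_certs() {
  cd "$WORK"
  openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
  openssl req -new -x509 -sha256 -key root-ca-key.pem \
    -subj "/C=pk/ST=punjab/L=isb/O=ORG/OU=UNIT/CN=ROOT" -out root-ca.pem -days 730
  openssl genrsa -out node1-key.pem 2048 2>/dev/null
  openssl req -new -key node1-key.pem \
    -subj "/C=pk/ST=punjab/L=isb/O=ORG/OU=UNIT/CN=$NODE_IP" -out node1.csr
  echo "subjectAltName=IP:$NODE_IP" > node1.ext
  openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem \
    -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext 2>/dev/null
}

# Check 1: does the node cert chain to the root CA the browser must trust? Prints ok/fail.
verify_chain() {
  if openssl verify -CAfile "$WORK/root-ca.pem" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Check 2: is the given IP present in the certificate's SAN? Prints yes/no.
# Browsers match the typed host/IP against SAN entries only, never against the CN.
san_has_ip() {
  if openssl x509 -in "$1" -noout -text | grep -qE "IP Address:$2(,|$)"; then
    echo yes
  else
    echo no
  fi
}

# Check 3: does the private key belong to the certificate? Prints yes/no.
# Compares SHA-256 of the DER public key taken from each file.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  if [ "$c" = "$k" ]; then
    echo yes
  else
    echo no
  fi
}

make_certs
echo "chain to root CA:          $(verify_chain "$WORK/node1.pem")"
echo "SAN contains $NODE_IP:   $(san_has_ip "$WORK/node1.pem" "$NODE_IP")"
echo "SAN contains 192.168.0.28: $(san_has_ip "$WORK/node1.pem" 192.168.0.28)"
echo "key matches cert:          $(key_matches_cert "$WORK/node1.pem" "$WORK/node1-key.pem")"
```

Even when all three checks pass, a browser still reports the certificate as unknown until `root-ca.pem` is imported into the browser's or operating system's trust store, because the CA is self-made and not in any public root program; that import is the actual fix for the question asked. Against the live node, `openssl s_client -connect 192.168.0.13:9200 -CAfile root-ca.pem </dev/null` shows which certificate the server really presents, which is the quickest way to catch a config that points at the wrong node's `pemcert_filepath`.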