Opensearch python error: certificate verify failed: unable to get issuer certificate

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

opensearchproject/opensearch:2.14.0
opensearch-py:2.6.0

Describe the issue:
Getting ssl error in opensearch.py.

opensearchpy.exceptions.SSLError: ConnectionError(HTTPSConnectionPool(host='vulcan.jlab.org', port=9200):
Max retries exceeded with url: /python-test-index
(Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] 
certificate verify failed: unable to get issuer certificate (_ssl.c:1129)')))) 
caused by: SSLError(HTTPSConnectionPool(host='vulcan.jlab.org', port=9200): 
Max retries exceeded with url: /python-test-index (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] 
certificate verify failed: unable to get issuer certificate (_ssl.c:1129)'))))

I am running:

from opensearchpy import OpenSearch, RequestsHttpConnection
host = 'vulcan.jlab.org'
port = 9200
# Define the authentication credentials
auth = ('invenio', 'mypassword')
ca_certs_path = '/path/to/ca.pem'
client = OpenSearch(
    hosts=[{'host': host, 'port': port}],
    http_auth=auth,
    use_ssl=True,
    verify_certs=True,
    ca_certs=ca_certs_path,
    ssl_assert_hostname= False,
    connection_class=RequestsHttpConnection
)

I tried running by removing connection_class=RequestsHttpConnection as well.

Same thing WORKS with curl.

 curl -XGET -u 'invenio:mypassword' --cacert ca.pem 'https://vulcan.jlab.org:9200'   
{
  "name" : "opensearch-node1",
  "cluster_name" : "opensearch-cluster",
  "cluster_uuid" : "CyDucXJ1Tler-GuZ2TYZ0g",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.14.0",
    "build_type" : "tar",
    "build_hash" : "aaa555453f4713d652b52436874e11ba258d8f03",
    "build_date" : "2024-05-09T18:51:00.973564994Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Configuration:
config.yml

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    kibana:
      multitenancy_enabled: true
      private_tenant_enabled: true
      default_tenant: global_tenant
      server_username: "kibanaserver" 
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        #remoteIpHeader:  'x-forwarded-for'
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop

opensearch.yml

cluster.name: "opensearch-cluster"
node.name: "opensearch-node1"
network.host: _site_ 
http.port: 9200
discovery.seed_hosts: ["opensearch-node1"] 
cluster.initial_master_nodes: ["opensearch-node1"] 

# Security settings
plugins.security.ssl.transport.pemcert_filepath: certificates/hostcert.pem
plugins.security.ssl.transport.pemkey_filepath: certificates/hostkey.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certificates/ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certificates/hostcert.pem
plugins.security.ssl.http.pemkey_filepath: certificates/hostkey.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certificates/ca.pem

plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - CN=vulcan.jlab.org,O=Thomas Jefferson National Accelerator Facility,ST=Virginia,C=US,DC=incommon,DC=org

plugins.security.nodes_dn:
  - 'DC = org, DC = incommon, C = US, ST = Virginia, O = Thomas Jefferson National Accelerator Facility, CN = vulcan.jlab.org'

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
opendistro_security.audit.config.disabled_rest_categories: NONE
opendistro_security.audit.config.disabled_transport_categories: NONE

Relevant Logs or Screenshots:

Hi @panta,

Does it work if you set verify_certs to False?

verify_certs=False

Best,
mj