Describe the issue:
I would like to configure the security plugin with a certificate chain, so that the CA certificate is composed of intermediate CA + root CA. If I put the entire chain (node certificate + intermediate CA + root CA) as the value of
plugins.security.ssl.transport.pemcert_filepath
and
plugins.security.ssl.http.pemcert_filepath
the service starts, but the securityadmin.sh returns this message:
Security Admin v7
Will connect to HOSTNAME:9200 … done
ERR: An unexpected SSLHandshakeException occured: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
See Java high-level REST client - OpenSearch documentation for troubleshooting.
Trace:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
See Java high-level REST client - OpenSearch documentation for troubleshooting.
at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:947)
at org.opensearch.client.RestClient.performRequest(RestClient.java:332)
at org.opensearch.client.RestClient.performRequest(RestClient.java:320)
at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:462)
at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:159)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Do you have any idea how to solve this issue?
Thanks.
@enricof plugins.security.ssl.http.pemcert_filepath should contain only intermediate CA + root CA.
Please be aware that the admin certificate should be signed by the same Intermediate/RootCA as the node cert. If they’re different then you need to add the admin’s RootCA to that chain.pem file too.
-----BEGIN CERTIFICATE-----
< intermediate CA cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Root CA cert >
-----END CERTIFICATE-----
Hi Pablo,
thanks for the fast response.
Do you mean I should remove the node certificate from the chain.pem file and put this chain.pem as the value for plugins.security.ssl.http.pemcert_filepath and also for plugins.security.ssl.transport.pemcert_filepath?
And what about plugins.security.ssl.transport.pemtrustedcas_filepath and plugins.security.ssl.http.pemtrustedcas_filepath? Should they contain only the root CA?
Hi Pablo,
it works with an admin cert signed by the same Intermediate/RootCA as the node cert.
It does not work if the admin cert is signed by a different CA, even if I add the admin cert CA to the .pem file as value of *.pemtrustedcas_filepath as you suggested, such as:
-----BEGIN CERTIFICATE-----
< node intermediate CA cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< node Root CA cert >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< admin Root CA cert>
-----END CERTIFICATE-----
I tried also the reverse order with no success.
Do you have any idea?
Thanks for your help.
@enricof Did you try with just rootCAs in pemtrustedcas and intermediate with node cert in both plugins.security.ssl.transport.pemcert_filepath and plugins.security.ssl.http.pemcert_filepath?
pemtrustedcas
-----BEGIN CERTIFICATE-----
< node Root CA cert >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< admin Root CA cert>
-----END CERTIFICATE-----
ERR: An unexpected SSLHandshakeException occured: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I too encountered this problem. I have one CA for the REST / transport layer certificates (trusted by browsers) and another self-signed CA for the admin certificate.
I configured pemtrustedcas as a concatenation of my two root CA certificates.
I configured pemcert as the node cert concatenated with all intermediate certificates except the root CA certificate.
I used the same pemtrustedcas and pemcert file for the REST and transport layer.
What worked for me was to run the securityadmin.sh script with a -cacert file argument using the same file as pemtrustedcas (a concatenation of the two different root CA certificates).
I hope this helps someone struggle less than I did.
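The layout the last post settles on (node cert plus intermediates in pemcert, roots only in pemtrustedcas, and the admin cert's own root added to that trust file) can be checked offline with openssl before touching securityadmin.sh. The script below is an added example, not code from the thread or from the OpenSearch project: it builds a throwaway lab PKI that mirrors the setup in this thread (node cert issued by an intermediate under one root, admin cert issued by a separate self-signed root), assembles the two bundle files, and runs `openssl verify` against them the way the JVM's PKIX path builder would see them. Every CN, file name and the PKI_DIR location are assumptions for the lab.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSearch project).
# Lab PKI:  root -> inter -> node        adminroot -> admin
# Bundles checked:
#   pemcert.pem       = node cert + intermediate CA   (no root)
#   pemtrustedcas.pem = node root CA + admin root CA  (roots only)
set -e
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"   # assumption: scratch directory for the lab

# Minimal req config so the run does not depend on the system openssl.cnf.
write_configs() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = placeholder\n' \
    > "$PKI_DIR/req.cnf"
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
    > "$PKI_DIR/ca.ext"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth,clientAuth\nsubjectAltName = DNS:node1.example.test\n' \
    > "$PKI_DIR/node.ext"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' \
    > "$PKI_DIR/admin.ext"
}

# new_csr <name> <CN>: fresh P-256 key plus a CSR for it
new_csr() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$PKI_DIR/$1.key"
  openssl req -new -config "$PKI_DIR/req.cnf" -key "$PKI_DIR/$1.key" \
    -subj "/CN=$2" -out "$PKI_DIR/$1.csr"
}

# issue <name> <issuer|self> <extfile>: sign <name>.csr (1 day validity)
issue() {
  if [ "$2" = self ]; then
    openssl x509 -req -in "$PKI_DIR/$1.csr" -signkey "$PKI_DIR/$1.key" \
      -days 1 -extfile "$PKI_DIR/$3" -out "$PKI_DIR/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/$2.pem" \
      -CAkey "$PKI_DIR/$2.key" -CAcreateserial -days 1 \
      -extfile "$PKI_DIR/$3" -out "$PKI_DIR/$1.pem" 2>/dev/null
  fi
}

build_lab_pki() {
  write_configs
  new_csr root "Lab Node Root CA";          issue root self ca.ext
  new_csr inter "Lab Node Intermediate CA"; issue inter root ca.ext
  new_csr node "node1.example.test";        issue node inter node.ext
  new_csr adminroot "Lab Admin Root CA";    issue adminroot self ca.ext
  new_csr admin "securityadmin";            issue admin adminroot admin.ext
  # The file layout the thread ends on:
  cat "$PKI_DIR/node.pem" "$PKI_DIR/inter.pem" > "$PKI_DIR/pemcert.pem"
  cat "$PKI_DIR/root.pem" "$PKI_DIR/adminroot.pem" > "$PKI_DIR/pemtrustedcas.pem"
}

# chains_to <leaf> <trusted-roots-file> [untrusted-chain-file]
# Returns 0 when openssl can build a path from the leaf to a root in the trusted file.
chains_to() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# count_self_signed <bundle.pem>: number of certs whose subject equals its issuer
# (i.e. roots). pemcert should report 0, pemtrustedcas should report 2.
count_self_signed() {
  openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { s = substr($0, 9) }
         /^issuer=/  { if (substr($0, 8) == s) n++ }
         END { print n + 0 }'
}

build_lab_pki
echo "lab PKI written to $PKI_DIR"
echo "roots in pemcert.pem:       $(count_self_signed "$PKI_DIR/pemcert.pem")"
echo "roots in pemtrustedcas.pem: $(count_self_signed "$PKI_DIR/pemtrustedcas.pem")"
chains_to "$PKI_DIR/node.pem" "$PKI_DIR/pemtrustedcas.pem" "$PKI_DIR/pemcert.pem" \
  && echo "node cert: path found through the intermediate"
chains_to "$PKI_DIR/admin.pem" "$PKI_DIR/pemtrustedcas.pem" \
  && echo "admin cert: path found to the admin root"
chains_to "$PKI_DIR/admin.pem" "$PKI_DIR/root.pem" \
  || echo "admin cert vs node root only: no path (the PKIX error in this thread)"
```

The last two checks reproduce the two failure modes discussed above: an admin cert whose root is absent from pemtrustedcas cannot be validated, and a node cert presented without its intermediate cannot be chained to the root either. Pointing securityadmin.sh's -cacert at the same pemtrustedcas file, as the last post does, gives the client the same set of roots the node trusts.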