When trying to log in to OpenSearch Dashboards, the dashboard is not loading, with a "The page isn't working, <kibana/os-dash>.internal.lan redirected too many times" error. Login is using an OIDC configuration with Keycloak as the SSO connect provider. I can see that a JWT token is being returned to OpenSearch with a valid role that OpenSearch can use. I am using a truststore configured in opensearch.yml. OSS and OS-Dash are running as containers, v1.2.0 with default configuration, except that self-signed certs are used everywhere.
When I put the truststore in as a runtime parameter (not an opensearch.yml SSL configuration), SSO from OS-Dash to OpenSearch works as expected. The error I am getting in OpenSearch is:
[2022-01-15T11:06:31,459][DEBUG][c.a.d.a.h.j.k.SelfRefreshingKeySet] [ossearch.internal.lan] performRefresh(pNYNaCIKS5HmZcc8zs-TMtjPnC_cY04BVbJ5amioNhI)
[2022-01-15T11:06:31,459][INFO ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [ossearch.internal.lan] Performing refresh 1
[2022-01-15T11:06:31,614][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [ossearch.internal.lan] com.amazon.dlic.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException: Authentication backend failed
[2022-01-15T11:06:31,614][WARN ][o.o.s.h.HTTPBasicAuthenticator] [ossearch.internal.lan] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2022-01-15T11:06:31,615][WARN ][o.o.s.a.BackendRegistry ] [ossearch.internal.lan] Authentication finally failed for null from 10.0.5.8:45846
[2022-01-15T11:06:31,614][WARN ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [ossearch.internal.lan] KeySetProvider threw error
com.amazon.dlic.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException: Error while getting https://sso.internal.lan/auth/realms/master/.well-known/openid-configuration: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.amazon.dlic.auth.http.jwt.keybyoidc.KeySetRetriever.getJwksUri(KeySetRetriever.java:149) ~[opensearch-security-1.2.0.0.jar:1.2.0.0]
at com.amazon.dlic.auth.http.jwt.keybyoidc.KeySetRetriever.get(KeySetRetriever.java:70) ~[opensearch-security-1.2.0.0.jar:1.2.0.0]
at com.amazon.dlic.auth.http.jwt.keybyoidc.SelfRefreshingKeySet$1.run(SelfRefreshingKeySet.java:214) [opensearch-security-1.2.0.0.jar:1.2.0.0]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) [?:?]
at java.lang.Thread.run(Thread.java:832) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
And in OpenSearch Dashboards:
log [11:10:16.305] [error][data][opensearch] [ConnectionError]: connect ECONNREFUSED ossearch.internal.lan:9200
log [11:10:16.728] [error][data][opensearch] [ConnectionError]: connect ECONNREFUSED ossearch.internal.lan:9200
...
Note, I have verified that the truststore in the running OSS container works from OSS to Keycloak, by adding SSLPoke to the image and testing:
Verifying the truststore on the broken instance (the one with the above error); mounting SSLPoke and using truststore.jks:
Also, if I add -Djavax.net.ssl.trustStore=/usr/share/opensearch/config/truststore.jks to the container run command, I am not getting this issue (i.e. go to the OSS URL, get redirected to Keycloak, the JWT token is returned, and I am logged into OS-Dashboards):
docker run -e OPENSEARCH_JAVA_OPTS="-Djavax.net.ssl.trustStore=/usr/share/opensearch/config/truststore.jks" opensearchproject/opensearch:1.2.0
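The log lines above show the root of the redirect loop: the security plugin's OIDC key retriever fails its outbound TLS connection to the Keycloak discovery endpoint, so every login attempt falls back to a 401 and Dashboards redirects again. As an added triage helper (not from the post or from the OpenSearch project), the following script scans OpenSearch log output for that specific "Error while getting <url>" signature, extracts the IdP URL the plugin tried to reach, and buckets the root exception so an operator can tell a trust-store problem apart from a DNS or connectivity problem. The sample log is constructed from the lines in the post; the regex assumes the message format shown there.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches the security plugin's OIDC discovery failure line, capturing the URL the
# KeySetRetriever tried to fetch and the root Java exception it reported.
_OIDC_FETCH_RE = re.compile(
    r"AuthenticatorUnavailableException: Error while getting (?P<url>\S+): "
    r"(?P<cause>[\w.$]+(?:Exception|Error)): (?P<detail>.*)"
)

@dataclass
class IdpFetchFailure:
    url: str       # OIDC discovery document the plugin could not fetch
    cause: str     # Java exception class at the root of the failure
    category: str  # coarse triage bucket, see classify()

def classify(cause: str, detail: str) -> str:
    """Bucket the root cause so an operator knows where to look first."""
    if cause == "javax.net.ssl.SSLHandshakeException" and "PKIX path building failed" in detail:
        # The plugin's outbound HTTPS client to the IdP does not trust the IdP's
        # certificate chain: the trust store used for that client is missing the CA.
        return "idp_tls_trust"
    if cause.endswith("SSLHandshakeException"):
        return "idp_tls_other"       # e.g. hostname mismatch or protocol mismatch
    if cause.endswith("UnknownHostException"):
        return "idp_dns"
    if cause.endswith("ConnectException"):
        return "idp_unreachable"
    return "idp_unknown"

def find_idp_fetch_failures(log_text: str) -> List[IdpFetchFailure]:
    """Scan OpenSearch log output for OIDC discovery fetch failures."""
    findings = []
    for line in log_text.splitlines():
        m = _OIDC_FETCH_RE.search(line)
        if m:
            findings.append(IdpFetchFailure(m["url"], m["cause"], classify(m["cause"], m["detail"])))
    return findings

# Constructed sample: the failure line from the post plus lines that must be ignored.
SAMPLE_LOG = """\
[2022-01-15T11:06:31,614][WARN ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [ossearch.internal.lan] KeySetProvider threw error
com.amazon.dlic.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException: Error while getting https://sso.internal.lan/auth/realms/master/.well-known/openid-configuration: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
log [11:10:16.305] [error][data][opensearch] [ConnectionError]: connect ECONNREFUSED ossearch.internal.lan:9200
"""

if __name__ == "__main__":
    for f in find_idp_fetch_failures(SAMPLE_LOG):
        print(f"{f.category}: {f.url} ({f.cause})")
```

A finding in the idp_tls_trust bucket means the CA that signed the IdP's certificate is not in whatever trust store the plugin's HTTP client uses, which matches the post's observation that a JVM-wide -Djavax.net.ssl.trustStore resolves it.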