Received fatal alert: certificate_unknown - cluster

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.8.0

Describe the issue:
When trying to configure OpenSearch with my own certificates I receive the following error in the logs:
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

When using the certificates bundled with OpenSearch everything works as expected.

Configuration:
Podman config:
# ExecStart line as used in a podman-generated systemd unit (%t and %n are systemd specifiers);
# the -e KEY=VALUE pairs are turned into opensearch.yml settings by the image entrypoint
/usr/bin/podman container run --cidfile=%t/%n.ctr-id --cgroups=no-conmon \
  --rm --sdnotify=conmon -d --replace \
  --name opensearch \
  --privileged=False --log-driver journald \
  --network host --pid host \
  -e "cluster.name=foo" \
  -e "node.name=search1-dc1-docker-local" \
  -e "discovery.seed_hosts=search1-dc1-docker-local.${domain}" \
  -e "network.bind_host=[local, site]" \
  -e "cluster.initial_cluster_manager_nodes=search1-dc1-docker-local" \
  -e "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" \
  -v /tmp/opensearch.yml:/usr/share/opensearch/config/opensearch.yml \
  -v /tmp/esnode.pem:/usr/share/opensearch/config/esnode.pem \
  -v /tmp/esnode-key.pem:/usr/share/opensearch/config/esnode-key.pem \
  -v /tmp/root-ca.pem:/usr/share/opensearch/config/root-ca.pem \
  docker.io/opensearchproject/opensearch:latest

opensearch.yml
cluster.name: foo

# Bind to all interfaces because we don't know what IP address Docker will assign to us.
network.host: search1-dc1-docker-local.${domain}

# minimum_master_nodes need to be explicitly set when bound on a public IP
# set to 1 to allow single node clusters
discovery.zen.minimum_master_nodes: 1

# Setting network.host to a non-loopback address enables the annoying bootstrap checks.
# "Single-node" mode disables them again.
discovery.type: single-node

plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: false
plugins.security.allow_default_init_securityindex: true
plugins.security.nodes_dn:
  - 'CN=*.${domain}t,O=company.,L=Vancouver,ST=British Columbia,C=CA'

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models"]
node.max_local_storage_nodes: 3

config.yml has not been edited

One part of the docs I am not sure about is the admin certificates. I am using a wildcard certificate for my nodes (that I have used for a while), but I am unsure how to get the admin certificate for this?

I was able to resolve this by appending my intermediate cert to the end of my root CA.

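The failure and the fix described in the post can be reproduced offline with a throwaway PKI. The script below is an added example, not code from the post or from OpenSearch: it builds a root CA, an intermediate CA and a wildcard node certificate issued by that intermediate, then runs `openssl verify` three ways. With only the root in the trusted-CA file the chain cannot be built (the situation behind `certificate_unknown`); with root plus intermediate concatenated into one file (the post's fix) it verifies; and it also verifies when the intermediate is presented as part of the node's own chain instead. It assumes `openssl` 1.1.1 or 3.x is on PATH; the CA names, `*.example.test` and the work directory are invented for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from OpenSearch.
# Reproduces the trust failure behind "Received fatal alert: certificate_unknown"
# with a throwaway root -> intermediate -> node-cert chain, then shows that a
# trusted-CA file holding root + intermediate (the fix from the post) makes the
# chain verifiable. Assumes openssl 1.1.1 or 3.x on PATH; all names (Demo Root CA,
# *.example.test, the work directory) are made up for the demo.
set -u

WORK="${WORK:-$(mktemp -d)}"

gen_pki() {
    # One small config drives every openssl call; each section below is an
    # extension profile selected with -extensions (CA vs. end-entity).
    cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[int_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[node_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:*.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    # Root CA: self-signed; this plays the role of the root-ca.pem the post mounts.
    openssl req -x509 $key -days 30 -config "$WORK/pki.cnf" -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root-ca.pem" 2>/dev/null
    # Intermediate CA: issued by the root.
    openssl req -new $key -config "$WORK/pki.cnf" -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root-ca.pem" -CAkey "$WORK/root.key" \
        -set_serial 0x1001 -days 30 -extfile "$WORK/pki.cnf" -extensions int_ext \
        -out "$WORK/intermediate.pem" 2>/dev/null
    # Node (wildcard) certificate: issued by the intermediate, like the post's esnode.pem.
    openssl req -new $key -config "$WORK/pki.cnf" -subj "/CN=*.example.test" \
        -keyout "$WORK/esnode-key.pem" -out "$WORK/esnode.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/esnode.csr" -CA "$WORK/intermediate.pem" -CAkey "$WORK/int.key" \
        -set_serial 0x1002 -days 30 -extfile "$WORK/pki.cnf" -extensions node_ext \
        -out "$WORK/esnode.pem" 2>/dev/null
    # The fix from the post: root first, then the intermediate, in one trusted-CA file.
    cat "$WORK/root-ca.pem" "$WORK/intermediate.pem" > "$WORK/root-ca-bundle.pem"
}

# Returns openssl's verify status: 0 when a chain from esnode.pem to a CA
# trusted via $1 can be built, non-zero otherwise.
verify_with() {
    openssl verify -CAfile "$1" "$WORK/esnode.pem" >/dev/null 2>&1
}

# Same check, but with the intermediate ($2) offered as an untrusted chain cert,
# which is what a peer sees when the node itself sends leaf + intermediate.
verify_with_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/esnode.pem" >/dev/null 2>&1
}

gen_pki
if verify_with "$WORK/root-ca.pem"; then
    echo "root only: chain OK (unexpected)"
else
    echo "root only: chain FAILS (this is the certificate_unknown situation)"
    openssl verify -CAfile "$WORK/root-ca.pem" "$WORK/esnode.pem" 2>&1 | tail -n 1
fi
if verify_with "$WORK/root-ca-bundle.pem"; then
    echo "root + intermediate bundle: chain OK"
fi
if verify_with_chain "$WORK/root-ca.pem" "$WORK/intermediate.pem"; then
    echo "root + node-sent intermediate: chain OK"
fi
```

Against a live node the equivalent check is `openssl s_client -connect <node>:9200 -showcerts`, which prints every certificate the node actually sends; if only the leaf appears and the peer's trusted-CA file holds only the root, the handshake ends in exactly this alert. Two caveats worth keeping in mind: concatenating the intermediate into the trusted-CA file makes that intermediate a trust anchor in its own right, so every certificate it ever issues that matches a `nodes_dn` pattern will be accepted as a cluster node; and the third verification above shows the alternative of shipping the intermediate with the node certificate instead, which leaves only the root as the anchor.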