Received fatal alert: certificate_unknown - cluster

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:
When trying to configure Opensearch with my own certificates I receive the following error in the logs: Received fatal alert: certificate_unknown

When using the certificates bundled with Opensearch everything works as expected.

Podman config:
/usr/bin/podman container run --cidfile=%t/%n.ctr-id --cgroups=no-conmon
–rm --sdnotify=conmon -d --replace
–name opensearch
–privileged=False --log-driver journald
–network host --pid host
-e “”
-e “”
-e “discovery.seed_hosts=search1-dc1-docker-local.${domain}”
-e “network.bind_host: [local, site]”
-e “cluster.initial_cluster_manager_nodes=search1-dc1-docker-local”
-v /tmp/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
-v /tmp/esnode.pem:/usr/share/opensearch/config/esnode.pem
-v /tmp/esnode-key.pem:/usr/share/opensearch/config/esnode-key.pem
-v /tmp/root-ca.pem:/usr/share/opensearch/config/root-ca.pem

opensearch.yml foo

Bind to all interfaces because we don’t know what IP address Docker will assign to us. search1-dc1-docker-local.${domain}

# minimum_master_nodes need to be explicitly set when bound on a public IP

# set to 1 to allow single node clusters

discovery.zen.minimum_master_nodes: 1

Setting to a non-loopback address enables the annoying bootstrap checks. “Single-node” mode disables them again.

discovery.type: single-node esnode.pem esnode-key.pem root-ca.pem false true esnode.pem esnode-key.pem root-ca.pem false true

  • ‘CN=*.${domain}t,O=company.,L=Vancouver,ST=British Columbia,C=CA’ internal_opensearch true true [“all_access”, “security_rest_api_access”] true [“.plugins-ml-model-group”, “.plugins-ml-model”, “.plugins-ml-task”, “.opendistro-alerting-config”, “.opendistro-alerting-alert*”, “.opendistro-anomaly-results*”, “.opendistro-anomaly-detector*”, “.opendistro-anomaly-checkpoints”, “.opendistro-anomaly-detection-state”, “.opendistro-reports-", ".opensearch-notifications-”, “.opensearch-notebooks”, “.opensearch-observability”, “.ql-datasources”, “.opendistro-asynchronous-search-response*”, “.replication-metadata-store”, “.opensearch-knn-models”]
node.max_local_storage_nodes: 3

config.yml has not been edited

One part of the docs I am not sure about is the admin certificates. I am using a wildcard certificate for my nodes (that I have used for a while), but I am unsure how to get the admin certificate for this?

I was able to resolve this by appending my intermediate cert to the end of my root CA.

1 Like