Received fatal alert: certificate_unknown (letsencrypt, opensearch)

Hey,
I am trying to configure OpenSearch using a Let's Encrypt certificate. Everything used to work normally, but now I am getting this error:

[2024-05-21T13:33:19,375][WARN ][o.o.h.AbstractHttpServerTransport] [opensearch-cluster-master-0] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:43918}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

Configuration:


  opensearch.yml: |
    cluster.name: opensearch-cluster

    # Bind to all interfaces because we don't know what IP address Docker will assign to us.
    network.host: 0.0.0.0

    # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
    # Implicitly done if ".singleNode" is set to "true".
    # discovery.type: single-node

    # Start OpenSearch Security Demo Configuration
    # WARNING: revise all the lines below before you go into production
    plugins:
      security:
        nodes_dn:
            - 'CN=opensearch.labadeiz.adeiz.eu'
        ssl:
          transport:
            pemcert_filepath: certs/tls.crt
            pemkey_filepath:  certs/tls.key
            pemtrustedcas_filepath: certs/tls.crt
            enforce_hostname_verification: false
          http:
            enabled: true
            pemcert_filepath: certs/tls.crt
            pemkey_filepath: certs/tls.key
            pemtrustedcas_filepath: certs/tls.crt
        allow_unsafe_democertificates: true
        allow_default_init_securityindex: true
        authcz:
          admin_dn:
            - 'CN=opensearch.labadeiz.adeiz.eu'
        audit.type: internal_opensearch
        enable_snapshot_restore_privilege: true
        check_snapshot_restore_write_privileges: true
        restapi:
          roles_enabled: ["all_access", "security_rest_api_access"]
        system_indices:
          enabled: true
          indices:
            [
              ".opendistro-alerting-config",
              ".opendistro-alerting-alert*",
              ".opendistro-anomaly-results*",
              ".opendistro-anomaly-detector*",
              ".opendistro-anomaly-checkpoints",
              ".opendistro-anomaly-detection-state",
              ".opendistro-reports-*",
              ".opendistro-notifications-*",
              ".opendistro-notebooks",
              ".opendistro-asynchronous-search-response*",
            ]
    ######## End OpenSearch Security Demo Configuration ########

extraEnvs:
  - name: DISABLE_INSTALL_DEMO_CONFIG
    value: "true"

extraVolumes:
  - name: opensearch-certs
    secret:
      secretName: tls-for-opensearch

  - name: opensearch-root-certs
    secret:
      secretName: root-ca

extraVolumeMounts:
  - name: opensearch-certs
    mountPath: /usr/share/opensearch/config/certs
    readOnly: true

  - name: opensearch-root-certs
    mountPath: /usr/share/opensearch/config/root

securityConfig:
  enabled: true
  path: "/usr/share/opensearch/config/opensearch-security"
  actionGroupsSecret:
  configSecret:
  internalUsersSecret: internalusers-secret
  rolesSecret:
  rolesMappingSecret:
  tenantsSecret:

  config:
    securityConfigSecret: ""
    dataComplete: true
    data: {}

ingress:
  enabled: false


@siradjeddine The CN for nodes and the DN cannot be the same.

Also, how did you create the certificates?

Also, I can see you are mapping the root certificate with:

  - name: opensearch-root-certs
    secret:
      secretName: root-ca

But you are not using it in pemtrustedcas_filepath.
