Securityadmin.sh unable to find valid certification path to requested target error

DanilaCigan · October 26, 2023, 11:59am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.8.0

Describe the issue:
Hello,when i’m trying to execute securityadmin.sh with command

./securityadmin.sh -f /home/user/Documents/opensearch-2.8.0/config/opensearch-security/config.yml -icl -nhnv -cert /home/user/Documents/opensearch-2.8.0/config/admin.pem -cacert  /home/user/Documents/opensearch-2.8.0/config/root-ca.pem -key /home/user/Documents/opensearch-2.8.0/config/admin-key.pem -t config

i ger the following error

ERR: An unexpected SSLHandshakeException occured: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
See https://opensearch.org/docs/latest/clients/java-rest-high-level/ for troubleshooting.
Trace:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
See https://opensearch.org/docs/latest/clients/java-rest-high-level/ for troubleshooting.
	at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:947)
	at org.opensearch.client.RestClient.performRequest(RestClient.java:332)
	at org.opensearch.client.RestClient.performRequest(RestClient.java:320)
	at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:465)

Certificates were generated with following command:

openssl genrsa -out root-ca-key.pem 2048
openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ROOT" -out root-ca.pem -days 730
# Admin cert
openssl genrsa -out admin-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
openssl req -new -key admin-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ADMIN" -out admin.csr
openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730
# Node cert 1
openssl genrsa -out node1-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem
openssl req -new -key node1-key.pem -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1.example.com" -out node1.csr
openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730

Configuration:
opensearch.yml

plugins.security.disabled: false
plugins.security.ssl.transport.pemcert_filepath: /home/user/Documents/opensearch-2.8.0/config/node1.pem
plugins.security.ssl.transport.pemkey_filepath: /home/user/Documents/opensearch-2.8.0/config/node1-key.pem
plugins.security.ssl.transport.pemkey_password: altar123
plugins.security.ssl.transport.pemtrustedcas_filepath: /home/user/Documents/opensearch-2.8.0/config/root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /home/user/Documents/opensearch-2.8.0/config/node1.pem
plugins.security.ssl.http.pemkey_filepath: /home/user/Documents/opensearch-2.8.0/config/node1-key.pem

plugins.security.ssl.http.pemtrustedcas_filepath: /home/user/Documents/opensearch-2.8.0/config/root-ca.pem
plugins.security.authcz.admin_dn:
  - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'

config.yml

      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "usuxqaUmbbe0VqN+Q90KCk5sXHCfEVookMRyEXAMPLE="
            jwt_header: "Authorization"
            jwt_url_parameter: null
            jwt_clock_skew_tolerance_seconds: 30
            roles_key: roles
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop

Eugene7 · October 27, 2023, 10:49am

Hi!

Have you read the topic below?

DanilaCigan · November 1, 2023, 2:23pm

Docker was the reason of my problems; i didn’t add certificates to the docker trusted certs…

Topic		Replies	Views
Error while executing securityadmin.sh in OS 1.2.4 Security security-issue	19	794	October 26, 2023
ERR: An unexpected SSLHandshakeException occured: PKIX path building failed: Security	9	2182	April 10, 2023
Opensearch security plugin enable error with securityadmin.sh Security	21	907	February 9, 2024
Opensearch security plugin with certificate chain Security	10	1616	June 12, 2024
Securityadmin.sh not working due to admin certificate issue Security	4	36	November 5, 2024

Securityadmin.sh unable to find valid certification path to requested target error

Related topics