Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.15
Describe the issue:
Hello. OpenSearch 2.15 3-node Docker cluster. I want to send an email notification using an SMTP server with a self-signed certificate (corporate CA). I created an SMTP sender, SSL/TLS, port 587. Added credentials:
/usr/share/opensearch/bin/opensearch-keystore add opensearch.notifications.core.email.corpsmtp.username (same with .password).
Got an error with the SSL/TLS handshake. Added corp ca.crt and intermediate_ca.crt to the keystore:
keytool -import -noprompt -trustcacerts -alias rwl_ca -file ca.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit (same for intermediate_ca.crt). All these steps were performed on all 3 nodes. Then stop the containers, start. Getting a 503 error:
{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: smtp.rwlk.cz, 587; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: smtp.rwlk.cz, 587; timeout -1"}}]}
For test purposes, I activated unsecured SMTP on port 25 (though auth is required anyway). The same error.
Also, I am able to send notification emails using public SMTP servers, no problems. Also, from the server OpenSearch is running on, I am able to send emails with my corporate SMTP without problems just using a simple Python script with smtplib. I disable the hostname check with context.check_hostname = False and disable validation with context.verify_mode = ssl.CERT_NONE.
Questions:
- Why am I getting 503 even after I added the custom CA and intermediate CA to the keystore? Any specific way to do this?
- Is there a way to disable SMTP SSL certificate validation for such cases when we intend to use a self-signed CA?
- Why doesn't it work, and why am I getting an error, even when I configured the sender as non-encrypted with port 25?
Thank you
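An added example, not part of the original post and not OpenSearch code: a Python probe to run from the same host or container network as the OpenSearch nodes, with certificate validation left on, so that a TCP connect failure (the "Couldn't connect to host" case) can be told apart from a trust failure against the corporate CA. The function names and the PEM bundle argument are assumptions; the bundle is assumed to hold ca.crt and intermediate_ca.crt concatenated.

```python
import smtplib
import ssl
import sys


def build_context(cafile=None):
    """TLS context with validation left ON (CERT_REQUIRED + hostname check).

    cafile: PEM bundle of the corporate root + intermediate (assumed path);
    None falls back to the system trust store.
    """
    return ssl.create_default_context(cafile=cafile)


def classify(exc):
    """Map an exception to the stage that failed (most specific first)."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-untrusted"        # chain or hostname rejected
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failed"  # protocol/cipher mismatch, etc.
    if isinstance(exc, smtplib.SMTPException):
        return "smtp-protocol-error"   # server answered, but not as expected
    if isinstance(exc, OSError):
        return "tcp-connect-failed"    # DNS, routing, firewall, timeout
    raise exc


def probe(host, port=587, cafile=None, timeout=10):
    """Connect, upgrade with STARTTLS, and report which stage failed."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return "no-starttls-offered"
            smtp.starttls(context=build_context(cafile))
            smtp.ehlo()
            return "ok"
    except Exception as exc:
        return classify(exc)


if __name__ == "__main__":
    # usage: python smtp_probe.py <host> <port> [corp-ca-bundle.pem]
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe(host, port, cafile))
```

A result of "tcp-connect-failed" means the connection never reached the TLS stage, so the contents of the trust store are not yet being exercised.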