Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.19.1 / Plug-in repository-S3 2.19.1
Describe the issue:
When I use an S3 endpoint with a public CA, the snapshot works fine. When I use an S3 endpoint with a custom CA, the snapshot activity doesn't work.
What is the problem? Can anyone help me?
Configuration:
keytool -importcert -trustcacerts -alias listca -file /usr/share/opensearch/config/root-ca/ca-certificates.crt -keystore
Command env in the pod:
OPENSEARCH_JAVA_OPTS=-Dopensearch.allow_insecure_settings=true -Djavax.net.ssl.trustStore=/usr/share/opensearch/config/opensearch.jks -Djavax.net.ssl.trustStorePassword=changeit -Dopensearch.transport.cname_in_publish_address=true
I put the: "/usr/share/opensearch/bin/opensearch-keystore add --stdin s3.client.default.access_key" & "/usr/share/opensearch/bin/opensearch-keystore add --stdin s3.client.default.secret_key"
Relevant Logs or Screenshots:
curl -s $opt_cert -u "$OPENSEARCH_LOGIN_ADMIN:$OPENSEARCH_PASSWORD_ADMIN" -X PUT "https://opensearch-coordinators.opensearch.svc.cluster.local:9200/_snapshot/global" -H "Content-Type: application/json" -d '{ "type": "s3", "settings": {"bucket": "'$OPENSEARCH_BACKUP_BUCKET'","region": "default", "base_path": "'$BUCKET_PATH'", "endpoint": "'$OPENSEARCH_BACKUP_BUCKET_ENDPOINT'", "access_key": "'$OPENSEARCH_BACKUP_BUCKET_KEY'", "secret_key": "'$OPENSEARCH_BACKUP_BUCKET_SECRET'", "disable_ssl_verification": "true", "path_style_access": "true"}}'
The result is:
{"error":{"root_cause":[{"type":"repository_verification_exception","reason":"[global] path [global/global_25-05-27_182107] is not accessible on cluster-manager node"}],"type":"repository_verification_exception","reason":"[global] path [global/global_25-05-27_182107] is not accessible on cluster-manager node","caused_by":{"type":"i_o_exception","reason":"Unable to upload object [global/global_25-05-27_182107/tests-4K2nU3mxQMOLHPUkAR6iMg/master.dat] using a single upload","caused_by":{"type":"sdk_client_exception","reason":"sdk_client_exception: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","caused_by":{"type":"i_o_exception","reason":"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","caused_by":{"type":"validator_exception","reason":"validator_exception: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","caused_by":{"type":"sun_cert_path_builder_exception","reason":"sun_cert_path_builder_exception: unable to find valid certification path to requested target"}}},"suppressed":[{"type":"sdk_client_exception","reason":"sdk_client_exception: Request attempt 1 failure: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"},{"type":"sdk_client_exception","reason":"sdk_client_exception: Request attempt 2 failure: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"},{"type":"sdk_client_exception","reason":"sdk_client_exception: Request attempt 3 failure: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}]}}},"status":500}
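
One thing to rule out for the PKIX error above, as an added example that is not part of the original post: `keytool -importcert` stores only the first certificate of a multi-certificate PEM file under the given alias, so a bundle imported under a single alias leaves the remaining CAs out of the truststore. The function names are hypothetical, and it is an assumption that ca-certificates.crt holds more than one certificate.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the CA file is a PEM bundle with several certificates.

# Count the certificates contained in a PEM file.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split a PEM bundle into one file per certificate: <outdir>/ca-N.pem.
# Text outside BEGIN/END markers (comments, blank lines) is skipped.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
}

# Import every certificate of the bundle under its own alias (needs keytool),
# then print how many trusted entries the keystore holds. On a keystore that
# started empty, that number should equal count_pem_certs for the bundle.
import_bundle() {
    bundle=$1; keystore=$2; storepass=$3
    tmp=$(mktemp -d) || return 1
    split_pem_bundle "$bundle" "$tmp"
    for pem in "$tmp"/ca-*.pem; do
        alias=$(basename "$pem" .pem)
        keytool -importcert -noprompt -trustcacerts -alias "$alias" \
            -file "$pem" -keystore "$keystore" -storepass "$storepass" || return 1
    done
    rm -rf "$tmp"
    keytool -list -keystore "$keystore" -storepass "$storepass" | grep -c trustedCertEntry
}
```

If `count_pem_certs` reports more than one certificate for the file passed to `keytool`, compare that number with the `trustedCertEntry` count of the keystore the JVM is pointed at.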