Webhook Error: "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Opensearch Dashboard 2.17.0
Opensearch 2.17…0

Describe the issue:

When attempting to create a custom notification channel utilizing webhooks, I keep getting:

Failed to send webhook message PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Configuration:

Relevant fullchain certificate “full-chain.pem” for the intended target is located in the /etc/opensearch-dashboards directory.

The config is, in relevant part:

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your OpenSearch instance.
opensearch.ssl.certificateAuthorities: 
  - /etc/opensearch-dashboards/full_chain.pem

It is my understanding that this should tell OpenSearch Dashboards to trust the full_chain.pem as a valid root_ca for communicating with the target server. However, the error found above implicitly hints at Opensearch Dash looking for trusted certs in Java.

Any suggestions on what to do?

@04_996_C2 This option is used to trust the communication between OpenSearch Dashboards and OpenSearch nodes. It is not used for any other TLS communication.

The Alerting Monitor doesn’t have the option to trust all certs or ignore cert verification. You’ll need to add this Webhook certificate or its rootCA to the Java keystore.

This has been already reported in GitHub. Check if the workaround provided in the issue solves your problem.

Thank you @pablo; I have OS-Dash running on a server separate from my Opensearch nodes. Would I utilize the Opensearch JDK keystore or create one on the OS-Dash server?

@04_996_C2 This must be on the OpenSearch side.

Okay, thank you. Last question (for now). My setup is 3 management nodes with 4 data nodes. Do I need to add the cert to only 1 data node or to all nodes?

For those that don’t know, it’s all nodes, and all nodes must be restarted.

@04_996_C2 I’m not 100% sure as documentation doesn’t specify that. Definitely start with all data nodes and then try management nodes if that won’t fix the problem. You can follow OpenSearch logs to find which node executes the alert.

Just as an FYI, I added to all nodes, restarted them, and now everything is working as intended. Thank you @pablo!

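The keystore import discussed in this thread, as an added example (not code from any poster or from the OpenSearch project). `keytool -importcert` stores only the first certificate of a multi-certificate PEM as a trusted entry, so the full-chain file is split first; the function names, the alias prefix and the `KEYSTORE_PASS` variable are assumptions, and the keystore path is whichever trust store the JVM running OpenSearch on your nodes actually uses.

```shell
#!/bin/sh
# Added example; function names, alias prefix and KEYSTORE_PASS are assumptions.

# split_pem_chain BUNDLE OUTDIR
# Writes OUTDIR/cert-1.pem, cert-2.pem, ... and prints how many were found.
# Text outside the BEGIN/END markers (subject= lines, comments) is dropped.
split_pem_chain() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# import_chain BUNDLE KEYSTORE ALIAS_PREFIX
# Imports every certificate in BUNDLE as its own trusted entry
# (ALIAS_PREFIX-1, ALIAS_PREFIX-2, ...). Export KEYSTORE_PASS first: the
# password is read with -storepass:env so it stays out of the process list.
import_chain() {
    bundle=$1
    keystore=$2
    prefix=$3
    tmp=$(mktemp -d) || return 1
    count=$(split_pem_chain "$bundle" "$tmp")
    if [ "${count:-0}" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"
        return 1
    fi
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -noprompt \
            -alias "$prefix-$i" -file "$tmp/cert-$i.pem" \
            -keystore "$keystore" -storepass:env KEYSTORE_PASS \
            || { rm -rf "$tmp"; return 1; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Usage (paths are placeholders):
#   export KEYSTORE_PASS
#   import_chain /path/to/full_chain.pem /path/to/jvm/cacerts webhook
```

As the thread concludes, run the import on every OpenSearch node and restart each node afterwards.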