What CA is used by notifications channels?

SOLVED

Solved the issue after a good deal of trial and error.

The notification channels' outgoing httpclient uses the Java Runtime trust store, and NOT the OpenSearch truststore, for verifying connections.

This is important, as it means you will have to trust your CA with Java's cacerts truststore as well.

This can be done by:

  • Access your container as root, in order to have sufficient privileges: docker exec -u root -it opensearch_container_name bash

  • Read your existing truststore and verify if you already have trust with the CA you’re expecting: keytool -list -keystore "$JAVA_HOME/lib/security/cacerts"

  • Ensure that you have mapped in the CA you wish to add to your list of trusted CAs.

  • Map in the new CA you wish to trust (I use the FQDN as alias here, but do what makes sense; it has to be unique): keytool -import -noprompt -trustcacerts -alias some_alias -file /usr/share/opensearch/some-new-ca.crt -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit
    Here you must use the password for the truststore. Normally it is “changeit”.

  • Finally, verify that the CA has been added: keytool -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit -list | grep some_alias

  • Your mileage might vary, and maybe there is a better way, but for me it required a restart of the container to take effect.

3 Likes
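Wrapping the steps above into one idempotent script, as an added example that is not from the original post: it resolves the cacerts path for both JDK layouts (lib/security on JDK 9+, jre/lib/security on JDK 8 images), checks whether the alias is already present, imports only when it is missing, and verifies the entry afterwards. It assumes JAVA_HOME is set in the container, keytool is on PATH, and the truststore password is the default changeit unless TRUSTSTORE_PASS overrides it; the alias and certificate path are passed as arguments.

```shell
#!/bin/sh
# Added example: idempotent import of a CA into the JVM cacerts truststore
# that the notification channels' HTTP client actually consults.
# Assumptions: JAVA_HOME is set, keytool is on PATH, and the store password
# is "changeit" unless TRUSTSTORE_PASS is exported.
set -eu

# Resolve the JVM truststore path. JDK 9+ keeps cacerts under lib/security;
# JDK 8 images keep it under jre/lib/security.
cacerts_path() {
  home="${JAVA_HOME:-}"
  [ -n "$home" ] || { echo "JAVA_HOME is not set" >&2; return 1; }
  if [ -f "$home/lib/security/cacerts" ]; then
    echo "$home/lib/security/cacerts"
  elif [ -f "$home/jre/lib/security/cacerts" ]; then
    echo "$home/jre/lib/security/cacerts"
  else
    echo "no cacerts found under $home" >&2
    return 1
  fi
}

# Return 0 if an entry with the given alias already exists in the truststore.
# keytool -list -alias exits non-zero when the alias is absent.
ca_trusted() {
  alias="$1"; store="$2"; pass="${3:-changeit}"
  keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null 2>&1
}

# Import the CA only if its alias is absent, then verify the import landed.
import_ca() {
  alias="$1"; certfile="$2"; store="$3"; pass="${4:-changeit}"
  [ -f "$certfile" ] || { echo "certificate $certfile not found" >&2; return 1; }
  if ca_trusted "$alias" "$store" "$pass"; then
    echo "alias '$alias' already present in $store; nothing to do"
    return 0
  fi
  keytool -import -noprompt -trustcacerts -alias "$alias" \
    -file "$certfile" -keystore "$store" -storepass "$pass"
  ca_trusted "$alias" "$store" "$pass" \
    || { echo "import of '$alias' could not be verified" >&2; return 1; }
  echo "imported '$alias' into $store"
}

main() {
  alias="${1:?usage: $0 <alias> <ca.crt>}"
  certfile="${2:?usage: $0 <alias> <ca.crt>}"
  store="$(cacerts_path)"
  import_ca "$alias" "$certfile" "$store" "${TRUSTSTORE_PASS:-changeit}"
  echo "restart the OpenSearch container so the JVM re-reads $store"
}

# Only run main when arguments are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as root inside the container, for example sh add-ca.sh opensearch.example.org /usr/share/opensearch/some-new-ca.crt (the file name and alias are placeholders), then restart the container as the post describes. Keep in mind that a cacerts modified inside a running container is lost when the container is recreated, so for anything beyond a one-off test the import belongs in the image build or the modified cacerts should be mounted in.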