[BUG] Received fatal alert: certificate_unknown #544

Open
sfisli opened this issue May 21, 2024 · 1 comment
Labels
bug Something isn't working

Comments

sfisli commented May 21, 2024

Describe the bug

Hello,
I am configuring OpenSearch to use a Let's Encrypt certificate. Everything was working fine, but today I did a helm delete/install, and I got this issue:

```
[2024-05-21T10:08:17,407][WARN ][o.o.h.AbstractHttpServerTransport] [opensearch-cluster-master-0] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:34368} io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
```

configurations:

```yaml
opensearch.yml: |
    cluster.name: opensearch-cluster

    # Bind to all interfaces because we don't know what IP address Docker will assign to us.
    network.host: 0.0.0.0

    # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
    # Implicitly done if ".singleNode" is set to "true".
    # discovery.type: single-node

    # Start OpenSearch Security Demo Configuration
    # WARNING: revise all the lines below before you go into production
    plugins:
      security:
        nodes_dn:
            - 'CN=opensearch.lab.mycompany.eu'
        ssl:
          transport:
            pemcert_filepath: certs/tls.crt
            pemkey_filepath: certs/tls.key
            pemtrustedcas_filepath: certs/tls.crt
            enforce_hostname_verification: false
          http:
            enabled: true
            pemcert_filepath: certs/tls.crt
            pemkey_filepath: certs/tls.key
            pemtrustedcas_filepath: certs/tls.crt
        allow_unsafe_democertificates: true
        allow_default_init_securityindex: true
        authcz:
          admin_dn:
            - 'CN=opensearch.lab.mycompany.eu'
        audit.type: internal_opensearch
        enable_snapshot_restore_privilege: true
        check_snapshot_restore_write_privileges: true
        restapi:
          roles_enabled: ["all_access", "security_rest_api_access"]
        system_indices:
          enabled: true
          indices:
            [
              ".opendistro-alerting-config",
              ".opendistro-alerting-alert*",
              ".opendistro-anomaly-results*",
              ".opendistro-anomaly-detector*",
              ".opendistro-anomaly-checkpoints",
              ".opendistro-anomaly-detection-state",
              ".opendistro-reports-*",
              ".opendistro-notifications-*",
              ".opendistro-notebooks",
              ".opendistro-asynchronous-search-response*",
            ]
    ######## End OpenSearch Security Demo Configuration ########

extraEnvs:
  - name: DISABLE_INSTALL_DEMO_CONFIG
    value: "true"

extraVolumes:
  - name: opensearch-certs
    secret:
      secretName: tls-for-opensearch

  - name: opensearch-root-certs
    secret:
      secretName: root-ca

extraVolumeMounts:
  - name: opensearch-certs
    mountPath: /usr/share/opensearch/config/certs
    readOnly: true

  - name: opensearch-root-certs
    mountPath: /usr/share/opensearch/config/root

securityConfig:
  enabled: true
  internalUsersSecret: internalusers-secret
```

Related component

Plugins

Expected behavior

OpenSearch up with Let's Encrypt certificate

sfisli added the bug and untriaged labels May 21, 2024
dblock transferred this issue from opensearch-project/OpenSearch May 21, 2024
gaiksaya transferred this issue from opensearch-project/opensearch-devops May 21, 2024
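
One way to check the PEM files the configuration above mounts, as an added example that is not part of the original issue or the project's code: it prints the subject in the RFC 2253 form that `admin_dn` and `nodes_dn` use, checks expiry, and verifies the leaf against whichever file is passed as the CA bundle. The function names are hypothetical and OpenSSL 1.1.0 or later is assumed.

```bash
#!/bin/sh
# Added example, not from the issue: inspect the PEM files that
# pemcert_filepath and pemtrustedcas_filepath point at.
# Function names are hypothetical; assumes OpenSSL 1.1.0 or later.

# Number of certificates in a PEM file (1 means leaf only, no intermediates).
cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject of the first certificate in RFC 2253 form, the form in which
# admin_dn and nodes_dn entries are written.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeeds while the first certificate has not passed its notAfter date.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Succeeds if the leaf in $1 chains to a trust anchor in $2. Extra
# certificates in $1 serve as untrusted intermediates; -no-CApath keeps the
# system trust directory out of the decision.
chain_verifies() {
  openssl verify -no-CApath -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Run all checks; the return value is the number of failed checks.
# $1 = certificate file, $2 = CA bundle, $3 = expected subject DN
check_tls_files() {
  _fails=0
  echo "certificates in $1: $(cert_count "$1")"
  _subject=$(cert_subject "$1")
  [ "$_subject" = "$3" ] || { echo "subject is '$_subject', expected '$3'"; _fails=$((_fails + 1)); }
  cert_not_expired "$1" || { echo "certificate has expired"; _fails=$((_fails + 1)); }
  chain_verifies "$1" "$2" || { echo "leaf does not chain to an anchor in $2"; _fails=$((_fails + 1)); }
  return "$_fails"
}

# Usage: sh check.sh <cert.pem> <ca-bundle.pem> '<expected subject DN>'
if [ "$#" -eq 3 ]; then
  check_tls_files "$@"
fi
```
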
@gaiksaya
Member

Hi @sfisli,

Did you go through the forum posts for related failure queries?
https://forum.opensearch.org/search?q=Received%20fatal%20alert%3A%20certificate_unknown%20order%3Alatest

gaiksaya removed the untriaged label May 21, 2024
getsaurabh02 moved this from 🆕 New to Later (6 months plus) in Engineering Effectiveness Board Jul 18, 2024