opensearch-project / helm-charts

A community repository for Helm Charts of OpenSearch Project.
https://opensearch.org/docs/latest/opensearch/install/helm/
Apache License 2.0

[BUG] Received fatal alert: certificate_unknown #544

Open sfisli opened 5 months ago

sfisli commented 5 months ago

Describe the bug

Hello, I am configuring OpenSearch to use a Let's Encrypt certificate. Everything was working fine, but today I did a helm delete/install and I got this issue:

```
[2024-05-21T10:08:17,407][WARN ][o.o.h.AbstractHttpServerTransport] [opensearch-cluster-master-0] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:34368}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
```

configurations:

```
opensearch.yml: |
    cluster.name: opensearch-cluster

    # Bind to all interfaces because we don't know what IP address Docker will assign to us.
    network.host: 0.0.0.0

    # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
    # Implicitly done if ".singleNode" is set to "true".
    # discovery.type: single-node

    # Start OpenSearch Security Demo Configuration
    # WARNING: revise all the lines below before you go into production
    plugins:
      security:
        nodes_dn:
            - 'CN=opensearch.lab.mycompany.eu'
        ssl:
          transport:
            pemcert_filepath: certs/tls.crt
            pemkey_filepath: certs/tls.key
            pemtrustedcas_filepath: certs/tls.crt
            enforce_hostname_verification: false
          http:
            enabled: true
            pemcert_filepath: certs/tls.crt
            pemkey_filepath: certs/tls.key
            pemtrustedcas_filepath: certs/tls.crt
        allow_unsafe_democertificates: true
        allow_default_init_securityindex: true
        authcz:
          admin_dn:
            - 'CN=opensearch.lab.mycompany.eu'
        audit.type: internal_opensearch
        enable_snapshot_restore_privilege: true
        check_snapshot_restore_write_privileges: true
        restapi:
          roles_enabled: ["all_access", "security_rest_api_access"]
        system_indices:
          enabled: true
          indices:
            [
              ".opendistro-alerting-config",
              ".opendistro-alerting-alert*",
              ".opendistro-anomaly-results*",
              ".opendistro-anomaly-detector*",
              ".opendistro-anomaly-checkpoints",
              ".opendistro-anomaly-detection-state",
              ".opendistro-reports-*",
              ".opendistro-notifications-*",
              ".opendistro-notebooks",
              ".opendistro-asynchronous-search-response*",
            ]
    ######## End OpenSearch Security Demo Configuration ########
extraEnvs:
  - name: DISABLE_INSTALL_DEMO_CONFIG
    value: "true"

extraVolumes:
  - name: opensearch-certs
    secret:
      secretName: tls-for-opensearch

  - name: opensearch-root-certs
    secret:
      secretName: root-ca

extraVolumeMounts:
  - name: opensearch-certs
    mountPath: /usr/share/opensearch/config/certs
    readOnly: true

  - name: opensearch-root-certs
    mountPath: /usr/share/opensearch/config/root

securityConfig:
  enabled: true
  internalUsersSecret: internalusers-secret
```

Related component

Plugins

Expected behavior

OpenSearch up with Let's Encrypt certificate

gaiksaya commented 5 months ago

Hi @sfisli,

Did you go through the forum posts for related failure queries? https://forum.opensearch.org/search?q=Received%20fatal%20alert%3A%20certificate_unknown%20order%3Alatest