Problem:

Our customer, running OpenSearch (1 node) with SSL in their production environment, faced challenges while adding a new node to ensure high availability. When our application (Actone) was pointed at the new node on its own, indexing and searching worked as expected. However, integrating both nodes simultaneously resulted in the following error on the OpenSearch side:

javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

This issue persisted despite implementing updated YML configuration files.

Process:

Investigation: Upon receiving customer feedback and examining YML files and logs from both nodes (smbcna and smbcbr), our team analyzed the SSL configuration discrepancies causing the handshake failure.

Identifying Issues: The analysis revealed several misconfigurations, which required the following corrections:

      • Uncommenting node.master: true in Node_1_opensearch.yml.
      • Ensuring discovery.seed_hosts consistency across both nodes.
      • Correcting SSL setting paths to be relative in Node_2_opensearch.yml:

        plugins.security.ssl.transport.keystore_filepath: /opt/actimize/opensearch/server.jks.keystore -> plugins.security.ssl.transport.keystore_filepath: server.jks.keystore

        plugins.security.ssl.transport.truststore_filepath: /opt/actimize/opensearch/server.jks.truststore -> plugins.security.ssl.transport.truststore_filepath: server.jks.truststore

        plugins.security.ssl.http.keystore_filepath: /opt/actimize/opensearch/server.jks.keystore -> plugins.security.ssl.http.keystore_filepath: server.jks.keystore

        plugins.security.ssl.http.truststore_filepath: /opt/actimize/opensearch/server.jks.truststore -> plugins.security.ssl.http.truststore_filepath: server.jks.truststore

      • Removing full paths from the keystore and truststore file settings, and removing white spaces from the DN configurations on lines 106 and 177:

        CN=kirk,OU=client,O=client,L=test, C=de -> CN=kirk,OU=client,O=client,L=test,C=de

Solution:

Configuration Fixes: Updated the YML files to resolve the misconfigurations identified:

      • Uncommented node.master: true and aligned discovery.seed_hosts across configurations.
      • Adjusted SSL settings to use relative paths and corrected keystore/truststore file paths.
      • Ensured DN configurations had no white spaces, following best practices for SSL configuration.

Implementation: After making the necessary changes, our expert shared cleaned-up configuration files with the client for deployment.
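
The corrections listed above can be checked mechanically before a node is added to the cluster. The Python lint below is an added example, not part of the original case or the customer's configuration files. The sample YML text and hostnames are constructed, and placing the DN under plugins.security.authcz.admin_dn is an assumption, since the write-up does not name the setting on lines 106 and 177.

```python
import re

# Constructed sample configs (not the customer's files); hostnames are placeholders.
NODE_1 = """\
#node.master: true
discovery.seed_hosts: ["node1.example", "node2.example"]
plugins.security.ssl.transport.keystore_filepath: server.jks.keystore
plugins.security.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,L=test, C=de"
"""
NODE_2 = """\
node.master: true
discovery.seed_hosts: ["node1.example"]
plugins.security.ssl.transport.keystore_filepath: /opt/actimize/opensearch/server.jks.keystore
plugins.security.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,L=test,C=de"
"""

def seed_hosts(text):
    """discovery.seed_hosts as a set; accepts inline [a, b] and '- a' block lists."""
    m = re.search(r"^discovery\.seed_hosts:(.*(?:\n\s*-\s.*)*)", text, re.M)
    return set(re.findall(r"[\w.:-]*\w", m.group(1))) if m else set()

def lint(name, text):
    """Per-file findings for the misconfigurations listed in this write-up."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if re.match(r"#\s*node\.master\s*:", s):
            out.append(f"{name}:{n}: node.master is commented out")
        if s.startswith("#"):
            continue  # ignore other comments
        m = re.match(r"plugins\.security\.ssl\.\w+\.(?:key|trust)store_filepath:\s*(\S+)", s)
        if m and m.group(1).strip("\"'").startswith("/"):
            out.append(f"{name}:{n}: absolute store path {m.group(1)}")
        if "CN=" in s and re.search(r",\s+\w+=", s):
            out.append(f"{name}:{n}: whitespace inside DN")
    return out

def lint_cluster(configs):
    """configs maps node name -> opensearch.yml text; adds the cross-node check."""
    out = [f for name, text in configs.items() for f in lint(name, text)]
    if len({frozenset(seed_hosts(t)) for t in configs.values()}) > 1:
        out.append("discovery.seed_hosts differs between nodes")
    return out

if __name__ == "__main__":
    for finding in lint_cluster({"node1": NODE_1, "node2": NODE_2}):
        print(finding)
```

Running the lint against every node's file together, rather than one file at a time, is what surfaces the discovery.seed_hosts mismatch, which no single-file check can see.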

Conclusion:

By addressing the identified SSL configuration issues and implementing corrective measures in the OpenSearch deployment, our team successfully resolved the SSLHandshakeException error. The updated configurations ensured seamless integration of the new node while maintaining secure communication across the cluster. This case underscores the importance of meticulous configuration management and proactive troubleshooting in maintaining robust and secure production environments.