                        "unable to find valid certification path to requested target" [BUG]
Hello
docker image : opensearchproject/opensearch:2.1.0
Description of the problem: I try to send email over TLS with different settings:

1. with truststore:

```
plugins.security.ssl.transport.truststore_type: JKS
plugins.security.ssl.transport.truststore_filepath: truststore.jks
plugins.security.ssl.transport.truststore_password: ******
```

2. with pem file:

```
plugins.security.ssl.transport.pemtrustedcas_filepath: rootca.opensearch.crt
```

but both solutions don't work, I have this behaviour:

```
[2022-09-14T14:53:57,828][INFO ][o.o.n.c.c.DestinationSmtpClient] [opensearch-node3] EmailException javax.mail.MessagingException: Could not convert socket to TLS; nested exception is: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[2022-09-14T14:53:57,829][INFO ][o.o.n.s.SendMessageActionHelper] [opensearch-node3] notifications:sendMessage:statusCode=424, statusText=sendEmail Error, status:Could not convert socket to TLS
[2022-09-14T14:53:57,831][INFO ][o.o.n.s.SendMessageActionHelper] [opensearch-node3] notifications:qr1TO4MBvxi3IJ8cd6sJ:statusCode=424, statusText=sendEmail Error, status:Could not convert socket to TLS
[2022-09-14T14:53:57,835][WARN ][o.o.n.a.PluginBaseAction ] [opensearch-node3] notifications:OpenSearchStatusException: org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"qx0nPIMBdfwF3IWSlyUN","config_type":"email","config_name":"test","email_recipient_status":[{"recipient":"[email protected]","delivery_status":{"status_code":"424","status_text":"sendEmail Error, status:Could not convert socket to TLS"}}],"delivery_status":{"status_code":"424","status_text":"sendEmail Error, status:Could not convert socket to TLS"}}]}
    at org.opensearch.notifications.send.SendMessageActionHelper.executeRequest(SendMessageActionHelper.kt:99) ~[?:?]
    at org.opensearch.notifications.send.SendMessageActionHelper$executeRequest$1.invokeSuspend(SendMessageActionHelper.kt) ~[?:?]
    at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33) [kotlin-stdlib-1.6.10.jar:1.6.10-release-923(1.6.10)]
    at kotlinx.coroutines.internal.ScopeCoroutine.afterResume(Scopes.kt:32) [kotlinx-coroutines-core-jvm-1.4.3.jar:?]
    at kotlinx.coroutines.AbstractCoroutine.resumeWith(AbstractCoroutine.kt:113) [kotlinx-coroutines-core-jvm-1.4.3.jar:?]
    at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:46) [kotlin-stdlib-1.6.10.jar:1.6.10-release-923(1.6.10)]
    at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106) [kotlinx-coroutines-core-jvm-1.4.3.jar:?]
    at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:571) [kotlinx-coroutines-core-jvm-1.4.3.jar:?]
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750) [kotlinx-coroutines-core-jvm-1.4.3.jar:?]
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:678) [kotlinx-coroutines-core-jvm-1.4.3.jar:?]
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:665) [kotlinx-coroutines-core-jvm-1.4.3.jar:?]
[2022-09-14T14:53:57,837][ERROR][o.o.n.a.SendTestNotificationAction] [opensearch-node3] notifications:SendTestNotificationAction-send Error:OpenSearchStatusException[{"event_status_list": [{"config_id":"qx0nPIMBdfwF3IWSlyUN","config_type":"email","config_name":"test","email_recipient_status":[{"recipient":"[email protected]","delivery_status":{"status_code":"424","status_text":"sendEmail Error, status:Could not convert socket to TLS"}}],"delivery_status":{"status_code":"424","status_text":"sendEmail Error, status:Could not convert socket to TLS"}}]}]
```
thanks for your help
Looks like the problem occurred during sending email using https://github.com/opensearch-project/notifications plugin.
Found one forum discussion around this problem, but there was no clear solution: https://forum.opensearch.org/t/using-email-for-alerting-but-getting-an-error/4177/5
It’s hard to tell for certain from just the log entry but it’s possible there is a configuration issue unrelated to Alerting that is preventing you from making the connection to the SMTP host. A couple possibilities I can think of:
- SSL certificate trust issue
- Application not supporting TLS version being used by SMTP host
  - Ex. application using TLSv1.1 and SMTP host is using TLSv1.2 without fallback
  - For Alerting 1.13.1.0 we’re using javax.mail:1.6.2 which supports TLSv1.2
- Anti-virus programs or firewall preventing you from connecting to SMTP port 529
Hello,
thanks for your reply
here is my workaround:
add pem files to cacerts during the image's build:

```dockerfile
# Import each CA certificate into the bundled JDK's default trust store
WORKDIR /usr/share/opensearch/jdk/lib/security/
RUN keytool -import -trustcacerts -alias XXX -file XXX.pem -keystore cacerts -storepass changeit -noprompt
RUN keytool -import -trustcacerts -alias XXX -file XXX.pem -keystore cacerts -storepass changeit -noprompt
```
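Added example, not part of the original thread: the workaround above fixes the error by adding the CA to the JDK's cacerts store, which only helps if the imported PEM is really the issuer of the SMTP server's certificate. The script below checks that with openssl on a constructed CA and server certificate; all file names and subject names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl is installed;
# every file name and subject below is constructed for the demo.

# verify_chain CA_PEM SERVER_PEM
# Exit 0 when openssl can build a certification path from SERVER_PEM to a
# trust anchor in CA_PEM (openssl's default CA directory is also consulted).
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_test_pki DIR
# Create a constructed root CA, a server certificate it signs, and an
# unrelated CA, so both outcomes can be exercised offline.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=smtp.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
}

# check_ca CA_PEM SERVER_PEM: print a verdict and return verify_chain's status
check_ca() {
    if verify_chain "$1" "$2"; then
        echo "OK: $1 anchors $2; worth importing with keytool"
        return 0
    fi
    echo "FAIL: $1 does not anchor $2; importing it will not fix the PKIX error"
    return 1
}

# Demo run on the constructed PKI: the issuing CA passes, the unrelated one fails
demo() {
    tmp=$(mktemp -d) && make_test_pki "$tmp" || return 2
    check_ca "$tmp/ca.pem" "$tmp/srv.pem"; right=$?
    check_ca "$tmp/other.pem" "$tmp/srv.pem"; wrong=$?
    rm -rf "$tmp"
    [ "$right" -eq 0 ] && [ "$wrong" -ne 0 ]
}
demo
```

On a real deployment, SERVER_PEM is the certificate the SMTP host presents, which `openssl s_client -starttls smtp -connect HOST:PORT -showcerts` prints; HOST and PORT are placeholders.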