[bug] Data node does not start up successfully after importing custom CA. #19759

Open
mako42 opened this issue Jun 27, 2024 · 1 comment · May be fixed by #19775
mako42 commented Jun 27, 2024

This is the bug Dan experienced and reported in Slack.

Dan used his own Windows CA. He had no issues importing it, but afterwards the data node does not start successfully.

Expected Behavior

Current Behavior

The data node does not start successfully after the CA import; instead, it throws errors:

Index cds_4 migration failed after 0 seconds: GetTaskResponse[completed=true, task=Task[node=jMDF5RCbRSKzHnzcv4i1eA, id=8234, type=transport, action=indices:data/write/reindex, status=TaskStatus[total=0, updated=0, created=0, deleted=0, batches=0, versionConflicts=0, noops=0, failures=null], description=reindex from [scheme=https host=glos01.eclipsenetwork.org port=9200 pathPrefix=/ query={ "match_all" : { "boost" : 1.0 } } username=elastic password=<<>>][cds_4] to [cds_4], startTimeInMillis=1719421000765, runningTimeInNanos=350832478, cancellable=true, cancelled=false, headers={X-Opaque-Id=667c47ce66e1a566a1b983a9}], error=type='s_s_l_handshake_exception', reason='PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target', causedBy='{type=validator_exception, reason=PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, caused_by={type=sun_cert_path_builder_exception, reason=unable to find valid certification path to requested target}}'].

Seems like the certificate is the culprit; there's a certificate_unknown in its output:

2024-06-26T18:02:25.450Z INFO [OpensearchProcessImpl] [2024-06-26T18:02:25,448][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [gldn03.lab.eclipsenetwork.org] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
2024-06-26T18:02:25.450Z INFO [OpensearchProcessImpl] javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
2024-06-26T18:02:25.450Z INFO [OpensearchProcessImpl] at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
2024-06-26T18:02:25.450Z INFO [OpensearchProcessImpl] at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
2024-06-26T18:02:25.450Z INFO [OpensearchProcessImpl] at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:365) ~[?:?]
2024-06-26T18:02:25.450Z INFO [OpensearchProcessImpl] at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:287) ~[?:?]
2024-06-26T18:02:25.451Z INFO [OpensearchProcessImpl] at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204) ~[?:?]
2024-06-26T18:02:25.451Z INFO [OpensearchProcessImpl] at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
2024-06-26T18:02:25.451Z INFO [OpensearchProcessImpl] at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736) ~[?:?]
2024-06-26T18:02:25.451Z INFO [OpensearchProcessImpl] at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691) ~[?:?]
2024-06-26T18:02:25.451Z INFO [OpensearchProcessImpl] at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506) ~[?:?]
2024-06-26T18:02:25.451Z INFO [OpensearchProcessImpl] at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482) ~[?:?]
2024-06-26T18:02:25.451Z INFO [OpensearchProcessImpl] at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679) ~[?:?]
2024-06-26T18:02:25.451Z INFO [OpensearchProcessImpl] at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:310) ~[netty-handler-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.452Z INFO [OpensearchProcessImpl] at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1445) ~[netty-handler-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.452Z INFO [OpensearchProcessImpl] at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338) ~[netty-handler-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.452Z INFO [OpensearchProcessImpl] at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387) ~[netty-handler-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.452Z INFO [OpensearchProcessImpl] at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529) ~[netty-codec-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.452Z INFO [OpensearchProcessImpl] at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468) ~[netty-codec-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.452Z INFO [OpensearchProcessImpl] at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[netty-codec-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.452Z INFO [OpensearchProcessImpl] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.452Z INFO [OpensearchProcessImpl] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.453Z INFO [OpensearchProcessImpl] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.453Z INFO [OpensearchProcessImpl] at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.453Z INFO [OpensearchProcessImpl] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) [netty-transport-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.453Z INFO [OpensearchProcessImpl] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.453Z INFO [OpensearchProcessImpl] at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.453Z INFO [OpensearchProcessImpl] at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.453Z INFO [OpensearchProcessImpl] at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) [netty-transport-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.453Z INFO [OpensearchProcessImpl] at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:689) [netty-transport-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.453Z INFO [OpensearchProcessImpl] at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:652) [netty-transport-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.453Z INFO [OpensearchProcessImpl] at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) [netty-transport-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.454Z INFO [OpensearchProcessImpl] at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) [netty-common-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.454Z INFO [OpensearchProcessImpl] at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.106.Final.jar:4.1.106.Final]
2024-06-26T18:02:25.454Z INFO [OpensearchProcessImpl] at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
2024-06-26T18:02:25.454Z INFO [OpensearchProcessImpl] [2024-06-26T18:02:25,450][WARN ][o.o.h.AbstractHttpServerTransport] [gldn03.lab.eclipsenetwork.org] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/192.168.99.92:9200, remoteAddress=/192.168.1.231:40352}

Possible Solution

Steps to Reproduce (for bugs)

  1. Start migration (remote reindexing)
  2. Upload own CA
  3. Data node won't start up successfully.

Context

Migration testing.

Your Environment

  • Graylog Version: 6.1 alpha 3
  • Java Version:
  • OpenSearch Version:
  • MongoDB Version:
  • Operating System:
  • Browser version:

mako42 added the bug label Jun 27, 2024

mako42 commented Jun 27, 2024

Linking @mcdowellster: for any questions and missing info, ask him and not me :D

todvora self-assigned this Jun 27, 2024
todvora linked a pull request Jun 28, 2024 that will close this issue
9 tasks
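
Added example (not part of the issue or of Graylog's code): a small triage script that separates the two error shapes quoted in the report, since "Received fatal alert" is logged by the side whose certificate the peer refused, while "PKIX path building failed" is raised by the side whose own truststore lacks the issuer. The sample log is constructed; its host names, addresses and index name are placeholders, and `triage` is a hypothetical helper name.

```python
import re

# Constructed sample: host names, addresses and index name are placeholders,
# shaped like the two failures quoted in the issue.
SAMPLE = """\
2024-06-26T18:02:25.450Z INFO [OpensearchProcessImpl] [2024-06-26T18:02:25,448][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-a.example] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
2024-06-26T18:02:25.450Z INFO [OpensearchProcessImpl] javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
2024-06-26T18:02:25.450Z INFO [OpensearchProcessImpl] at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
2024-06-26T18:02:25.454Z INFO [OpensearchProcessImpl] [2024-06-26T18:02:25,450][WARN ][o.o.h.AbstractHttpServerTransport] [node-a.example] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/192.0.2.10:9200, remoteAddress=/192.0.2.20:40352}
Index idx_1 migration failed after 0 seconds: error=type='s_s_l_handshake_exception', reason='PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target'
"""

# Inner OpenSearch record wrapped by the data node: [ts][LEVEL][logger] [node] message
INNER = re.compile(r"\[(?P<ts>[\d\-T:,]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+)\]"
                   r"\s+\[(?P<node>[^\]]+)\]\s+(?P<msg>.*)")
ALERT = re.compile(r"Received fatal alert: (\w+)")
PKIX = re.compile(r"PKIX path building failed")
REMOTE = re.compile(r"remoteAddress=/([\d.]+):\d+")

def triage(text):
    """Return one finding per TLS trust failure, naming the truststore to inspect."""
    findings = []
    for line in text.splitlines():
        m = INNER.search(line)
        msg = m["msg"] if m else line
        node = m["node"] if m else None
        alert = ALERT.search(msg)
        if m and alert:
            # The alert was sent by the peer: it refused the certificate this node
            # presented. Requiring an inner record skips the repeated stack-trace header.
            findings.append({"kind": "peer_rejected_our_cert", "alert": alert[1],
                             "node": node, "peer": None,
                             "check": "peer truststore vs. CA that signed this node's certificate"})
        elif PKIX.search(msg):
            # Raised locally: this JVM could not chain the remote certificate to a root.
            findings.append({"kind": "local_truststore_missing_issuer", "alert": None,
                             "node": node, "peer": None,
                             "check": "local truststore vs. CA that signed the remote certificate"})
        remote = REMOTE.search(msg)
        last = findings[-1] if findings else None
        if remote and last and last["kind"] == "peer_rejected_our_cert" and last["node"] == node:
            last["peer"] = remote[1]  # the connection closed right after the alert
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```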