3

The problem is that the OpenID Connect URL I'm trying to reach uses self-signed certs. The plugin securityDashboards doesn't seem to like that:

```
Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1088:34)
    at TLSSocket.emit (events.js:198:13)
    at TLSSocket._finishInit (_tls_wrap.js:666:8)
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' ...
Client request error: unable to verify the first certificate
```

  • Since this seems to be a JavaScript error, my first approach was to point npm to the same keystore that curl also uses and that has no problem with the URL, via `npm config set cafile /etc/ssl/certs/ca-certificates.crt`.
  • After that didn't work, I tried to disable the SSL verification altogether just to see if it works, via `npm config set strict-ssl false`.
  • That failed, so I read the docs about certificate validation and tried to set up `pemtrustedcas_filepath` with the keystore above... didn't work.
  • Then I tried to download the cert and use `pemtrustedcas_content`, but that didn't work either.

Out of options. Thanks for any suggestion!

ss1
  • Hi, did you find a solution for this issue? If yes, you can add that as an answer to your question. – aditya_sharma Nov 24 '22 at 17:35
  • @aditya_sharma No, we ended up using an official cert with a hack. But looking back the solution is probably to use the Node binaries inside `/opensearch-dashboards-2.4.0/node/`. Looks like Dashboards uses its own Node version instead of the one installed on the system. No idea how to configure that. – ss1 Nov 25 '22 at 10:03

1 Answer

1

Setting `opensearch_security.openid.root_ca: /etc/ssl/certs/ca-certificates.crt` in `opensearch_dashboards.yml` worked for me.

domruf
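A check worth running before pointing `opensearch_security.openid.root_ca` at a bundle is whether that bundle actually contains the issuer of the IdP's certificate. The script below is an added example, not part of the original question or answer. It builds a constructed private CA, an unrelated CA and a leaf for the hypothetical host `idp.example.test`, then verifies the leaf against each bundle; all names and file paths in it are assumptions.

```shell
#!/usr/bin/env bash
# Constructed demo PKI; every name and path here is made up for the example.
set -eu

# make_demo_pki DIR: create a private CA (ca.pem), an unrelated CA (other.pem)
# and a leaf for a hypothetical IdP host signed by the private CA (idp.pem).
make_demo_pki() {
  local d=$1 name
  for name in ca other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=constructed $name CA" \
      -keyout "$d/$name.key" -out "$d/$name.pem" 2>/dev/null
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=idp.example.test" \
    -keyout "$d/idp.key" -out "$d/idp.csr" 2>/dev/null
  openssl x509 -req -in "$d/idp.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/idp.pem" 2>/dev/null
}

# chains_to BUNDLE CERT: succeed only if CERT verifies against a CA in BUNDLE.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report BUNDLE CERT: print what a TLS client trusting BUNDLE would decide.
report() {
  if chains_to "$1" "$2"; then
    echo "OK    $1 contains the issuer; usable as root_ca"
  else
    echo "FAIL  $1 lacks the issuer; a client would reject the IdP cert"
  fi
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_pki "$demo_dir"
# A leaf whose issuer is missing from the trust bundle is the case Node
# reports as "unable to verify the first certificate".
report "$demo_dir/other.pem" "$demo_dir/idp.pem"   # bundle without the private CA
report "$demo_dir/ca.pem"    "$demo_dir/idp.pem"   # bundle with the private CA
```

For a real deployment, save the IdP's certificate to a file and call `chains_to` with the bundle path you intend to configure and that file.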