Not able to RUN update-ca-certificates

Pankaj_Agarwal · October 10, 2024, 6:48am

Hi, I am facing an error while installing the S3 plugin. It's giving an error for the certificate chain while downloading the S3 zip because I have Zscaler installed on my laptop, and the certificate chain is breaking for HTTPS calls.

here is my docker-compose file

services:
  elastic:
    build: ./docker/elastic
    ports:
      - "9200:9200"    
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    environment:
      discovery.type: "single-node"
      xpack.security.enabled: "false"
      ES_JAVA_OPTS: "-Xms512m -Xmx512m -Des.allow_insecure_settings=true"
      s3.client.default.protocol: "http"
      s3.client.default.endpoint: "10.0.128.2:9100"
    networks:
	- static-network

here is my docker file

FROM docker.elastic.co/elasticsearch/elasticsearch:7.10.0
RUN bin/elasticsearch-plugin install repository-s3 --batch 
RUN bin/elasticsearch-keystore create 
RUN echo easykey | elasticsearch-keystore add --stdin s3.client.default.access_key
RUN echo easysecret | elasticsearch-keystore add --stdin s3.client.default.secret_key
RUN elasticsearch-keystore list

here is the error

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
	at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)

I tried to install the Zscaler certificate to the elastic image but could not run the command to update the certificate. The same command I am using for my other services that are internally calling HTTPS endpoint and was giving the certificate errors before and the error got resolved

here is my docker-compose file

services:
  elastic:
    build: ./docker/elastic
    ports:
      - "9200:9200"    
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    environment:
      discovery.type: "single-node"
      xpack.security.enabled: "false"
      ES_JAVA_OPTS: "-Xms512m -Xmx512m -Des.allow_insecure_settings=true"
      s3.client.default.protocol: "http"
      s3.client.default.endpoint: "10.0.128.2:9100"
    volumes:
      - ~/.docker/zscaler-cert.cer:/usr/share/elasticsearch/config/certificates/zscaler-cert.cer
    networks:

here is my docker file

FROM docker.elastic.co/elasticsearch/elasticsearch:7.10.0

## Update the CA certificates
USER root
RUN update-ca-certificates

RUN bin/elasticsearch-plugin install repository-s3 --batch 
RUN bin/elasticsearch-keystore create 
RUN echo easykey | elasticsearch-keystore add --stdin s3.client.default.access_key
RUN echo easysecret | elasticsearch-keystore add --stdin s3.client.default.secret_key
RUN elasticsearch-keystore list

nfeekery · October 15, 2024, 3:07pm

From Elastic Search to Elasticsearch

Pankaj_Agarwal · October 19, 2024, 11:05am

Team, Any update on this