Hi, I am facing an error while installing the S3 plugin. It's giving an error for the certificate chain while downloading the S3 zip because I have Zscaler installed on my laptop, and the certificate chain is breaking for HTTPS calls.
here is my docker-compose file
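# Compose definition for a single-node Elasticsearch built from
# ./docker/elastic. Nesting is restored here: the pasted text had lost its
# indentation, which made soft/hard duplicate keys in one flat mapping.
services:
  elastic:
    build: ./docker/elastic
    ports:
      # NOTE(review): a mapping without a host IP publishes the port on every
      # host interface; with xpack security disabled below, consider
      # "127.0.0.1:9200:9200" unless other machines must reach this node.
      - "9200:9200"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    environment:
      discovery.type: "single-node"
      # Turns off the Elasticsearch security features (authentication and
      # authorization on the API); suitable only for a local development node.
      xpack.security.enabled: "false"
      # NOTE(review): es.allow_insecure_settings relaxes checks on settings
      # Elasticsearch treats as insecure - confirm it is still needed, since
      # the S3 credentials are stored in the keystore by the Dockerfile.
      ES_JAVA_OPTS: "-Xms512m -Xmx512m -Des.allow_insecure_settings=true"
      # Plain HTTP to the S3 endpoint: requests and object data are not
      # encrypted in transit, so keep this to a trusted local network.
      s3.client.default.protocol: "http"
      s3.client.default.endpoint: "10.0.128.2:9100"
    networks:
      # NOTE(review): the top-level definition of static-network is not shown
      # in the paste - confirm it exists in the full file.
      - static-network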
here is my docker file
# Base image: Elasticsearch 7.10.0 from Elastic's registry.
FROM docker.elastic.co/elasticsearch/elasticsearch:7.10.0

# Install the S3 repository plugin without prompts. The plugin archive is
# fetched over HTTPS while the image is being built, so the certificate chain
# must validate inside the build environment at this step.
RUN bin/elasticsearch-plugin install repository-s3 --batch

# Create the keystore, store the S3 client credentials, then list the stored
# setting names.
# NOTE(review): the literal values are recorded in the image history as part
# of this RUN instruction - use throwaway credentials only.
RUN bin/elasticsearch-keystore create \
 && echo easykey | elasticsearch-keystore add --stdin s3.client.default.access_key \
 && echo easysecret | elasticsearch-keystore add --stdin s3.client.default.secret_key \
 && elasticsearch-keystore list
here is the error
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
I tried to install the Zscaler certificate into the elastic image, but I could not run the command that updates the certificates. I use the same command for my other services, which call HTTPS endpoints internally; they were giving certificate errors before, and that command resolved them.
here is my docker-compose file
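# Compose definition for a single-node Elasticsearch built from
# ./docker/elastic. Nesting is restored here: the pasted text had lost its
# indentation, which made soft/hard duplicate keys in one flat mapping.
services:
  elastic:
    build: ./docker/elastic
    ports:
      # NOTE(review): a mapping without a host IP publishes the port on every
      # host interface; with xpack security disabled below, consider
      # "127.0.0.1:9200:9200" unless other machines must reach this node.
      - "9200:9200"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    environment:
      discovery.type: "single-node"
      # Turns off the Elasticsearch security features (authentication and
      # authorization on the API); suitable only for a local development node.
      xpack.security.enabled: "false"
      # NOTE(review): es.allow_insecure_settings relaxes checks on settings
      # Elasticsearch treats as insecure - confirm it is still needed, since
      # the S3 credentials are stored in the keystore by the Dockerfile.
      ES_JAVA_OPTS: "-Xms512m -Xmx512m -Des.allow_insecure_settings=true"
      # Plain HTTP to the S3 endpoint: requests and object data are not
      # encrypted in transit, so keep this to a trusted local network.
      s3.client.default.protocol: "http"
      s3.client.default.endpoint: "10.0.128.2:9100"
    volumes:
      # A volume is attached only when the container starts. It is not
      # visible to RUN steps during `docker build`, so this mount cannot make
      # the build-time plugin download trust the Zscaler CA; the certificate
      # has to be copied into the image in the Dockerfile instead.
      - '~/.docker/zscaler-cert.cer:/usr/share/elasticsearch/config/certificates/zscaler-cert.cer'
    networks:
      # NOTE(review): the list under networks was cut off in the paste, and a
      # bare `networks:` parses as null; static-network is assumed from the
      # earlier listing - confirm.
      - static-network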
here is my docker file
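FROM docker.elastic.co/elasticsearch/elasticsearch:7.10.0

## Trust the intercepting proxy's root CA before anything is downloaded.
# The plugin archive is fetched during `docker build`, so the CA must be in
# the image's trust store before the install step. A compose `volumes:` mount
# is attached only at container start and is not visible to RUN instructions.
USER root
# zscaler-cert.cer must be placed in the build context (./docker/elastic in
# the compose file) for this COPY to find it.
COPY zscaler-cert.cer /etc/pki/ca-trust/source/anchors/zscaler-cert.cer
# NOTE(review): update-ca-certificates is the Debian/Ubuntu tool; this image
# is presumably CentOS-based, where the equivalent is update-ca-trust - confirm.
# NOTE(review): assumes the bundled JDK reads the OS trust store in this
# image; if PKIX validation still fails, import the CA into the JDK's cacerts
# with keytool instead.
RUN update-ca-trust extract
# Once this CA is trusted, every TLS connection made from the image accepts
# certificates issued by the proxy; keep the image local to the network that
# requires it rather than publishing it.

RUN bin/elasticsearch-plugin install repository-s3 --batch

# Create the keystore and store the S3 client credentials.
# NOTE(review): the literal values are recorded in the image history as part
# of these RUN instructions - use throwaway credentials only.
RUN bin/elasticsearch-keystore create
RUN echo easykey | elasticsearch-keystore add --stdin s3.client.default.access_key
RUN echo easysecret | elasticsearch-keystore add --stdin s3.client.default.secret_key
# Prints the names of the stored settings, not their values.
RUN elasticsearch-keystore list
# NOTE(review): the build leaves USER root in effect; confirm the image's
# entrypoint drops privileges before starting Elasticsearch, or switch back to
# the unprivileged user here.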