S3 Repository plugin PKIX failed

Hi all,

I have 1 cluster (Ubuntu 18.04) with 3 ES 7.4.2 nodes with Offline install 7.4.2 S3 Repository plugin.

I installed plugin than I did restart of every node.

I added keys on every node and did restart

bin/elasticsearch-keystore add s3.client.default.access_key
bin/elasticsearch-keystore add s3.client.default.secret_key

I tried to add repo

PUT /_snapshot/s4
{
  "type": "s3",
  "settings": {
    "bucket": "elk-dev",
    "endpoint": "mys3.host.com",        
    "protocol": "https"
  }
}

I am getting

{"error":{"root_cause":[{"type":"repository_verification_exception","reason":"[s4] path is not accessible on master node"}],"type":"repository_verification_exception","reason":"[s4] path is not accessible on master node","caused_by":{"type":"i_o_exception","reason":"Unable to upload object [tests-4RwL-Ps0T2SDfhj2i3v_Vg/master.dat] using a single upload","caused_by":{"type":"sdk_client_exception","reason":"Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","caused_by":{"type":"s_s_l_handshake_exception","reason":"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","caused_by":{"type":"validator_exception","reason":"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","caused_by":{"type":"sun_cert_path_builder_exception","reason":"unable to find valid certification path to requested target"}}}}}},"status":500}

I can connect from that server with mc to my S3 server without any problem.

I also tried SSLPoke and it worked.

I have Suse Linux 12, ES 6.5.4 cluster and S3 plugin is working fine.

I have no idea what could be wrong with 7.4.2 and Ubuntu..

Thanks for any help.

Issue has been resolved

openssl s_client -connect mys3.host.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

/usr/share/elasticsearch/jdk/bin/keytool -import -alias mys3host.com -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -file public.crt

Than it asked me for password, password is changeit

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.