opensearch-project/opensearch-k8s-operator

How-to Trust internal CA through Operator ?

piellick opened this issue · 1 comments

Hi team,
When using internal services with TLS authentication, we are facing problems integrating our root certificate. What would be the best solution?

1st case where this is a problem, using an internal smtp with TLS for email notifications on Opensearch Dashboard:

EmailException javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
    javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

We tried to use general.keystore with our CA cert inside a secret, without conclusive results:

 general:
    # ...
    keystore:
    - secret:
        name: internal-root-ca
      keyMappings:
        ca.crt: ca.crt

Would using an initContainer be the solution?

Thanks a lot

[Triage]
Hey @piellick, if I'm not wrong, you are trying to connect to an SMTP server through the dashboards pod and you end up with this PKIX error? If so, you can try adding the root CA cert. By the way, did you try using keytool manually inside the pod to update the cacerts?
https://docs.microfocus.com/SM/9.41/Classic/Content/security/tasks/update_the_cacerts_keystore_file.htm
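
The keytool step suggested in the reply above, as an added example that is not part of the issue or of the operator's code: it imports a root CA into a JVM truststore and checks by SHA-256 fingerprint that the intended certificate is the one now trusted. It assumes openssl and a JDK 9+ keytool on PATH; the CA is generated on the spot, and the alias and file names are illustrative.

```shell
# Added example, not from the issue: import an internal root CA into a JVM
# truststore with keytool and confirm the right certificate landed in it.
# Assumptions: openssl and a JDK 9+ keytool are on PATH; the CA is a throwaway
# one generated here; alias and file names are illustrative; "changeit" is the
# stock password of the JDK's cacerts file.
set -eu
STOREPASS=changeit

make_demo_ca() {            # $1 = dir; writes a constructed CA as ca.key/ca.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Internal Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

import_ca() {               # $1 = CA PEM, $2 = truststore, $3 = alias
    # For real use, start from a writable copy of $JAVA_HOME/lib/security/cacerts
    # so the public CAs stay trusted; a missing store file is created.
    keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$1" \
        -keystore "$2" -storepass "$STOREPASS" >/dev/null 2>&1
}

pem_fingerprint() {         # SHA-256 of the PEM certificate, bare upper-case hex
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

store_fingerprint() {       # $1 = truststore, $2 = alias; SHA-256 of that entry
    keytool -list -alias "$2" -keystore "$1" -storepass "$STOREPASS" 2>/dev/null |
        sed -n 's/.*(SHA-256): *//p' | tr -d ':\r' | tr 'a-f' 'A-F'
}

ca_is_trusted() {           # $1 = truststore, $2 = alias, $3 = CA PEM
    want=$(pem_fingerprint "$3")
    got=$(store_fingerprint "$1" "$2")
    [ -n "$got" ] && [ "$want" = "$got" ]
}

demo() {
    dir=$(mktemp -d)
    make_demo_ca "$dir"
    import_ca "$dir/ca.crt" "$dir/truststore.p12" internal-root-ca
    ca_is_trusted "$dir/truststore.p12" internal-root-ca "$dir/ca.crt" && echo "CA trusted"
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

A JVM picks up a non-default truststore through the standard `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` system properties.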