Commit 7b60bd0

doc: Add troubleshooting guide (#42)
1 parent 4493cc9 commit 7b60bd0

2 files changed

+39
-0
lines changed

Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
= Troubleshooting
2+
3+
== Errors and warnings in the OpenSearch logs
4+
5+
=== SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
6+
7+
The Stackable image of OpenSearch 3.1 uses OpenJDK 21 which is the latest supported JDK version in OpenSearch 3.1.
8+
When using TLSv1.3, which is the default, the following warning can appear in the OpenSearch logs:
9+
10+
----
11+
[WARN ][o.o.h.AbstractHttpServerTransport] [opensearch-nodes-default-0] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/...:9200, remoteAddress=/...}
12+
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
13+
----
14+
15+
This means that a TLS connection could not be established.
16+
Unfortunately, the message does not contain the reason.
17+
The issue with this message is fixed in JDK 24, see https://bugs.openjdk.org/browse/JDK-8331682[JDK-8331682{external-link-icon}^].
18+
OpenSearch 3.2, which supports JDK 24, will therefore show a proper message.
19+
20+
To find out the reason in OpenSearch 3.1, you could temporarily use TLSv1.2 which is not affected by this JDK bug:
21+
22+
[source,yaml]
23+
----
24+
nodes:
25+
configOverrides:
26+
opensearch.yml:
27+
plugins.security.ssl.http.enabled_protocols: TLSv1.2
28+
----
29+
30+
Instead of the warning above, an error message is shown, e.g.:
31+
32+
----
33+
[ERROR][o.o.h.n.s.SecureNetty4HttpServerTransport] [opensearch-nodes-default-0] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
34+
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
35+
----
36+
37+
In this case, the OpenSearch client cannot verify the certificate chain because it does not have the CA certificate which is used to sign the OpenSearch node certificate.
38+
See xref:home:secret-operator:usage.adoc[Usage of the Secret Operator], how to provide the CA certificate to the OpenSearch client and to solve this problem.
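
Review bot: The TLSv1.2 workaround at new lines 20-28 never says how to undo it. `plugins.security.ssl.http.enabled_protocols: TLSv1.2` leaves TLSv1.2 as the only enabled protocol on the HTTP layer for as long as the override stays in the cluster definition, and the word "temporarily" is the only hint that it should come out again. Suggest adding a sentence after the `unknown_ca` example telling the reader to remove the `configOverrides` entry once the cause is known, so the node returns to the TLSv1.3 default. Two smaller points: line 18 ("OpenSearch 3.2, which supports JDK 24, will therefore show a proper message") is written in future tense and will age, so present tense is safer; and line 38 reads more cleanly as `See xref:home:secret-operator:usage.adoc[Usage of the Secret Operator] for how to provide the CA certificate to the OpenSearch client.`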

docs/modules/opensearch/partials/nav.adoc

Lines changed: 1 addition & 0 deletions
@@ -14,6 +14,7 @@
1414
*** xref:opensearch:usage-guide/operations/pod-placement.adoc[]
1515
*** xref:opensearch:usage-guide/operations/pod-disruptions.adoc[]
1616
*** xref:opensearch:usage-guide/operations/graceful-shutdown.adoc[]
17+
* xref:opensearch:troubleshooting/index.adoc[]
1718
* xref:opensearch:reference/index.adoc[]
1819
** xref:opensearch:reference/crds.adoc[]
1920
*** {crd-docs}/opensearch.stackable.tech/opensearchcluster/v1alpha1/[OpenSearchCluster {external-link-icon}^]
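
Review bot: The nav entry added at line 17, `* xref:opensearch:troubleshooting/index.adoc[]`, only resolves if the new page sits at exactly `troubleshooting/index.adoc` among the pages of the `opensearch` module, and the path of the added file is not visible in this view, so please confirm it matches before merging. Because the xref has empty brackets, the nav label comes from the page title (`= Troubleshooting`), which is fine as long as that title stays short. Placing the entry as a top-level item between the operations pages and the reference section is consistent with the surrounding list.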
