Slack notification invalid cert path

I am trying to configure an alert with the slack integration, and I keep seeing TLS java errors when it tries to connect. I have a test cluster, and I re-did all my certificates to be the same CA as the chat server. I can run openssl s_client with the ca file and it validates the chat servers certificate, but I still get the following error when trying to get OpenDistro to send the alert. Anyone able to give me some pointers here? Does this pull from the transport/rest CA’s or is there yet another configuration option to provide this CA to the alerting? I am somewhat stuck here…

What I get when trying to send the alert:

Error: Failed running action: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I am running the chat server internally so there is not a public certificate, however the CA used to create the certificate is the one I have added to OpenDistro for both transport and Rest settings. I would even accept turning this check off, as this is an internal server, but I don’t think that is an option somewhere either.

Alright, I think I have found my answer, although I would be interested to know if there is another way of doing this through the yml configurations. However I can manually do this for now.

It seems the JVM is the issue, none of the security based certs are used. I had to edit it on each node, with the default “changeit” password. So if anyone else needs to add a CA, the following was my command.

keytool -import -alias MyCA -file customCA.crt -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts

Eventually having something that would auto-add CA’s used by OpenDistro to this location, would be helpful. I can ansible around this for now.