Include trusted issuer details in SSL diagnostics

libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslDiagnostics.java

@@ -254,11 +254,11 @@ private static CharSequence describeIssuerTrust(String contextName, @Nullable Ma
         final IssuerTrust trust = checkIssuerTrust(trustedIssuers, certificate);
         if (trust.isVerified()) {
             message.append("; the issuing ")
-                .append(trust.issuerCerts.size() == 1 ? "certificate": "certificates")
+                .append(trust.issuerCerts.size() == 1 ? "certificate" : "certificates")
                 .append(" with ")
                 .append(fingerprintDescription(trust.issuerCerts))
                 .append(" ")
-                .append(trust.issuerCerts.size() == 1 ? "is": "are")
+                .append(trust.issuerCerts.size() == 1 ? "is" : "are")
                 .append(" trusted in this ssl context ([")
                 .append(contextName)
                 .append("])");
@@ -277,6 +277,28 @@ private static CharSequence describeIssuerTrust(String contextName, @Nullable Ma
             message.append("; this ssl context ([")
                 .append(contextName)
                 .append("]) is not configured to trust that issuer");
+
+            if (trustedIssuers.isEmpty()) {
+                message.append(" or any other issuer");
+            } else {
+                if (trustedIssuers.size() == 1) {
+                    String trustedIssuer = trustedIssuers.keySet().iterator().next();
+                    message.append(", it only trusts the issuer [")
+                        .append(trustedIssuer)
+                        .append("] with ")
+                        .append(fingerprintDescription(trustedIssuers.get(trustedIssuer)));
+                } else {
+                    message.append(" but trusts [")
+                        .append(trustedIssuers.size())
+                        .append("] other issuers");
+                    if (trustedIssuers.size() < 10) {
+                        // 10 is an arbitrary number, but printing out hundreds of trusted issuers isn't helpful
+                        message.append(" ([")
+                            .append(trustedIssuers.keySet().stream().sorted().collect(Collectors.joining(", ")))
+                            .append("])");
+                    }
+                }
+            }
         }
         return message;
     }

libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/SslDiagnosticsTests.java

@@ -126,7 +126,8 @@ public void testDiagnosticMessageWhenServerProvidesEndCertificateOnlyButTheCertA
             " the certificate has subject alternative names [DNS:localhost,IP:127.0.0.1];" +
             " the certificate is issued by [CN=Test CA 1]" +
             " but the server did not provide a copy of the issuing certificate in the certificate chain;" +
-            " this ssl context ([xpack.http.ssl]) is not configured to trust that issuer"));
+            " this ssl context ([xpack.http.ssl]) is not configured to trust that issuer" +
+            " but trusts [2] other issuers ([CN=Test CA 2, CN=Test CA 3])"));
     }
 
     public void testDiagnosticMessageWhenServerProvidesEndCertificateOnlyWithMimicIssuer() throws Exception {
@@ -215,7 +216,7 @@ public void testDiagnosticMessageWhenServerProvidePartialChainFromUntrustedCA()
             " signed by (subject [CN=ca,OU=windows,DC=example,DC=com] fingerprint [" + MOCK_FINGERPRINT_3 + "])" +
             " signed by (subject [CN=issuing-ca,DC=example,DC=com] fingerprint [" + MOCK_FINGERPRINT_2 + "])" +
             " which is issued by [CN=root-ca,DC=example,DC=com] (but that issuer certificate was not provided in the chain);" +
-            " this ssl context ([xpack.security.authc.realms.ldap.ldap1.ssl]) is not configured to trust that issuer"));
+            " this ssl context ([xpack.security.authc.realms.ldap.ldap1.ssl]) is not configured to trust that issuer or any other issuer"));
     }
 
     public void testDiagnosticMessageWhenServerProvidesASelfSignedCertThatIsDirectlyTrusted() throws Exception {