IMPALA-6806

TLS certificate with Intermediate CA in server cert file fails with KRPC


Details

    • Bug
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • Impala 2.12.0
    • Impala 2.12.0
    • Security

    Description

      Take 2 certificate files: cert.pem and truststore.pem

      cert.pem has 2 certificates in it:
      A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA)
      And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by CN=CertToolkitRootCA)

      truststore.pem has 1 certificate in it:
      A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)

      This format of certificates doesn't seem to verify on the OpenSSL command line but works with Thrift. This also doesn't work with KRPC.

      Workaround for this issue w/ KRPC turned on:
      If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into truststore.pem, then this seems to work.

      We'll need to dig into whether this is a PEM file format issue, or a KRPC issue. But the above workaround should unblock us for now.
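The following is an added example, not part of the original report or of Impala's code: it rebuilds the two file layouts described above with a throwaway CA and runs them through `openssl verify`, which shows why the reported layout fails on the command line. It assumes an `openssl` binary (1.1.1 or later) on PATH; the keys are constructed scratch data and the function names are hypothetical. It does not reproduce or diagnose the KRPC behaviour.

```shell
# Added example (not from the issue). Throwaway keys; CNs taken from the report.
# Assumes an `openssl` binary (1.1.1 or later) on PATH.

make_chain() {  # $1 = empty scratch directory (hypothetical helper)
  (
    cd "$1" &&
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > ca.cnf &&
    # Self-signed root CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config ca.cnf \
      -extensions v3_ca -subj "/CN=CertToolkitRootCA" -keyout root.key -out root.pem &&
    # Intermediate CA, signed by the root
    openssl req -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=CertToolkitIntCA" -keyout int.key -out int.csr &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 2 -extfile ca.cnf -extensions v3_ca -out int.pem &&
    # Node certificate, signed by the intermediate
    openssl req -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=hostname" -keyout node.key -out node.csr &&
    openssl x509 -req -in node.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -out node.pem &&
    cat node.pem int.pem > cert.pem &&            # layout from the report
    cp root.pem truststore.pem &&
    cp node.pem cert_workaround.pem &&            # workaround layout
    cat int.pem root.pem > truststore_workaround.pem
  ) >/dev/null 2>&1
}

# 1) Files exactly as reported. `openssl verify` loads only the first
#    certificate in cert.pem, so the bundled intermediate is never used.
verify_reported() {
  openssl verify -CAfile "$1/truststore.pem" "$1/cert.pem" >/dev/null 2>&1
}
# 2) Same files, with cert.pem also offered as untrusted chain material.
verify_untrusted() {
  openssl verify -CAfile "$1/truststore.pem" -untrusted "$1/cert.pem" \
    "$1/cert.pem" >/dev/null 2>&1
}
# 3) Workaround from the report: intermediate moved into the truststore.
verify_workaround() {
  openssl verify -CAfile "$1/truststore_workaround.pem" \
    "$1/cert_workaround.pem" >/dev/null 2>&1
}

work=$(mktemp -d) && make_chain "$work" || { echo "setup failed" >&2; exit 1; }
for check in verify_reported verify_untrusted verify_workaround; do
  if "$check" "$work"; then echo "$check: OK"; else echo "$check: FAILED"; fi
done
rm -rf "$work"
```

Only the first check fails: the command-line tool needs the intermediate passed with `-untrusted` or present in the trusted file, which matches both the reported failure and the workaround.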

          People

            sailesh Sailesh Mukil
            sailesh Sailesh Mukil