IMPALA-6806

TLS certificate with Intermediate CA in server cert file fails with KRPC

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: Impala 2.12.0
    • Fix Version/s: Impala 2.12.0
    • Component/s: Security

      Description

      Take 2 certificate files: cert.pem and truststore.pem

      cert.pem has 2 certificates in it:
      A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA)
      And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by CN=CertToolkitRootCA)

      truststore.pem has 1 certificate in it:
      A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)

      This format of certificates doesn't seem to verify on the OpenSSL command line but works with Thrift. This also doesn't work with KRPC.

      Workaround for this issue w/ KRPC turned on:
      If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into truststore.pem, then this seems to work.

      We'll need to dig into whether this is a PEM file format issue, or a KRPC issue. But the above workaround should unblock us for now.
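
An added example, not part of the original report or of Impala's code: a shell script that rebuilds the described file layout with throwaway keys and runs `openssl verify` against each arrangement. `openssl verify` reads only the first certificate from the file it is asked to verify, so the bundled intermediate is considered only when the file is also passed with `-untrusted`. Every file name other than cert.pem and truststore.pem is constructed for the example.

```sh
#!/bin/sh
# Constructed test data: throwaway keys and 1-day certificates with the CNs
# from the report. Only cert.pem and truststore.pem are names from the report.
build_chain() (            # $1 = empty working directory
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > ca.cnf
  for pair in root:CertToolkitRootCA int:CertToolkitIntCA leaf:hostname; do
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=${pair#*:}" -keyout "${pair%%:*}.key" \
      -out "${pair%%:*}.csr" 2>/dev/null || exit 1
  done
  # Self-signed root, intermediate signed by root (both CA:TRUE), leaf signed
  # by the intermediate.
  openssl x509 -req -in root.csr -signkey root.key -days 1 \
    -extfile ca.cnf -extensions v3_ca -out root.pem 2>/dev/null || exit 1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.cnf -extensions v3_ca -out int.pem 2>/dev/null || exit 1
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -out leaf.pem 2>/dev/null || exit 1
  cat leaf.pem int.pem > cert.pem                    # layout from the report
  cp root.pem truststore.pem
  cat root.pem int.pem > truststore_workaround.pem   # intermediate moved over
)

# Root-only trust store; only the first cert in cert.pem (the leaf) is read.
verify_as_reported() {
  openssl verify -CAfile "$1/truststore.pem" "$1/cert.pem" >/dev/null 2>&1
}
# Same files, but cert.pem is also offered as a pool of untrusted intermediates.
verify_with_untrusted() {
  openssl verify -CAfile "$1/truststore.pem" -untrusted "$1/cert.pem" \
    "$1/cert.pem" >/dev/null 2>&1
}
# The report's workaround: the intermediate lives in the trust store.
verify_workaround() {
  openssl verify -CAfile "$1/truststore_workaround.pem" "$1/leaf.pem" \
    >/dev/null 2>&1
}

d=$(mktemp -d) || exit 1
build_chain "$d" || exit 1
for check in verify_as_reported verify_with_untrusted verify_workaround; do
  if "$check" "$d"; then echo "$check: verifies"; else echo "$check: fails"; fi
done
rm -rf "$d"
```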

              People

              • Assignee:
                sailesh Sailesh Mukil
                Reporter:
                sailesh Sailesh Mukil