Details
- Bug
- Status: Resolved
- Blocker
- Resolution: Fixed
- Impala 2.12.0
Description
Take 2 certificate files: cert.pem and truststore.pem
- cert.pem has 2 certificates in it:
  - A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA)
  - And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by CN=CertToolkitRootCA)
- truststore.pem has 1 certificate in it:
  - A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)
This format of certificates doesn't seem to verify on the OpenSSL command line, but it works with Thrift. It also doesn't work with KRPC.
Workaround for this issue with KRPC turned on:
If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into truststore.pem, then this seems to work.
We'll need to dig into whether this is a PEM file format issue, or a KRPC issue. But the above workaround should unblock us for now.
Issue Links
- depends upon: KUDU-2401 External TLS certificate with Intermediate CA in server cert file fails (Resolved)
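
The chain layout from the description, rebuilt as a throwaway lab PKI and checked with `openssl verify`. This is an added example, not part of the original issue: the report does not give the command that was run, so the `verify` invocations, every file name other than cert.pem and truststore.pem, and the key parameters are assumptions.

```shell
#!/usr/bin/env bash
# Constructed lab PKI with the same layout as the report:
#   CertToolkitRootCA (self-signed) -> CertToolkitIntCA -> hostname
set -u

csr() {  # csr <CN> <basename>: new RSA key plus signing request
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

build_pki() (  # build_pki <dir>: writes every PEM file into <dir>
  set -e
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  csr CertToolkitRootCA root
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.pem 2>/dev/null
  csr CertToolkitIntCA int
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.pem 2>/dev/null
  csr hostname node
  openssl x509 -req -in node.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out node.pem 2>/dev/null
  cat node.pem int.pem > cert.pem            # layout from the report
  cp root.pem truststore.pem
  cp node.pem cert_workaround.pem            # workaround: node cert only
  cat root.pem int.pem > truststore_workaround.pem
)

verify() {  # prints ok or fail; arguments are passed to `openssl verify`
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

demo() (  # demo <dir>: one result line per layout
  cd "$1" || exit 1
  # `openssl verify` reads only the first certificate of the target file, so
  # the intermediate bundled in cert.pem is never considered here.
  echo "reported layout:        $(verify -CAfile truststore.pem cert.pem)"
  # Same files, intermediate supplied as an untrusted chain certificate.
  echo "reported + -untrusted:  $(verify -CAfile truststore.pem -untrusted cert.pem cert.pem)"
  echo "workaround layout:      $(verify -CAfile truststore_workaround.pem cert_workaround.pem)"
)

dir=$(mktemp -d) && build_pki "$dir" && demo "$dir"
```

The `-untrusted` run is the command-line counterpart of a TLS peer receiving the intermediate in the handshake; the workaround instead makes the intermediate a trust anchor, which widens what the truststore accepts.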