drill-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Parth Chandra <par...@apache.org>
Subject Re: SSLPeerUnverifiedException - peer not authenticated - Accessing S3 with self-signed certificates
Date Thu, 06 Sep 2018 16:59:06 GMT
The configuration you have is set up for Drillbits talking to Drill clients
using TLS/SSL. Drillbits access S3 using the HDFS APIs and for that access
path you need to configure S3/HDFS to also use TLS/SSL. This configuration
is done outside of Drill in your HDFS setup.

A quick search led me to this link for CDH (setup in your Hadoop
distribution may vary):
https://www.cloudera.com/documentation/enterprise/5-10-x/topics/sg_aws_security.html

HTH.



On Thu, Aug 30, 2018 at 8:06 PM Vedant Naik <naik.vedant@gmail.com> wrote:

> Hi all,
>
> I have an S3 instance I am trying to connect to, that uses self-signed
> certificates. When querying, I get an "SSLPeerUnverifiedException" (log
> provided below)
>
> After doing some reading I found: "Your client's truststore doesn't trust
> your server's certificate. You need to get it exported from the server's
> keystore and imported into your client's truststore."
> So I got the certificate chain - root CA and intermediate certificates
> bundled file (Certificate has been issued against wildcard entry *.
> s3instance.ourhostname.com so it should be applied for
> bucketname.s3instance.ourhostname.com - as the s3a client library expects
> to communicate).
> Then, followed the steps here:
>
> https://drill.apache.org/docs/configuring-ssl-tls-for-encryption/#configuring-ssl/tls
> and updated the drill-override.conf which now looks like:
>
> drill.exec: {
>   cluster-id: "drillbits1",
>   zk.connect: "zookeeper-service:2181",
>   ssl: {
>     trustStorePath: "/certif/our_s3instance_cacert_file.crt"
>   }
> }
>
>
> I still keep getting SSLPeerUnverifiedException. Am I missing something
> here? Or am I referring to an incorrect section of the documentation?
> Please advise.
>
> Thank you,
> Kind regards,
> Vedant
>
> *Error log (omitting seemingly unnecessary lines):*
> [Error Id: 9b9a5de3-7252-443c-9305-9b0b0b3de271 on 3c6cf6857ad2:31010]
> org.apache.drill.common.exceptions.UserException: SYSTEM ERROR:
> SSLPeerUnverifiedException: peer not authenticated
>
> [Error Id: 9b9a5de3-7252-443c-9305-9b0b0b3de271 on 3c6cf6857ad2:31010]
> at
>
> org.apache.drill.common.exceptions.UserException$Builder.build(UserException.java:633)
> ~[drill-common-1.14.0.jar:1.14.0]
> at
> org.apache.drill.exec.work
> .foreman.Foreman$ForemanResult.close(Foreman.java:761)
> [drill-java-exec-1.14.0.jar:1.14.0]
>        ...
> Caused by: org.apache.drill.exec.work.foreman.ForemanException:
> *Unexpected
> exception during fragment initialization: Unable to execute HTTP request:
> peer not authenticated*
> at org.apache.drill.exec.work.foreman.Foreman.run(Foreman.java:294)
> [drill-java-exec-1.14.0.jar:1.14.0]
> ... 3 common frames omitted
> Caused by: com.amazonaws.AmazonClientException: *Unable to execute HTTP
> request: peer not authenticated*
> at
>
> com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:454)
> ~[aws-java-sdk-1.7.4.jar:na]
> at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:232)
> ~[aws-java-sdk-1.7.4.jar:na]
> at
> com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3528)
> ~[aws-java-sdk-1.7.4.jar:na]
> at
>
> com.amazonaws.services.s3.AmazonS3Client.headBucket(AmazonS3Client.java:1031)
> ~[aws-java-sdk-1.7.4.jar:na]
> at
>
> com.amazonaws.services.s3.AmazonS3Client.doesBucketExist(AmazonS3Client.java:994)
> ~[aws-java-sdk-1.7.4.jar:na]
> at
> org.apache.hadoop.fs.s3a.S3AFileSystem.initialize(S3AFileSystem.java:297)
> ~[hadoop-aws-2.7.1.jar:na]
> at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:2653)
> ~[hadoop-common-2.7.1.jar:na]
>   ...
> at org.apache.drill.exec.work.foreman.Foreman.runSQL(Foreman.java:567)
> [drill-java-exec-1.14.0.jar:1.14.0]
> at org.apache.drill.exec.work.foreman.Foreman.run(Foreman.java:266)
> [drill-java-exec-1.14.0.jar:1.14.0]
> ... 3 common frames omitted
> Caused by: *javax.net.ssl.SSLPeerUnverifiedException: peer not
> authenticated*
> at
>
> sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:440)
> ~[na:1.8.0_181]
> at
> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126)
> ~[httpclient-4.2.5.jar:4.2.5]
> at
>
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437)
> ~[httpclient-4.2.5.jar:4.2.5]
> at
>
> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
> ~[httpclient-4.2.5.jar:4.2.5]
> at
>
> org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
> ~[httpclient-4.2.5.jar:4.2.5]
> at
>
> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643)
> ~[httpclient-4.2.5.jar:4.2.5]
> at
>
> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
> ~[httpclient-4.2.5.jar:4.2.5]
> at
>
> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
> ~[httpclient-4.2.5.jar:4.2.5]
> at
>
> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
> ~[httpclient-4.2.5.jar:4.2.5]
> at
>
> com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:384)
> ~[aws-java-sdk-1.7.4.jar:na]
> ... 36 common frames omitted
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message