trinodb / charts


SSLHandshake exception

EvodiDunn opened this issue · comments

Hey,

I'm trying to secure our installation with an HTTPS certificate and internal TLS so that I can use LDAP for authentication. However, I run into the below error.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This occurs when I connect via 'https://internal-fqdn'. Our organization has a wildcard certificate issued by GoDaddy, and that has been added to the cluster in the form of a secret. This certificate is then terminated on the ingress with the backend protocol set to HTTPS.

If I visit the site via a web browser, the site says there is a certificate and that it is valid. However, if I connect via the Trino.jar application with the command ./trino.jar https://internal-fqdn and then run show catalogs; the error appears. Remove the TLS and connect via http and this error does not occur. Any suggestions?

For context, I have the following configuration in our Helm values file as well:
additionalConfigProperties:
[
#To allow the certificate to be terminated at the ingress
http-server.process-forwarded=true,
#This is required for the nodes and coordinator to encrypt traffic between each other
internal-communication.shared-secret={redacted secret phrase},
internal-communication.https.required=true,
#Not needed according to https://trino.io/docs/current/security/tls.html#https-secure-directly:~:text=This%20is%20why%20you%20do%20not%20need%20to%20configure%20http%2Dserver.https.enabled%3Dtrue
#http-server.https.enabled=true,
#http-server.https.port=8443
]

@EvodiDunn Were you able to resolve it?

@adityatanwar03 Unfortunately I have not yet. I've been held up with other projects and sidelined this, but will need to look again over the next week or so. After some talks in the Slack community I believe it could be related to the keystore; however, I haven't seen much documentation around how that's supposed to be set up for the chart, so I haven't changed it from default. Could be my issue, so I'll be starting there, but I'm open to suggestions.

Well, I tried setting this up with a keystore as well but seem to get stuck with the same error as you are getting. Funny thing: I am still able to choose schemas but not able to see tables; then this error message pops up. Let me know whenever you start working on it @EvodiDunn

This doesn't sound like an issue with the chart, more like the Trino CLI is using the system store to load CA certificates and the one used to sign your certificate is not present there. Feel free to reopen if you disagree.

@adityatanwar03 I figured it out for me. It turned out to be nothing wrong with the server at all. My local client didn't trust the certificate presented by the server. I figured this out by connecting with the --insecure flag. I'm still yet to figure out how to make the local client trust the cert, but I would imagine there's a local keystore on my machine it needs to be added to.

As nineinchinick said, it's a CLI-related question, not Helm.
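The diagnosis above (the CLI's trust store lacks the CA that signed the server certificate) and the resolution (the client, not the server, was at fault) can both be reproduced offline. The script below is an added example, not code from this thread or from the trinodb/charts project. It builds a throwaway "Demo Root CA", an unrelated "Other CA" and a server certificate for internal-fqdn (all constructed for the demo), shows that path building fails when the trust store holds the wrong CA and succeeds when it holds the issuing CA, and then imports the CA into a PKCS12 trust store for the Java-based Trino CLI. It requires openssl; keytool (from a JDK) is optional, and the --truststore-path / --truststore-password CLI flags are assumed from the Trino CLI documentation rather than from this page.

```shell
#!/bin/sh
# Added example (not from the issue thread or the trinodb/charts project):
# reproduce the client-side PKIX "unable to find valid certification path"
# failure locally and show the durable fix, which is to give the Java client
# a trust store that contains the issuing CA instead of using --insecure.
#
# Constructed for the demo: "Demo Root CA", "Other CA", a server certificate
# for internal-fqdn. Assumed: the Trino CLI flags --truststore-path and
# --truststore-password. Requires openssl; keytool is optional.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create two private CAs and a server certificate signed by the first one.
# A private or unusual CA is exactly the case where a browser (whose store
# has the CA) succeeds while a Java client with a different store fails.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=internal-fqdn" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    # Modern clients match the hostname against subjectAltName, not the CN.
    printf 'subjectAltName=DNS:internal-fqdn\n' > "$WORK/san.cnf"
    openssl x509 -req -days 1 -in "$WORK/server.csr" -extfile "$WORK/san.cnf" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# Exit 0 when a path from server.pem to a CA in the given PEM bundle can be
# built and the hostname matches; non-zero otherwise. This is the decision
# the JVM's PKIX validator makes before the CLI can send "show catalogs".
verify_with_truststore() {
    openssl verify -CAfile "$1" -verify_hostname internal-fqdn \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Java clients such as the Trino CLI read a JKS/PKCS12 trust store rather
# than a PEM bundle. Import the CA and print the resulting CLI invocation.
build_java_truststore() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; install a JDK to build the Java trust store" >&2
        return 0
    fi
    rm -f "$WORK/truststore.p12"
    keytool -importcert -noprompt -trustcacerts -alias demo-root-ca \
        -file "$WORK/ca.pem" -keystore "$WORK/truststore.p12" \
        -storetype PKCS12 -storepass changeit >/dev/null 2>&1
    echo "./trino.jar --server https://internal-fqdn" \
         "--truststore-path $WORK/truststore.p12 --truststore-password changeit"
}

make_demo_pki
if verify_with_truststore "$WORK/other-ca.pem"; then
    echo "unexpected: a trust store without the issuing CA accepted the cert"
else
    echo "wrong trust store: path building fails (the CLI's PKIX error)"
fi
if verify_with_truststore "$WORK/ca.pem"; then
    echo "trust store with the issuing CA: certificate chain verifies"
fi
build_java_truststore
```

Two practical notes. First, --insecure is useful only to confirm that the failure is trust-related, as done above; the fix is the explicit trust store. Second, before importing anything, check what the server actually sends with openssl s_client -showcerts -connect internal-fqdn:443 -servername internal-fqdn: browsers can fetch a missing intermediate certificate on their own, while the JVM cannot, so a server that serves only the leaf certificate produces exactly this symptom (browser says valid, Java fails) even when the root CA is already in the client's cacerts.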