Trino Gateway unable to connect to trino cluster with self signed certificate
Nexengineer opened this issue
Hi,
I am running a Trino cluster in k8s. It has a self-signed certificate, and whenever I add a backend I get the error below. Please point me in the right direction for a fix.
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
If I try to curl my Trino cluster from the Trino Gateway pod,
curl https://mytrino.com/v1/info
fails, but
curl -k https://mytrino.com/v1/info
returns 200 OK.
Is there a way to control curl -k via config?
Thanks
Any help is appreciated
@Nexengineer One option I can think of is adding the self-signed certificate's CA to the default Java keystore (JAVA_HOME/jre/lib/security/cacerts) or to the system truststore in the pod.
@avinashdesireddy I was able to resolve it by creating a custom image; details are attached below.
```dockerfile
FROM trinodb/trino-gateway:8

# Switch to root first: the steps below write under /etc/pki and $JAVA_HOME
USER root
RUN mkdir -p /etc/pki/ca-trust/extracted/pem/ && \
    mkdir -p /etc/pki/ca-trust/extracted/openssl/
RUN mkdir -p /tmp/certs
WORKDIR /tmp/app
COPY ca.pem /tmp/app/ca.pem

# For the health check using curl: append the CA to the system trust bundles
RUN cat /tmp/app/ca.pem >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
RUN cat /tmp/app/ca.pem >> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

# For calling the actual environment: import the CA into the JVM truststore (cacerts)
COPY ca.cer $JAVA_HOME/lib/security
RUN cd $JAVA_HOME/lib/security \
    && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ldapcert -file ca.cer
```
Is there a better way?
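As an added illustration (not code from this thread or from Trino Gateway), the Go program below reproduces the three situations discussed above against a local stand-in for the coordinator. It mints a throwaway self-signed certificate for mytrino.com, serves /v1/info over TLS with it, and then connects with (1) only the system roots, which fails with an unknown-authority error just like the curl (60) in the issue, (2) InsecureSkipVerify, the equivalent of curl -k, which returns 200 but authenticates nothing and would accept any interposed server just the same, and (3) a trust pool holding the certificate's PEM, the in-process counterpart of appending ca.pem to the system bundle or importing it into the JVM cacerts, which returns 200 with verification intact. The hostname mytrino.com, the custom dialer that stands in for a DNS entry, the `{"starting":false}` body and the self-signed certificate itself are all constructed for this example; in the poster's setup the server certificate is issued by a private CA and it is that CA certificate that gets imported, but the trust-store mechanism is identical.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// SelfSignedCert is a throwaway self-signed certificate for host, constructed for this example.
// Cert is what the stand-in coordinator serves; PEM is the "ca.pem" a client must be told to trust.
type SelfSignedCert struct {
	Cert tls.Certificate
	PEM  []byte
}

func NewSelfSignedCert(host string) (*SelfSignedCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, // self-signed: it is its own trust anchor
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &SelfSignedCert{
		Cert: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key},
		PEM:  pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
	}, nil
}

// fetchInfo is the Go counterpart of `curl https://mytrino.com/v1/info` under cfg; the custom
// dialer stands in for the DNS or hosts entry that points mytrino.com at the cluster (addr).
func fetchInfo(addr string, cfg *tls.Config) (int, error) {
	tr := &http.Transport{TLSClientConfig: cfg, DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
		return (&net.Dialer{}).DialContext(ctx, network, addr)
	}}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get("https://mytrino.com/v1/info")
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// TrustResults records what each client trust setting yields against the same server.
type TrustResults struct {
	DefaultErr    error // system roots only: the cert is unknown, the curl (60) failure from the issue
	InsecureCode  int   // InsecureSkipVerify, the `curl -k` equivalent: 200, but the peer is not authenticated
	PrivateCACode int   // cert added to the client's trust store: 200 with verification intact
}

func Run() (*TrustResults, error) {
	cert, err := NewSelfSignedCert("mytrino.com")
	if err != nil {
		return nil, err
	}
	// Stand-in for the coordinator; the /v1/info body is constructed, not Trino's real reply.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"starting":false}`)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert.Cert}}
	srv.StartTLS()
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	// In-process counterpart of `cat ca.pem >> tls-ca-bundle.pem` or the keytool import.
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(cert.PEM) {
		return nil, fmt.Errorf("ca.pem did not parse")
	}
	res := &TrustResults{}
	_, res.DefaultErr = fetchInfo(addr, &tls.Config{})
	if res.InsecureCode, err = fetchInfo(addr, &tls.Config{InsecureSkipVerify: true}); err != nil {
		return nil, err
	}
	if res.PrivateCACode, err = fetchInfo(addr, &tls.Config{RootCAs: pool}); err != nil {
		return nil, err
	}
	return res, nil
}
```

The practical point: the knob to turn is the trust store each client consults (the system bundle for curl, cacerts or a truststore passed via the standard javax.net.ssl.trustStore property for the JVM), never a verification-off switch, because case (2) gives the same 200 to an attacker's server as to the real cluster.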