Posted to dev@drill.apache.org by Vedant Naik <na...@gmail.com> on 2018/08/31 03:05:27 UTC

SSLPeerUnverifiedException - peer not authenticated - Accessing S3 with self-signed certificates

Hi all,

I have an S3 instance I am trying to connect to, that uses self-signed
certificates. When querying, I get an "SSLPeerUnverifiedException" (log
provided below).

After doing some reading I found: "Your client's truststore doesn't trust
your server's certificate. You need to get it exported from the server's
keystore and imported into your client's truststore."
So I got the certificate chain - root CA and intermediate certificates
bundled file (the certificate has been issued against the wildcard entry
*.s3instance.ourhostname.com, so it should apply to
bucketname.s3instance.ourhostname.com - as the s3a client library expects
to communicate).
Then I followed the steps here:
https://drill.apache.org/docs/configuring-ssl-tls-for-encryption/#configuring-ssl/tls
and updated drill-override.conf, which now looks like:

drill.exec: {
  cluster-id: "drillbits1",
  zk.connect: "zookeeper-service:2181",
  ssl: {
    trustStorePath: "/certif/our_s3instance_cacert_file.crt"
  }
}


I still keep getting SSLPeerUnverifiedException. Am I missing something
here? Or am I referring to an incorrect section of the documentation?
Please advise.

Thank you,
Kind regards,
Vedant

*Error log (omitting seemingly unnecessary lines):*
[Error Id: 9b9a5de3-7252-443c-9305-9b0b0b3de271 on 3c6cf6857ad2:31010]
org.apache.drill.common.exceptions.UserException: SYSTEM ERROR:
SSLPeerUnverifiedException: peer not authenticated

[Error Id: 9b9a5de3-7252-443c-9305-9b0b0b3de271 on 3c6cf6857ad2:31010]
at org.apache.drill.common.exceptions.UserException$Builder.build(UserException.java:633) ~[drill-common-1.14.0.jar:1.14.0]
at org.apache.drill.exec.work.foreman.Foreman$ForemanResult.close(Foreman.java:761) [drill-java-exec-1.14.0.jar:1.14.0]
       ...
Caused by: org.apache.drill.exec.work.foreman.ForemanException: *Unexpected exception during fragment initialization: Unable to execute HTTP request: peer not authenticated*
at org.apache.drill.exec.work.foreman.Foreman.run(Foreman.java:294) [drill-java-exec-1.14.0.jar:1.14.0]
... 3 common frames omitted
Caused by: com.amazonaws.AmazonClientException: *Unable to execute HTTP request: peer not authenticated*
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:454) ~[aws-java-sdk-1.7.4.jar:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:232) ~[aws-java-sdk-1.7.4.jar:na]
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3528) ~[aws-java-sdk-1.7.4.jar:na]
at com.amazonaws.services.s3.AmazonS3Client.headBucket(AmazonS3Client.java:1031) ~[aws-java-sdk-1.7.4.jar:na]
at com.amazonaws.services.s3.AmazonS3Client.doesBucketExist(AmazonS3Client.java:994) ~[aws-java-sdk-1.7.4.jar:na]
at org.apache.hadoop.fs.s3a.S3AFileSystem.initialize(S3AFileSystem.java:297) ~[hadoop-aws-2.7.1.jar:na]
at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:2653) ~[hadoop-common-2.7.1.jar:na]
  ...
at org.apache.drill.exec.work.foreman.Foreman.runSQL(Foreman.java:567) [drill-java-exec-1.14.0.jar:1.14.0]
at org.apache.drill.exec.work.foreman.Foreman.run(Foreman.java:266) [drill-java-exec-1.14.0.jar:1.14.0]
... 3 common frames omitted
Caused by: *javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated*
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:440) ~[na:1.8.0_181]
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126) ~[httpclient-4.2.5.jar:4.2.5]
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437) ~[httpclient-4.2.5.jar:4.2.5]
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.2.5.jar:4.2.5]
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294) ~[httpclient-4.2.5.jar:4.2.5]
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643) ~[httpclient-4.2.5.jar:4.2.5]
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) ~[httpclient-4.2.5.jar:4.2.5]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) ~[httpclient-4.2.5.jar:4.2.5]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) ~[httpclient-4.2.5.jar:4.2.5]
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:384) ~[aws-java-sdk-1.7.4.jar:na]
... 36 common frames omitted

Re: SSLPeerUnverifiedException - peer not authenticated - Accessing S3 with self-signed certificates

Posted by Parth Chandra <pa...@apache.org>.
The configuration you have is set up for Drillbits talking to Drill clients
using TLS/SSL. Drillbits access S3 using the HDFS APIs and for that access
path you need to configure S3/HDFS to also use TLS/SSL. This configuration
is done outside of Drill in your HDFS setup.

A quick search led me to this link for CDH (setup in your Hadoop
distribution may vary):
https://www.cloudera.com/documentation/enterprise/5-10-x/topics/sg_aws_security.html

HTH.



On Thu, Aug 30, 2018 at 8:06 PM Vedant Naik <na...@gmail.com> wrote:

> Hi all,
>
> I have an S3 instance I am trying to connect to, that uses self-signed
> certificates. When querying, I get an "SSLPeerUnverifiedException" (log
> provided below).
>
> After doing some reading I found: "Your client's truststore doesn't trust
> your server's certificate. You need to get it exported from the server's
> keystore and imported into your client's truststore."
> So I got the certificate chain - root CA and intermediate certificates
> bundled file (the certificate has been issued against the wildcard entry
> *.s3instance.ourhostname.com, so it should apply to
> bucketname.s3instance.ourhostname.com - as the s3a client library expects
> to communicate).
> Then I followed the steps here:
> https://drill.apache.org/docs/configuring-ssl-tls-for-encryption/#configuring-ssl/tls
> and updated drill-override.conf, which now looks like:
>
> drill.exec: {
>   cluster-id: "drillbits1",
>   zk.connect: "zookeeper-service:2181",
>   ssl: {
>     trustStorePath: "/certif/our_s3instance_cacert_file.crt"
>   }
> }
>
>
> I still keep getting SSLPeerUnverifiedException. Am I missing something
> here? Or am I referring to an incorrect section of the documentation?
> Please advise.
>
> Thank you,
> Kind regards,
> Vedant
>
> *Error log (omitting seemingly unnecessary lines):*
> [Error Id: 9b9a5de3-7252-443c-9305-9b0b0b3de271 on 3c6cf6857ad2:31010]
> org.apache.drill.common.exceptions.UserException: SYSTEM ERROR:
> SSLPeerUnverifiedException: peer not authenticated
>
> [Error Id: 9b9a5de3-7252-443c-9305-9b0b0b3de271 on 3c6cf6857ad2:31010]
> at org.apache.drill.common.exceptions.UserException$Builder.build(UserException.java:633) ~[drill-common-1.14.0.jar:1.14.0]
> at org.apache.drill.exec.work.foreman.Foreman$ForemanResult.close(Foreman.java:761) [drill-java-exec-1.14.0.jar:1.14.0]
>        ...
> Caused by: org.apache.drill.exec.work.foreman.ForemanException: *Unexpected exception during fragment initialization: Unable to execute HTTP request: peer not authenticated*
> at org.apache.drill.exec.work.foreman.Foreman.run(Foreman.java:294) [drill-java-exec-1.14.0.jar:1.14.0]
> ... 3 common frames omitted
> Caused by: com.amazonaws.AmazonClientException: *Unable to execute HTTP request: peer not authenticated*
> at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:454) ~[aws-java-sdk-1.7.4.jar:na]
> at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:232) ~[aws-java-sdk-1.7.4.jar:na]
> at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3528) ~[aws-java-sdk-1.7.4.jar:na]
> at com.amazonaws.services.s3.AmazonS3Client.headBucket(AmazonS3Client.java:1031) ~[aws-java-sdk-1.7.4.jar:na]
> at com.amazonaws.services.s3.AmazonS3Client.doesBucketExist(AmazonS3Client.java:994) ~[aws-java-sdk-1.7.4.jar:na]
> at org.apache.hadoop.fs.s3a.S3AFileSystem.initialize(S3AFileSystem.java:297) ~[hadoop-aws-2.7.1.jar:na]
> at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:2653) ~[hadoop-common-2.7.1.jar:na]
>   ...
> at org.apache.drill.exec.work.foreman.Foreman.runSQL(Foreman.java:567) [drill-java-exec-1.14.0.jar:1.14.0]
> at org.apache.drill.exec.work.foreman.Foreman.run(Foreman.java:266) [drill-java-exec-1.14.0.jar:1.14.0]
> ... 3 common frames omitted
> Caused by: *javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated*
> at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:440) ~[na:1.8.0_181]
> at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126) ~[httpclient-4.2.5.jar:4.2.5]
> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437) ~[httpclient-4.2.5.jar:4.2.5]
> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.2.5.jar:4.2.5]
> at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294) ~[httpclient-4.2.5.jar:4.2.5]
> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643) ~[httpclient-4.2.5.jar:4.2.5]
> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) ~[httpclient-4.2.5.jar:4.2.5]
> at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) ~[httpclient-4.2.5.jar:4.2.5]
> at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) ~[httpclient-4.2.5.jar:4.2.5]
> at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:384) ~[aws-java-sdk-1.7.4.jar:na]
> ... 36 common frames omitted
>
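The reply splits the problem in two: whether the CA bundle is right, and where it has to be wired in (the s3a client runs inside the Drillbit JVM, not behind Drill's own ssl block). The handshake below exercises only the first half, trusting nothing but the poster's bundle and applying HTTPS hostname checking the way httpclient's verifier does. It is an added diagnostic, not code from the thread or from Drill/hadoop-aws; the class name is hypothetical, and the host and path default to the values from the post.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical diagnostic (not part of Drill or hadoop-aws); defaults come from the post.
public class S3TrustCheck {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "bucketname.s3instance.ourhostname.com";
        String caBundle = args.length > 1 ? args[1] : "/certif/our_s3instance_cacert_file.crt";

        // Turn the PEM bundle (root CA + intermediates) into an in-memory truststore.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        int n = 0;
        try (InputStream in = new FileInputStream(caBundle)) {
            for (Certificate c : cf.generateCertificates(in)) {
                ts.setCertificateEntry("ca-" + (n++), c);
            }
        }
        System.out.println("Loaded " + n + " CA certificate(s) from " + caBundle);

        // Trust only that bundle, so a success here proves the bundle is sufficient.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocketFactory sf = ctx.getSocketFactory();
        try (SSLSocket sock = (SSLSocket) sf.createSocket(host, 443)) {
            // HTTPS endpoint identification checks the wildcard SAN against the bucket-style host name.
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);
            sock.startHandshake();
            System.out.println("Handshake OK, peer chain presented:");
            for (Certificate c : sock.getSession().getPeerCertificates()) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }
        }
    }
}
```

If this succeeds, the bundle and the wildcard match are fine, and what remains is making the Drillbit JVM trust the same material, which as the reply says is configured outside drill-override.conf (for example through the standard javax.net.ssl.trustStore JVM property or the Hadoop-side S3 setup). If it fails, the handshake exception names which step is missing, a certificate that does not chain to the bundle or a host name the certificate does not cover.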