Open jdsjdk opened 1 year ago
Have you tried filing an issue with the main project yet?
I see something else here, and realized I commented on the GIST.
But you should be using these ciphers below:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

CBC should never be used; it is a super insecure algo. GCM is the most commonly supported algo by everything, including the JVM.
So I just tried that, and it didn't work. I'm going to create an issue with the Trino team, and see if they can help. The error is the same and no change.
I also updated the GitHub Gist with some useful info that might help you. Lemme know what you think.
Hey @PenguinzPlays I have also opened a ticket with The Trino Team as you have suggested. lol Let's get this fixed!!
So if you go to that conversation @PenguinzPlays, I guess you cannot have encrypted PEM keys. I will switch the playbook to a JKS format instead. Please give me a few days for this, thanks again.
Drop the encryption requirements for now
:thumbsup:
I'm getting another error now, and it's in the build phase of this - some sort of ansible error. I will address tomorrow.
Ok, @PenguinzPlays I think I'm just going to switch to a JKS file. I was able to get through all of the issues with Ansible, but it's still not liking the PEM file. I think this is just going to be easier with using a Java Keystore.
🤷‍♂️
Yup, confirmed. This is just going to be easier if I switch to a Java Keystore. lol I'm starting to get annoyed with Java now. smh. :unamused:
So I switched everything over to a java keystore, but I'm still getting similar errors. I will debug tomorrow. Thanks again.
Did you ever flip to GCM instead of CBC? That is a bigger deal than you might know....
> I'm getting another error now, and it's in the build phase of this - some sort of ansible error. I will address tomorrow.

Pics or it didn't happen :P
Hello @PenguinzPlays,
As you can see from this GitHub Gist, the Trino Coordinator cannot read the PEM file.... I've tried every way to get it to work that I can think of, and it just doesn't want to read it correctly. The Trino documentation doesn't have an answer for this, and I really don't know where to go from here.
With this line of code:
```
http-server.https.included-cipher=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
```
I've tried to correctly guess the encryption family from the Trino documentation from:
But after burying my head in the weeds for a while.... I've just hit an impasse. I'm honestly out of my depth here. I cannot figure out if it just doesn't like my encryption method - an RSA 2048 with a SHA-384 using a DH-Param key, or it just cannot understand the format of the `fullchain.pem` file. Either way, it's not loading correctly, and Trino doesn't understand it.
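
An added example, not code from this thread or from the Trino project: a small Python check that reads the `http-server.https.included-cipher` property and flags CBC-mode and static-RSA suites, run on the two cipher lists quoted in the thread. The function names and the sample config text are constructed for illustration.

```python
# Property name as quoted in the thread.
PROPERTY = "http-server.https.included-cipher"

# Constructed sample configs: the CBC line from the thread, and the same
# property rewritten with the four GCM suites suggested in the thread.
SAMPLE_BEFORE = (
    "# constructed sample\n"
    "http-server.https.included-cipher=TLS_RSA_WITH_AES_256_CBC_SHA256,"
    "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA\n"
)
SAMPLE_AFTER = (
    "http-server.https.included-cipher="
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n"
)


def parse_suites(config_text):
    """Return the suites listed under PROPERTY, skipping comments and blanks."""
    suites = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROPERTY:
            suites += [s.strip() for s in value.split(",") if s.strip()]
    return suites


def audit_suite(name):
    """Return findings for one JSSE-style suite name (empty list = none)."""
    findings = []
    if "_CBC_" in name:
        findings.append("CBC mode (not an AEAD cipher)")
    if name.startswith("TLS_RSA_WITH_"):
        findings.append("static RSA key exchange (no forward secrecy)")
    return findings


def audit_config(config_text):
    """Map every configured suite to its list of findings."""
    return {suite: audit_suite(suite) for suite in parse_suites(config_text)}
```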