PenguinCloud / Trino-Coordinate

This repo is for the Trino coordinator. It will manage the Trino workers and make sure that the queries are being handled correctly.
MIT License

Trino doesn't understand the PEM file and cannot read the SSL certificate. #1

Open jdsjdk opened 1 year ago

jdsjdk commented 1 year ago

Hello @PenguinzPlays,

As you can see from this Github Gist, Trino Coordinate cannot read the PEM file.... I've tried every way to get it to work that I can think of, and it just doesn't want to read it correctly. The Trino documentation doesn't have an answer for this, and I really don't know where to go from here.

With this line of code:

http-server.https.included-cipher=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

I've tried to correctly guess the encryption family from the Trino documentation from:

  1. Here
  2. Here
  3. And here

But after burying my head in the weeds for a while.... I've just hit an impasse. I'm honestly out of my depth here. I cannot figure out if it just doesn't like my encryption method - an RSA 2048 with a SHA-384 using a DH-Param key, or it just cannot understand the format of the fullchain.pem file. Either way, it's not loading correctly, and Trino doesn't understand it.

PenguinzPlays commented 1 year ago

Have you tried filing an issue with the main project yet?

PenguinzPlays commented 1 year ago

I see something else here, and realized I commented on the GIST.

But you should be using these ciphers below:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

CBC should never be used, it is a super insecure algo. GCM is the most commonly supported algo by everything including JVM.

jdsjdk commented 1 year ago

So I just tried that, and it didn't work. I'm going to create an issue with the Trino team, and see if they can help. The error is the same and no change.

jdsjdk commented 1 year ago

I also updated the Github Gist, with some useful info that might help you. Lemme know what you think.

jdsjdk commented 1 year ago

Hey @PenguinzPlays I have also opened a ticket with The Trino Team as you have suggested. lol Let's get this fixed!!

jdsjdk commented 1 year ago

So if you go to that conversation @PenguinzPlays, I guess you cannot have encrypted PEM keys. I will switch the playbook to a JKS format instead. Please give me a few days for this, thanks again.
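The two findings in this thread so far are the cipher list (the CBC/static-RSA suites in the first comment versus the ECDHE/GCM suites PenguinzPlays recommends) and the keystore file (an encrypted PEM key that the coordinator rejects). The following is an added example, not code from Trino-Coordinate or from Trino, that lints both before a deploy: it splits a `http-server.https.included-cipher` value and flags CBC-mode and static-RSA suites, and it parses a fullchain PEM to count certificates and detect an encrypted private key (PKCS#8 `ENCRYPTED PRIVATE KEY` or a legacy `Proc-Type: 4,ENCRYPTED` header). It assumes the thread's conclusion that the key must be unencrypted; the PEM bodies below are constructed placeholders, not real keys.

```python
"""Preflight lint for a Trino HTTPS setup: cipher list and PEM keystore.

Added example for this issue thread; not part of Trino-Coordinate or Trino.
Assumes (per the thread) that the coordinator needs exactly one unencrypted
private key alongside the certificate chain.
"""
import re

# One PEM block: label must match between BEGIN and END.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def parse_cipher_list(value: str) -> list[str]:
    """Split a comma-separated included-cipher value into suite names."""
    return [c.strip() for c in value.split(",") if c.strip()]


def audit_ciphers(value: str) -> dict[str, list[str]]:
    """Group suites into CBC-mode, static-RSA key exchange, and acceptable."""
    suites = parse_cipher_list(value)
    cbc = [s for s in suites if "_CBC_" in s]
    static_rsa = [s for s in suites if s.startswith("TLS_RSA_WITH_")]
    ok = [s for s in suites if s not in cbc and s not in static_rsa]
    return {"cbc": cbc, "static_rsa": static_rsa, "ok": ok}


def parse_pem(text: str) -> list[dict]:
    """Return each PEM block's label and any RFC 1421 headers (Proc-Type, DEK-Info)."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        lines = m.group("body").splitlines()
        headers = {}
        i = 0
        # Headers are "Key: value" lines before a blank line; base64 never contains ':'.
        while i < len(lines) and ":" in lines[i]:
            key, _, val = lines[i].partition(":")
            headers[key.strip()] = val.strip()
            i += 1
        blocks.append({"label": m.group("label"), "headers": headers})
    return blocks


def audit_pem(text: str) -> dict:
    """Count certs and keys and report whether the file is usable unencrypted."""
    blocks = parse_pem(text)
    certs = sum(1 for b in blocks if b["label"] == "CERTIFICATE")
    keys = [b for b in blocks if "PRIVATE KEY" in b["label"]]
    encrypted = [
        b for b in keys
        if b["label"].startswith("ENCRYPTED")                       # PKCS#8 encrypted
        or b["headers"].get("Proc-Type", "").endswith("ENCRYPTED")  # legacy PKCS#1
    ]
    return {
        "certificates": certs,
        "private_keys": len(keys),
        "encrypted_keys": len(encrypted),
        "usable": certs >= 1 and len(keys) == 1 and not encrypted,
    }


# Constructed sample inputs. Cipher lists are the two from this thread;
# PEM bodies are placeholders, not real key or certificate material.
CIPHERS_FROM_ISSUE = (
    "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
)
CIPHERS_RECOMMENDED = (
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
)
FULLCHAIN_ENCRYPTED = """-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCert==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediate==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBplaceholderPkcs8Encrypted==
-----END ENCRYPTED PRIVATE KEY-----
"""
FULLCHAIN_LEGACY_ENCRYPTED = """-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCert==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIBplaceholderPkcs1Encrypted==
-----END RSA PRIVATE KEY-----
"""
FULLCHAIN_PLAIN = """-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCert==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIBplaceholderPkcs8Plain==
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, value in [("issue", CIPHERS_FROM_ISSUE), ("recommended", CIPHERS_RECOMMENDED)]:
        print(name, audit_ciphers(value))
    for name, pem in [("encrypted", FULLCHAIN_ENCRYPTED),
                      ("legacy", FULLCHAIN_LEGACY_ENCRYPTED), ("plain", FULLCHAIN_PLAIN)]:
        print(name, audit_pem(pem))
```

Running it reports every suite from the first comment as both CBC and static-RSA (no forward secrecy), all four recommended suites as acceptable, and marks only the fullchain with an unencrypted `PRIVATE KEY` block as usable.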

PenguinzPlays commented 1 year ago

Drop the encryption requirements for now

jdsjdk commented 1 year ago

:thumbsup:

jdsjdk commented 1 year ago

I'm getting another error now, and it's in the build phase of this - some sort of ansible error. I will address tomorrow.

jdsjdk commented 1 year ago

Ok, @PenguinzPlays I think I'm just going to switch to a JKS file. I was able to get through all of the issues with Ansible, but it's still not liking the PEM file. I think this is just going to be easier with using a Java Keystore.
🤷‍♂️

jdsjdk commented 1 year ago

Yup, confirmed. This is just going to be easier if I switch to a Java Keystore. lol I'm starting to get annoyed with Java now. smh. :unamused:

jdsjdk commented 1 year ago

So I switched everything over to a java keystore, but I'm still getting similar errors. I will debug tomorrow. Thanks again.

PenguinzPlays commented 1 year ago

Did you ever flip to GCM instead of CBC? That is a bigger deal than you might know....

PenguinzPlays commented 1 year ago

> I'm getting another error now, and it's in the build phase of this - some sort of ansible error. I will address tomorrow.

Pics or it didn't happen :P