trinodb / trino-gateway

https://trinodb.github.io/trino-gateway/
Apache License 2.0

Trino Gateway unable to connect to trino cluster with self signed certificate #344

Closed Nexengineer closed 1 month ago

Nexengineer commented 1 month ago

Hi,

I am running a Trino cluster in k8s. It has a self-signed certificate, and whenever I add a backend I get the error below. Please point me in the right direction for a fix.

curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

If I try to curl my Trino cluster from the Trino Gateway pod, curl https://mytrino.com/v1/info fails, but curl -k https://mytrino.com/v1/info returns 200 OK.

Is there a way to control curl -k via config?

Thanks. Any help is appreciated.

avinashdesireddy commented 1 month ago

@Nexengineer One option I can think of is adding the self-signed certificate CA to the default Java keystore (JAVA_HOME/jre/lib/security/cacerts) or to the system truststore in the pod.

Nexengineer commented 1 month ago

@avinashdesireddy I was able to resolve it by creating a custom image; details are attached below.

FROM trinodb/trino-gateway:8

RUN mkdir -p /etc/pki/ca-trust/extracted/pem/ && \
    mkdir -p /etc/pki/ca-trust/extracted/openssl/

USER root

RUN mkdir -p /tmp/certs
WORKDIR /tmp/app
COPY ca.pem /tmp/app/ca.pem

# For health checks using curl: append the CA to the system PEM bundles
RUN cat /tmp/app/ca.pem >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
RUN cat /tmp/app/ca.pem >> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

# For calling the actual environment: import the CA into the JVM truststore
# so the gateway's Java HTTP client trusts the backend
COPY ca.cer $JAVA_HOME/lib/security
RUN \
    cd $JAVA_HOME/lib/security \
    && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ldapcert -file ca.cer
# Note: no USER directive follows, so the gateway process keeps running as root

Is there a better way?
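As an added example (not code from the thread or the trino-gateway project), this makes the PEM-bundle step from the Dockerfile above idempotent: `cat ca.pem >> tls-ca-bundle.pem` stacks a duplicate copy every time the layer is rebuilt or re-run, whereas comparing the SHA-256 fingerprint of the DER bytes lets you append only when the CA is genuinely missing. The sample certificate payload is constructed (arbitrary bytes in a PEM envelope), not a real certificate; `pem_fingerprints` and `ensure_ca_in_bundle` are names chosen here.

```python
"""Idempotent CA append for a PEM bundle, keyed on SHA-256 fingerprint."""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(bundle_text: str) -> list[str]:
    """SHA-256 fingerprints (hex) of every certificate in a PEM bundle.

    The hash is taken over the decoded DER bytes, so differences in
    line-wrapping or indentation of the base64 text do not matter.
    """
    fps = []
    for m in PEM_RE.finditer(bundle_text):
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def ensure_ca_in_bundle(bundle_text: str, ca_pem: str) -> tuple[str, bool]:
    """Return (new_bundle_text, added).

    Appends ca_pem only if its fingerprint is not already present, so
    repeated image builds do not accumulate duplicate CA entries.
    """
    ca_fps = pem_fingerprints(ca_pem)
    if len(ca_fps) != 1:
        raise ValueError("ca_pem must contain exactly one certificate")
    if ca_fps[0] in pem_fingerprints(bundle_text):
        return bundle_text, False
    sep = "" if not bundle_text or bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + ca_pem.strip() + "\n", True


# Constructed sample: the base64 payload is arbitrary bytes, NOT a real
# certificate; the logic above only needs a well-formed PEM envelope.
SAMPLE_CA = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-internal-ca-der-bytes").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    bundle, added = ensure_ca_in_bundle("", SAMPLE_CA)
    bundle, added_again = ensure_ca_in_bundle(bundle, SAMPLE_CA)
    print(f"first append: {added}, second append: {added_again}")
    print("certificates in bundle:", len(pem_fingerprints(bundle)))
```

The Java side does not have the same problem: `keytool -importcert -noprompt` refuses to import when the alias already exists, so a rebuilt layer fails loudly instead of duplicating the entry.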