This is an automated email from the ASF dual-hosted git repository.
kirs pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris-website.git
The following commit(s) were added to refs/heads/master by this push:
new c03dfec5289 [Doc] Document BE CA certificate configuration for S3 and
Azure Blob (#3449)
c03dfec5289 is described below
commit c03dfec5289e69a2c84f884bbd10223c2049e2fe
Author: Calvin Kirs <[email protected]>
AuthorDate: Thu Mar 12 14:27:07 2026 +0800
[Doc] Document BE CA certificate configuration for S3 and Azure Blob (#3449)
## Versions
- [ ] dev
- [ ] 4.x
- [ ] 3.x
- [ ] 2.1
## Languages
- [ ] Chinese
- [ ] English
## Docs Checklist
- [ ] Checked by AI
- [ ] Test Cases Built
---
docs/lakehouse/storages/azure-blob.md | 26 +++++++++++++++++++++
docs/lakehouse/storages/s3.md | 26 +++++++++++++++++++++
.../current/lakehouse/storages/azure-blob.md | 27 ++++++++++++++++++++++
.../current/lakehouse/storages/s3.md | 27 +++++++++++++++++++++-
.../version-2.1/lakehouse/storages/azure-blob.md | 27 ++++++++++++++++++++++
.../version-2.1/lakehouse/storages/s3.md | 27 +++++++++++++++++++++-
.../version-3.x/lakehouse/storages/azure-blob.md | 27 ++++++++++++++++++++++
.../version-3.x/lakehouse/storages/s3.md | 27 +++++++++++++++++++++-
.../version-4.x/lakehouse/storages/azure-blob.md | 27 ++++++++++++++++++++++
.../version-4.x/lakehouse/storages/s3.md | 27 +++++++++++++++++++++-
.../version-2.1/lakehouse/storages/azure-blob.md | 26 +++++++++++++++++++++
.../version-2.1/lakehouse/storages/s3.md | 26 +++++++++++++++++++++
.../version-3.x/lakehouse/storages/azure-blob.md | 26 +++++++++++++++++++++
.../version-3.x/lakehouse/storages/s3.md | 26 +++++++++++++++++++++
.../version-4.x/lakehouse/storages/azure-blob.md | 26 +++++++++++++++++++++
.../version-4.x/lakehouse/storages/s3.md | 26 +++++++++++++++++++++
16 files changed, 420 insertions(+), 4 deletions(-)
diff --git a/docs/lakehouse/storages/azure-blob.md
b/docs/lakehouse/storages/azure-blob.md
index ae4fb11f646..7c99095fc0d 100644
--- a/docs/lakehouse/storages/azure-blob.md
+++ b/docs/lakehouse/storages/azure-blob.md
@@ -19,6 +19,32 @@ This document describes the parameters required to access
Microsoft Azure Blob s
**Azure Blob Storage currently does not support ARM architectures.**
+## Configure BE CA Certificate for HTTPS
+
+Starting from Doris 3.1.5 and 4.0.5, you can explicitly configure
`ca_cert_file_paths` in `be.conf` when Doris BE accesses Azure Blob Storage
over HTTPS.
+
+By default, if `ca_cert_file_paths` is not configured, Doris uses the
operating system's default CA certificates. In most environments, you do not
need to set this parameter manually. Configure it in the following cases:
+
+- The BE node is missing system CA certificates, or the installed CA bundle is
too old.
+- The BE node runs in a minimal container or image that does not include the
`ca-certificates` package.
+- The default CA file path on the BE node is invalid, or the Doris process
does not have read permission on the CA file.
+- Your environment uses a self-signed certificate, a private CA, or a
corporate proxy or gateway that re-signs TLS traffic.
+- You encounter errors such as `Problem with the SSL CA cert` or `curl 77:
Problem with the SSL CA cert (path? access rights?)` when accessing Azure Blob
Storage.
+
+Example:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+Common CA bundle paths:
+
+- Debian / Ubuntu: `/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:
`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+Configure this item on every BE node that may access Azure Blob Storage, and
ensure that the certificate file exists and is readable by the Doris process.
After updating `be.conf`, restart the affected BE nodes to apply the change.
+
## Parameter Overview
| Property Name | Former Name | Description
| Default Value | Required |
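Review bot: The `properties` example under "Example:" sets a single path, yet the key is plural (`ca_cert_file_paths`), and the text never says whether several files may be listed, what separates them, or whether the first readable file or all of them are used. Add one sentence on the accepted syntax so operators who need both the system bundle and a private CA file know how to write the value.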
diff --git a/docs/lakehouse/storages/s3.md b/docs/lakehouse/storages/s3.md
index 8705e7709b5..b6ebe56c517 100644
--- a/docs/lakehouse/storages/s3.md
+++ b/docs/lakehouse/storages/s3.md
@@ -17,6 +17,32 @@ This document describes the parameters required for
accessing AWS S3. These para
- Export properties.
- Outfile properties.
+## Configure BE CA Certificate for HTTPS
+
+Starting from Doris 2.1, you can explicitly configure `ca_cert_file_paths` in
`be.conf` when Doris BE accesses S3 over HTTPS.
+
+By default, if `ca_cert_file_paths` is not configured, Doris uses the
operating system's default CA certificates. In most environments, you do not
need to set this parameter manually. Configure it in the following cases:
+
+- The BE node is missing system CA certificates, or the installed CA bundle is
too old.
+- The BE node runs in a minimal container or image that does not include the
`ca-certificates` package.
+- The default CA file path on the BE node is invalid, or the Doris process
does not have read permission on the CA file.
+- Your environment uses a self-signed certificate, a private CA, or a
corporate proxy or gateway that re-signs TLS traffic.
+- You encounter errors such as `Problem with the SSL CA cert` or `curl 77:
Problem with the SSL CA cert (path? access rights?)` when accessing S3.
+
+Example:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+Common CA bundle paths:
+
+- Debian / Ubuntu: `/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:
`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+Configure this item on every BE node that may access S3, and ensure that the
certificate file exists and is readable by the Doris process. After updating
`be.conf`, restart the affected BE nodes to apply the change.
+
## Parameter Overview
| Property Name | Legacy Name | Description
| Default |
Required |
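Review bot: "Starting from Doris 2.1" in the first added paragraph names only a release line, whereas the Azure Blob page in this same commit gives exact patch versions (3.1.5 and 4.0.5). If the option was not present in 2.1.0, name the first 2.1.x release that carries it, so readers on an early 2.1 build can tell whether their BE supports the key.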
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/azure-blob.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/azure-blob.md
index 8ebdf91b84a..fcd600a16b2 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/azure-blob.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/azure-blob.md
@@ -18,6 +18,33 @@
- Backup / Restore 属性
**Azure Blob 存储目前不支持 ARM 架构。**
+
+## 配置 BE 端 HTTPS CA 证书
+
+自 Doris 3.1.5 和 4.0.5 起,当 Doris BE 通过 HTTPS 访问 Azure Blob Storage 时,可以在
`be.conf` 中显式配置 `ca_cert_file_paths`。
+
+默认情况下,如果未配置 `ca_cert_file_paths`,Doris 会使用操作系统默认的 CA
证书。在大多数环境中,不需要手动设置该参数。建议在以下场景中显式配置:
+
+- BE 节点未安装系统 CA 证书,或系统 CA 证书包版本过旧。
+- BE 节点运行在精简容器或镜像中,未包含 `ca-certificates` 包。
+- BE 节点上的默认 CA 文件路径无效,或 Doris 进程没有该 CA 文件的读取权限。
+- 环境中使用了自签名证书、私有 CA,或者会重签 TLS 流量的企业代理或网关。
+- 访问 Azure Blob Storage 时出现 `Problem with the SSL CA cert` 或 `curl 77: Problem
with the SSL CA cert (path? access rights?)` 等错误。
+
+示例:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+常见的系统 CA 文件路径包括:
+
+- Debian / Ubuntu:`/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+需要在所有可能访问 Azure Blob Storage 的 BE 节点上配置该参数,并确保 Doris 进程对证书文件有读取权限。修改 `be.conf`
后,需要重启对应的 BE 节点使配置生效。
+
## 参数总览
| 属性名称 | 曾用名 | 描述
| 默认值 | 是否必须 |
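Review bot: The closing paragraph of the Chinese text (`确保 Doris 进程对证书文件有读取权限`) asks only for read permission, while the English page says the certificate file must exist and be readable by the Doris process. Add the existence check to the Chinese sentence so the two languages give the same instruction; the same wording is repeated in the other zh-CN copies.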
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/s3.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/s3.md
index f7968258697..5ca4c6c3413 100644
--- a/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/s3.md
+++ b/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/s3.md
@@ -17,6 +17,32 @@
- Export 属性。
- Outfile 属性。
+## 配置 BE 端 HTTPS CA 证书
+
+自 Doris 2.1 起,当 Doris BE 通过 HTTPS 访问 S3 时,可以在 `be.conf` 中显式配置
`ca_cert_file_paths`。
+
+默认情况下,如果未配置 `ca_cert_file_paths`,Doris 会使用操作系统默认的 CA
证书。在大多数环境中,不需要手动设置该参数。建议在以下场景中显式配置:
+
+- BE 节点未安装系统 CA 证书,或系统 CA 证书包版本过旧。
+- BE 节点运行在精简容器或镜像中,未包含 `ca-certificates` 包。
+- BE 节点上的默认 CA 文件路径无效,或 Doris 进程没有该 CA 文件的读取权限。
+- 环境中使用了自签名证书、私有 CA,或者会重签 TLS 流量的企业代理或网关。
+- 访问 S3 时出现 `Problem with the SSL CA cert` 或 `curl 77: Problem with the SSL CA
cert (path? access rights?)` 等错误。
+
+示例:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+常见的系统 CA 文件路径包括:
+
+- Debian / Ubuntu:`/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+需要在所有可能访问 S3 的 BE 节点上配置该参数,并确保 Doris 进程对证书文件有读取权限。修改 `be.conf` 后,需要重启对应的 BE
节点使配置生效。
+
## 参数总览
| 属性名称 | 曾用名 | 描述
| 默认值 | 是否必须 |
@@ -236,4 +262,3 @@ Amazon S3 Express One Zone(又名 Directory Bucket)提供更高性能,但
- 如果只做查询,不要授予写权限。
-
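Review bot: The deleted blank line at the end of this file is a whitespace-only change unrelated to the CA certificate section, and it recurs in the version-2.1, version-3.x and version-4.x copies of the zh-CN S3 page. Mention it in the commit message or move it to a separate cleanup commit, so the 4 deletions in the diffstat are explained.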
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/lakehouse/storages/azure-blob.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/lakehouse/storages/azure-blob.md
index 8ebdf91b84a..fcd600a16b2 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/lakehouse/storages/azure-blob.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/lakehouse/storages/azure-blob.md
@@ -18,6 +18,33 @@
- Backup / Restore 属性
**Azure Blob 存储目前不支持 ARM 架构。**
+
+## 配置 BE 端 HTTPS CA 证书
+
+自 Doris 3.1.5 和 4.0.5 起,当 Doris BE 通过 HTTPS 访问 Azure Blob Storage 时,可以在
`be.conf` 中显式配置 `ca_cert_file_paths`。
+
+默认情况下,如果未配置 `ca_cert_file_paths`,Doris 会使用操作系统默认的 CA
证书。在大多数环境中,不需要手动设置该参数。建议在以下场景中显式配置:
+
+- BE 节点未安装系统 CA 证书,或系统 CA 证书包版本过旧。
+- BE 节点运行在精简容器或镜像中,未包含 `ca-certificates` 包。
+- BE 节点上的默认 CA 文件路径无效,或 Doris 进程没有该 CA 文件的读取权限。
+- 环境中使用了自签名证书、私有 CA,或者会重签 TLS 流量的企业代理或网关。
+- 访问 Azure Blob Storage 时出现 `Problem with the SSL CA cert` 或 `curl 77: Problem
with the SSL CA cert (path? access rights?)` 等错误。
+
+示例:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+常见的系统 CA 文件路径包括:
+
+- Debian / Ubuntu:`/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+需要在所有可能访问 Azure Blob Storage 的 BE 节点上配置该参数,并确保 Doris 进程对证书文件有读取权限。修改 `be.conf`
后,需要重启对应的 BE 节点使配置生效。
+
## 参数总览
| 属性名称 | 曾用名 | 描述
| 默认值 | 是否必须 |
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/lakehouse/storages/s3.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/lakehouse/storages/s3.md
index ae560721fb1..9d410751ece 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/lakehouse/storages/s3.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/lakehouse/storages/s3.md
@@ -17,6 +17,32 @@
- Export 属性。
- Outfile 属性。
+## 配置 BE 端 HTTPS CA 证书
+
+自 Doris 2.1 起,当 Doris BE 通过 HTTPS 访问 S3 时,可以在 `be.conf` 中显式配置
`ca_cert_file_paths`。
+
+默认情况下,如果未配置 `ca_cert_file_paths`,Doris 会使用操作系统默认的 CA
证书。在大多数环境中,不需要手动设置该参数。建议在以下场景中显式配置:
+
+- BE 节点未安装系统 CA 证书,或系统 CA 证书包版本过旧。
+- BE 节点运行在精简容器或镜像中,未包含 `ca-certificates` 包。
+- BE 节点上的默认 CA 文件路径无效,或 Doris 进程没有该 CA 文件的读取权限。
+- 环境中使用了自签名证书、私有 CA,或者会重签 TLS 流量的企业代理或网关。
+- 访问 S3 时出现 `Problem with the SSL CA cert` 或 `curl 77: Problem with the SSL CA
cert (path? access rights?)` 等错误。
+
+示例:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+常见的系统 CA 文件路径包括:
+
+- Debian / Ubuntu:`/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+需要在所有可能访问 S3 的 BE 节点上配置该参数,并确保 Doris 进程对证书文件有读取权限。修改 `be.conf` 后,需要重启对应的 BE
节点使配置生效。
+
## 参数总览
| 属性名称 | 曾用名 | 描述
| 默认值 | 是否必须 |
@@ -234,4 +260,3 @@ Amazon S3 Express One Zone(又名 Directory Bucket)提供更高性能,但
- 如果只做查询,不要授予写权限。
-
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/lakehouse/storages/azure-blob.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/lakehouse/storages/azure-blob.md
index 8ebdf91b84a..fcd600a16b2 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/lakehouse/storages/azure-blob.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/lakehouse/storages/azure-blob.md
@@ -18,6 +18,33 @@
- Backup / Restore 属性
**Azure Blob 存储目前不支持 ARM 架构。**
+
+## 配置 BE 端 HTTPS CA 证书
+
+自 Doris 3.1.5 和 4.0.5 起,当 Doris BE 通过 HTTPS 访问 Azure Blob Storage 时,可以在
`be.conf` 中显式配置 `ca_cert_file_paths`。
+
+默认情况下,如果未配置 `ca_cert_file_paths`,Doris 会使用操作系统默认的 CA
证书。在大多数环境中,不需要手动设置该参数。建议在以下场景中显式配置:
+
+- BE 节点未安装系统 CA 证书,或系统 CA 证书包版本过旧。
+- BE 节点运行在精简容器或镜像中,未包含 `ca-certificates` 包。
+- BE 节点上的默认 CA 文件路径无效,或 Doris 进程没有该 CA 文件的读取权限。
+- 环境中使用了自签名证书、私有 CA,或者会重签 TLS 流量的企业代理或网关。
+- 访问 Azure Blob Storage 时出现 `Problem with the SSL CA cert` 或 `curl 77: Problem
with the SSL CA cert (path? access rights?)` 等错误。
+
+示例:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+常见的系统 CA 文件路径包括:
+
+- Debian / Ubuntu:`/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+需要在所有可能访问 Azure Blob Storage 的 BE 节点上配置该参数,并确保 Doris 进程对证书文件有读取权限。修改 `be.conf`
后,需要重启对应的 BE 节点使配置生效。
+
## 参数总览
| 属性名称 | 曾用名 | 描述
| 默认值 | 是否必须 |
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/lakehouse/storages/s3.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/lakehouse/storages/s3.md
index f7968258697..5ca4c6c3413 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/lakehouse/storages/s3.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/lakehouse/storages/s3.md
@@ -17,6 +17,32 @@
- Export 属性。
- Outfile 属性。
+## 配置 BE 端 HTTPS CA 证书
+
+自 Doris 2.1 起,当 Doris BE 通过 HTTPS 访问 S3 时,可以在 `be.conf` 中显式配置
`ca_cert_file_paths`。
+
+默认情况下,如果未配置 `ca_cert_file_paths`,Doris 会使用操作系统默认的 CA
证书。在大多数环境中,不需要手动设置该参数。建议在以下场景中显式配置:
+
+- BE 节点未安装系统 CA 证书,或系统 CA 证书包版本过旧。
+- BE 节点运行在精简容器或镜像中,未包含 `ca-certificates` 包。
+- BE 节点上的默认 CA 文件路径无效,或 Doris 进程没有该 CA 文件的读取权限。
+- 环境中使用了自签名证书、私有 CA,或者会重签 TLS 流量的企业代理或网关。
+- 访问 S3 时出现 `Problem with the SSL CA cert` 或 `curl 77: Problem with the SSL CA
cert (path? access rights?)` 等错误。
+
+示例:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+常见的系统 CA 文件路径包括:
+
+- Debian / Ubuntu:`/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+需要在所有可能访问 S3 的 BE 节点上配置该参数,并确保 Doris 进程对证书文件有读取权限。修改 `be.conf` 后,需要重启对应的 BE
节点使配置生效。
+
## 参数总览
| 属性名称 | 曾用名 | 描述
| 默认值 | 是否必须 |
@@ -236,4 +262,3 @@ Amazon S3 Express One Zone(又名 Directory Bucket)提供更高性能,但
- 如果只做查询,不要授予写权限。
-
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/azure-blob.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/azure-blob.md
index 8ebdf91b84a..fcd600a16b2 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/azure-blob.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/azure-blob.md
@@ -18,6 +18,33 @@
- Backup / Restore 属性
**Azure Blob 存储目前不支持 ARM 架构。**
+
+## 配置 BE 端 HTTPS CA 证书
+
+自 Doris 3.1.5 和 4.0.5 起,当 Doris BE 通过 HTTPS 访问 Azure Blob Storage 时,可以在
`be.conf` 中显式配置 `ca_cert_file_paths`。
+
+默认情况下,如果未配置 `ca_cert_file_paths`,Doris 会使用操作系统默认的 CA
证书。在大多数环境中,不需要手动设置该参数。建议在以下场景中显式配置:
+
+- BE 节点未安装系统 CA 证书,或系统 CA 证书包版本过旧。
+- BE 节点运行在精简容器或镜像中,未包含 `ca-certificates` 包。
+- BE 节点上的默认 CA 文件路径无效,或 Doris 进程没有该 CA 文件的读取权限。
+- 环境中使用了自签名证书、私有 CA,或者会重签 TLS 流量的企业代理或网关。
+- 访问 Azure Blob Storage 时出现 `Problem with the SSL CA cert` 或 `curl 77: Problem
with the SSL CA cert (path? access rights?)` 等错误。
+
+示例:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+常见的系统 CA 文件路径包括:
+
+- Debian / Ubuntu:`/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+需要在所有可能访问 Azure Blob Storage 的 BE 节点上配置该参数,并确保 Doris 进程对证书文件有读取权限。修改 `be.conf`
后,需要重启对应的 BE 节点使配置生效。
+
## 参数总览
| 属性名称 | 曾用名 | 描述
| 默认值 | 是否必须 |
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/s3.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/s3.md
index f7968258697..5ca4c6c3413 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/s3.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/s3.md
@@ -17,6 +17,32 @@
- Export 属性。
- Outfile 属性。
+## 配置 BE 端 HTTPS CA 证书
+
+自 Doris 2.1 起,当 Doris BE 通过 HTTPS 访问 S3 时,可以在 `be.conf` 中显式配置
`ca_cert_file_paths`。
+
+默认情况下,如果未配置 `ca_cert_file_paths`,Doris 会使用操作系统默认的 CA
证书。在大多数环境中,不需要手动设置该参数。建议在以下场景中显式配置:
+
+- BE 节点未安装系统 CA 证书,或系统 CA 证书包版本过旧。
+- BE 节点运行在精简容器或镜像中,未包含 `ca-certificates` 包。
+- BE 节点上的默认 CA 文件路径无效,或 Doris 进程没有该 CA 文件的读取权限。
+- 环境中使用了自签名证书、私有 CA,或者会重签 TLS 流量的企业代理或网关。
+- 访问 S3 时出现 `Problem with the SSL CA cert` 或 `curl 77: Problem with the SSL CA
cert (path? access rights?)` 等错误。
+
+示例:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+常见的系统 CA 文件路径包括:
+
+- Debian / Ubuntu:`/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+需要在所有可能访问 S3 的 BE 节点上配置该参数,并确保 Doris 进程对证书文件有读取权限。修改 `be.conf` 后,需要重启对应的 BE
节点使配置生效。
+
## 参数总览
| 属性名称 | 曾用名 | 描述
| 默认值 | 是否必须 |
@@ -236,4 +262,3 @@ Amazon S3 Express One Zone(又名 Directory Bucket)提供更高性能,但
- 如果只做查询,不要授予写权限。
-
diff --git a/versioned_docs/version-2.1/lakehouse/storages/azure-blob.md
b/versioned_docs/version-2.1/lakehouse/storages/azure-blob.md
index ae4fb11f646..7c99095fc0d 100644
--- a/versioned_docs/version-2.1/lakehouse/storages/azure-blob.md
+++ b/versioned_docs/version-2.1/lakehouse/storages/azure-blob.md
@@ -19,6 +19,32 @@ This document describes the parameters required to access
Microsoft Azure Blob s
**Azure Blob Storage currently does not support ARM architectures.**
+## Configure BE CA Certificate for HTTPS
+
+Starting from Doris 3.1.5 and 4.0.5, you can explicitly configure
`ca_cert_file_paths` in `be.conf` when Doris BE accesses Azure Blob Storage
over HTTPS.
+
+By default, if `ca_cert_file_paths` is not configured, Doris uses the
operating system's default CA certificates. In most environments, you do not
need to set this parameter manually. Configure it in the following cases:
+
+- The BE node is missing system CA certificates, or the installed CA bundle is
too old.
+- The BE node runs in a minimal container or image that does not include the
`ca-certificates` package.
+- The default CA file path on the BE node is invalid, or the Doris process
does not have read permission on the CA file.
+- Your environment uses a self-signed certificate, a private CA, or a
corporate proxy or gateway that re-signs TLS traffic.
+- You encounter errors such as `Problem with the SSL CA cert` or `curl 77:
Problem with the SSL CA cert (path? access rights?)` when accessing Azure Blob
Storage.
+
+Example:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+Common CA bundle paths:
+
+- Debian / Ubuntu: `/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:
`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+Configure this item on every BE node that may access Azure Blob Storage, and
ensure that the certificate file exists and is readable by the Doris process.
After updating `be.conf`, restart the affected BE nodes to apply the change.
+
## Parameter Overview
| Property Name | Former Name | Description
| Default Value | Required |
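Review bot: The first added paragraph says the option is available "Starting from Doris 3.1.5 and 4.0.5", but this file is the version-2.1 copy of the page, so the section describes a setting that, as written, no 2.1 release offers. Either drop the section from the version-2.1 Azure Blob pages (this one and its zh-CN counterpart) or state the 2.1.x release that supports it.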
diff --git a/versioned_docs/version-2.1/lakehouse/storages/s3.md
b/versioned_docs/version-2.1/lakehouse/storages/s3.md
index f4557a36d00..37806d020a5 100644
--- a/versioned_docs/version-2.1/lakehouse/storages/s3.md
+++ b/versioned_docs/version-2.1/lakehouse/storages/s3.md
@@ -17,6 +17,32 @@ This document describes the parameters required for
accessing AWS S3. These para
- Export properties.
- Outfile properties.
+## Configure BE CA Certificate for HTTPS
+
+Starting from Doris 2.1, you can explicitly configure `ca_cert_file_paths` in
`be.conf` when Doris BE accesses S3 over HTTPS.
+
+By default, if `ca_cert_file_paths` is not configured, Doris uses the
operating system's default CA certificates. In most environments, you do not
need to set this parameter manually. Configure it in the following cases:
+
+- The BE node is missing system CA certificates, or the installed CA bundle is
too old.
+- The BE node runs in a minimal container or image that does not include the
`ca-certificates` package.
+- The default CA file path on the BE node is invalid, or the Doris process
does not have read permission on the CA file.
+- Your environment uses a self-signed certificate, a private CA, or a
corporate proxy or gateway that re-signs TLS traffic.
+- You encounter errors such as `Problem with the SSL CA cert` or `curl 77:
Problem with the SSL CA cert (path? access rights?)` when accessing S3.
+
+Example:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+Common CA bundle paths:
+
+- Debian / Ubuntu: `/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:
`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+Configure this item on every BE node that may access S3, and ensure that the
certificate file exists and is readable by the Doris process. After updating
`be.conf`, restart the affected BE nodes to apply the change.
+
## Parameter Overview
| Property Name | Legacy Name | Description
| Default |
Required |
diff --git a/versioned_docs/version-3.x/lakehouse/storages/azure-blob.md
b/versioned_docs/version-3.x/lakehouse/storages/azure-blob.md
index ae4fb11f646..7c99095fc0d 100644
--- a/versioned_docs/version-3.x/lakehouse/storages/azure-blob.md
+++ b/versioned_docs/version-3.x/lakehouse/storages/azure-blob.md
@@ -19,6 +19,32 @@ This document describes the parameters required to access
Microsoft Azure Blob s
**Azure Blob Storage currently does not support ARM architectures.**
+## Configure BE CA Certificate for HTTPS
+
+Starting from Doris 3.1.5 and 4.0.5, you can explicitly configure
`ca_cert_file_paths` in `be.conf` when Doris BE accesses Azure Blob Storage
over HTTPS.
+
+By default, if `ca_cert_file_paths` is not configured, Doris uses the
operating system's default CA certificates. In most environments, you do not
need to set this parameter manually. Configure it in the following cases:
+
+- The BE node is missing system CA certificates, or the installed CA bundle is
too old.
+- The BE node runs in a minimal container or image that does not include the
`ca-certificates` package.
+- The default CA file path on the BE node is invalid, or the Doris process
does not have read permission on the CA file.
+- Your environment uses a self-signed certificate, a private CA, or a
corporate proxy or gateway that re-signs TLS traffic.
+- You encounter errors such as `Problem with the SSL CA cert` or `curl 77:
Problem with the SSL CA cert (path? access rights?)` when accessing Azure Blob
Storage.
+
+Example:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+Common CA bundle paths:
+
+- Debian / Ubuntu: `/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:
`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+Configure this item on every BE node that may access Azure Blob Storage, and
ensure that the certificate file exists and is readable by the Doris process.
After updating `be.conf`, restart the affected BE nodes to apply the change.
+
## Parameter Overview
| Property Name | Former Name | Description
| Default Value | Required |
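Review bot: In "Common CA bundle paths", the CentOS / RockyLinux entry points at `/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`, which on RHEL-family systems is written in OpenSSL's extended `BEGIN TRUSTED CERTIFICATE` format rather than as plain PEM certificates. Please confirm that the BE's HTTPS client loads that format; if it does not, list the plain PEM bundle `/etc/pki/tls/certs/ca-bundle.crt` instead.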
diff --git a/versioned_docs/version-3.x/lakehouse/storages/s3.md
b/versioned_docs/version-3.x/lakehouse/storages/s3.md
index 8705e7709b5..b6ebe56c517 100644
--- a/versioned_docs/version-3.x/lakehouse/storages/s3.md
+++ b/versioned_docs/version-3.x/lakehouse/storages/s3.md
@@ -17,6 +17,32 @@ This document describes the parameters required for
accessing AWS S3. These para
- Export properties.
- Outfile properties.
+## Configure BE CA Certificate for HTTPS
+
+Starting from Doris 2.1, you can explicitly configure `ca_cert_file_paths` in
`be.conf` when Doris BE accesses S3 over HTTPS.
+
+By default, if `ca_cert_file_paths` is not configured, Doris uses the
operating system's default CA certificates. In most environments, you do not
need to set this parameter manually. Configure it in the following cases:
+
+- The BE node is missing system CA certificates, or the installed CA bundle is
too old.
+- The BE node runs in a minimal container or image that does not include the
`ca-certificates` package.
+- The default CA file path on the BE node is invalid, or the Doris process
does not have read permission on the CA file.
+- Your environment uses a self-signed certificate, a private CA, or a
corporate proxy or gateway that re-signs TLS traffic.
+- You encounter errors such as `Problem with the SSL CA cert` or `curl 77:
Problem with the SSL CA cert (path? access rights?)` when accessing S3.
+
+Example:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+Common CA bundle paths:
+
+- Debian / Ubuntu: `/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:
`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+Configure this item on every BE node that may access S3, and ensure that the
certificate file exists and is readable by the Doris process. After updating
`be.conf`, restart the affected BE nodes to apply the change.
+
## Parameter Overview
| Property Name | Legacy Name | Description
| Default |
Required |
diff --git a/versioned_docs/version-4.x/lakehouse/storages/azure-blob.md
b/versioned_docs/version-4.x/lakehouse/storages/azure-blob.md
index ae4fb11f646..7c99095fc0d 100644
--- a/versioned_docs/version-4.x/lakehouse/storages/azure-blob.md
+++ b/versioned_docs/version-4.x/lakehouse/storages/azure-blob.md
@@ -19,6 +19,32 @@ This document describes the parameters required to access
Microsoft Azure Blob s
**Azure Blob Storage currently does not support ARM architectures.**
+## Configure BE CA Certificate for HTTPS
+
+Starting from Doris 3.1.5 and 4.0.5, you can explicitly configure
`ca_cert_file_paths` in `be.conf` when Doris BE accesses Azure Blob Storage
over HTTPS.
+
+By default, if `ca_cert_file_paths` is not configured, Doris uses the
operating system's default CA certificates. In most environments, you do not
need to set this parameter manually. Configure it in the following cases:
+
+- The BE node is missing system CA certificates, or the installed CA bundle is
too old.
+- The BE node runs in a minimal container or image that does not include the
`ca-certificates` package.
+- The default CA file path on the BE node is invalid, or the Doris process
does not have read permission on the CA file.
+- Your environment uses a self-signed certificate, a private CA, or a
corporate proxy or gateway that re-signs TLS traffic.
+- You encounter errors such as `Problem with the SSL CA cert` or `curl 77:
Problem with the SSL CA cert (path? access rights?)` when accessing Azure Blob
Storage.
+
+Example:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+Common CA bundle paths:
+
+- Debian / Ubuntu: `/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:
`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+Configure this item on every BE node that may access Azure Blob Storage, and
ensure that the certificate file exists and is readable by the Doris process.
After updating `be.conf`, restart the affected BE nodes to apply the change.
+
## Parameter Overview
| Property Name | Former Name | Description
| Default Value | Required |
diff --git a/versioned_docs/version-4.x/lakehouse/storages/s3.md
b/versioned_docs/version-4.x/lakehouse/storages/s3.md
index 2abf4b51c03..039b86ca5e8 100644
--- a/versioned_docs/version-4.x/lakehouse/storages/s3.md
+++ b/versioned_docs/version-4.x/lakehouse/storages/s3.md
@@ -17,6 +17,32 @@ This document describes the parameters required for
accessing AWS S3. These para
- Export properties.
- Outfile properties.
+## Configure BE CA Certificate for HTTPS
+
+Starting from Doris 2.1, you can explicitly configure `ca_cert_file_paths` in
`be.conf` when Doris BE accesses S3 over HTTPS.
+
+By default, if `ca_cert_file_paths` is not configured, Doris uses the
operating system's default CA certificates. In most environments, you do not
need to set this parameter manually. Configure it in the following cases:
+
+- The BE node is missing system CA certificates, or the installed CA bundle is
too old.
+- The BE node runs in a minimal container or image that does not include the
`ca-certificates` package.
+- The default CA file path on the BE node is invalid, or the Doris process
does not have read permission on the CA file.
+- Your environment uses a self-signed certificate, a private CA, or a
corporate proxy or gateway that re-signs TLS traffic.
+- You encounter errors such as `Problem with the SSL CA cert` or `curl 77:
Problem with the SSL CA cert (path? access rights?)` when accessing S3.
+
+Example:
+
+```properties
+# be.conf
+ca_cert_file_paths = /etc/ssl/certs/ca-certificates.crt
+```
+
+Common CA bundle paths:
+
+- Debian / Ubuntu: `/etc/ssl/certs/ca-certificates.crt`
+- CentOS / RockyLinux:
`/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
+
+Configure this item on every BE node that may access S3, and ensure that the
certificate file exists and is readable by the Doris process. After updating
`be.conf`, restart the affected BE nodes to apply the change.
+
## Parameter Overview
| Property Name | Legacy Name | Description
| Default |
Required |
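Review bot: The bullet about a self-signed certificate, a private CA, or a proxy that re-signs TLS traffic is not covered by the example, which points at the distribution's stock bundle, and that bundle will not contain such a root. Add a sentence saying the configured file must include the private or proxy root certificate. Since every certificate in that file becomes a trust anchor for the BE's HTTPS access to S3, also recommend that the file be writable only by administrators.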