The configuration you have is set up for Drillbits talking to Drill clients using TLS/SSL. Drillbits access S3 using the HDFS APIs and for that access path you need to configure S3/HDFS to also use TLS/SSL. This configuration is done outside of Drill in your HDFS setup.
A quick search led me to this link for CDH (setup in your Hadoop distribution may vary): https://www.cloudera.com/documentation/enterprise/5-10-x/topics/sg_aws_security.html

HTH.

On Thu, Aug 30, 2018 at 8:06 PM Vedant Naik <naik.ved...@gmail.com> wrote:

> Hi all,
>
> I have an S3 instance I am trying to connect to, that uses self-signed certificates. When querying, I get an "SSLPeerUnverifiedException" (log provided below).
>
> After doing some reading I found: "Your client's truststore doesn't trust your server's certificate. You need to get it exported from the server's keystore and imported into your client's truststore."
> So I got the certificate chain: the root CA and intermediate certificates bundled file (the certificate has been issued against the wildcard entry *.s3instance.ourhostname.com, so it should apply to bucketname.s3instance.ourhostname.com, as the s3a client library expects to communicate).
> Then I followed the steps here:
>
> https://drill.apache.org/docs/configuring-ssl-tls-for-encryption/#configuring-ssl/tls
>
> and updated the drill-override.conf, which now looks like:
>
>     drill.exec: {
>       cluster-id: "drillbits1",
>       zk.connect: "zookeeper-service:2181",
>       ssl: {
>         trustStorePath: "/certif/our_s3instance_cacert_file.crt"
>       }
>     }
>
> I still keep getting SSLPeerUnverifiedException. Am I missing something here? Or am I referring to an incorrect section of the documentation? Please advise.
>
> Thank you,
> Kind regards,
> Vedant
>
> *Error log (omitting seemingly unnecessary lines):*
>
>     [Error Id: 9b9a5de3-7252-443c-9305-9b0b0b3de271 on 3c6cf6857ad2:31010]
>     org.apache.drill.common.exceptions.UserException: SYSTEM ERROR: SSLPeerUnverifiedException: peer not authenticated
>
>     [Error Id: 9b9a5de3-7252-443c-9305-9b0b0b3de271 on 3c6cf6857ad2:31010]
>             at org.apache.drill.common.exceptions.UserException$Builder.build(UserException.java:633) ~[drill-common-1.14.0.jar:1.14.0]
>             at org.apache.drill.exec.work.foreman.Foreman$ForemanResult.close(Foreman.java:761) [drill-java-exec-1.14.0.jar:1.14.0]
>             ...
>     Caused by: org.apache.drill.exec.work.foreman.ForemanException: Unexpected exception during fragment initialization: Unable to execute HTTP request: peer not authenticated
>             at org.apache.drill.exec.work.foreman.Foreman.run(Foreman.java:294) [drill-java-exec-1.14.0.jar:1.14.0]
>             ... 3 common frames omitted
>     Caused by: com.amazonaws.AmazonClientException: Unable to execute HTTP request: peer not authenticated
>             at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:454) ~[aws-java-sdk-1.7.4.jar:na]
>             at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:232) ~[aws-java-sdk-1.7.4.jar:na]
>             at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3528) ~[aws-java-sdk-1.7.4.jar:na]
>             at com.amazonaws.services.s3.AmazonS3Client.headBucket(AmazonS3Client.java:1031) ~[aws-java-sdk-1.7.4.jar:na]
>             at com.amazonaws.services.s3.AmazonS3Client.doesBucketExist(AmazonS3Client.java:994) ~[aws-java-sdk-1.7.4.jar:na]
>             at org.apache.hadoop.fs.s3a.S3AFileSystem.initialize(S3AFileSystem.java:297) ~[hadoop-aws-2.7.1.jar:na]
>             at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:2653) ~[hadoop-common-2.7.1.jar:na]
>             ...
>             at org.apache.drill.exec.work.foreman.Foreman.runSQL(Foreman.java:567) [drill-java-exec-1.14.0.jar:1.14.0]
>             at org.apache.drill.exec.work.foreman.Foreman.run(Foreman.java:266) [drill-java-exec-1.14.0.jar:1.14.0]
>             ... 3 common frames omitted
>     Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>             at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:440) ~[na:1.8.0_181]
>             at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126) ~[httpclient-4.2.5.jar:4.2.5]
>             at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437) ~[httpclient-4.2.5.jar:4.2.5]
>             at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.2.5.jar:4.2.5]
>             at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294) ~[httpclient-4.2.5.jar:4.2.5]
>             at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643) ~[httpclient-4.2.5.jar:4.2.5]
>             at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) ~[httpclient-4.2.5.jar:4.2.5]
>             at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) ~[httpclient-4.2.5.jar:4.2.5]
>             at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) ~[httpclient-4.2.5.jar:4.2.5]
>             at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:384) ~[aws-java-sdk-1.7.4.jar:na]
>             ... 36 common frames omitted
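The thread above points at the real boundary: the ssl.* block in drill-override.conf configures TLS between Drill clients and Drillbits, while the s3a path (AWS SDK over Apache HttpClient, as the stack trace shows) verifies the S3 endpoint against the JVM's own truststore. The script below is an added example written for this page, not code from Apache Drill, Hadoop or the poster. It splits a PEM bundle such as the root CA plus intermediate file mentioned in the question into individual certificates (keytool -importcert takes only the first certificate of a multi-certificate PEM file), imports each into a JKS truststore, and prints the -D properties that point the Drillbit JVM at it. It also checks the wildcard concern raised in the question: a single-label wildcard covers bucketname.s3instance.ourhostname.com but not a bucket name containing dots. Assumptions not stated on the page: a JDK keytool on PATH, DRILL_JAVA_OPTS in conf/drill-env.sh as the place to add JVM flags, and the illustrative paths, aliases and password.

```python
"""Added example (not Drill's or Hadoop's code): build a JKS truststore for the
Drillbit JVM from a PEM CA bundle so the s3a client trusts a self-signed S3
endpoint. Assumed: keytool from a JDK on PATH; DRILL_JAVA_OPTS in
conf/drill-env.sh carries extra -D flags; paths/aliases/password are examples.
"""
from __future__ import annotations

import re
import subprocess
import sys
from pathlib import Path

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample bundle with placeholder bodies (not real certificates),
# in the usual CA-bundle order: intermediate first, root CA last.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIB...intermediate-placeholder...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...root-placeholder...
-----END CERTIFICATE-----
"""


def split_pem_bundle(text: str) -> list[str]:
    """Return every certificate block in a PEM bundle.

    keytool -importcert reads only the first certificate of a PEM file, so
    importing a root+intermediate bundle as one file silently drops the rest
    of the chain and the peer still fails verification.
    """
    return _PEM_CERT.findall(text)


def hostname_matches(cert_name: str, host: str) -> bool:
    """Wildcard rule (RFC 6125) as Java/HttpClient verifiers apply it:
    '*' covers exactly one DNS label, so '*.s3instance.ourhostname.com'
    matches 'bucketname.s3instance.ourhostname.com' (virtual-hosted-style
    s3a requests) but not 'my.bucket.s3instance.ourhostname.com' (a bucket
    name with dots) nor the bare 's3instance.ourhostname.com'."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                       # ".s3instance.ourhostname.com"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def keytool_import_argv(cert_file: Path, alias: str, truststore: Path,
                        password: str) -> list[str]:
    """Command line that adds one CA certificate as a trusted entry."""
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts",
            "-keystore", str(truststore), "-storepass", password,
            "-alias", alias, "-file", str(cert_file)]


def import_bundle(bundle: Path, truststore: Path, password: str,
                  workdir: Path) -> list[str]:
    """Split the bundle and import each certificate under its own alias.

    Assumes the bundle lists the root last; the order is reversed so the
    root goes in first and keytool can chain each intermediate to it.
    Returns the aliases created. Requires keytool on PATH.
    """
    certs = split_pem_bundle(bundle.read_text())
    if not certs:
        raise ValueError(f"no PEM certificates found in {bundle}")
    workdir.mkdir(parents=True, exist_ok=True)
    aliases = []
    for i, pem in enumerate(reversed(certs)):
        alias = f"s3-ca-{i}"
        cert_file = workdir / f"{alias}.pem"
        cert_file.write_text(pem + "\n")
        subprocess.run(keytool_import_argv(cert_file, alias, truststore,
                                           password), check=True)
        aliases.append(alias)
    return aliases


def drillbit_jvm_opts(truststore: Path, password: str) -> str:
    """JVM properties for the Drillbit's *outbound* TLS connections.

    drill-override.conf's ssl.* block only covers client-to-Drillbit TLS;
    the s3a client inside the Drillbit uses the JVM default truststore
    unless javax.net.ssl.trustStore is set (assumed: via DRILL_JAVA_OPTS).
    """
    return (f"-Djavax.net.ssl.trustStore={truststore} "
            f"-Djavax.net.ssl.trustStorePassword={password} "
            "-Djavax.net.ssl.trustStoreType=JKS")


if __name__ == "__main__":
    # usage: import_s3_ca.py our_s3instance_cacert_file.crt s3-truststore.jks changeit
    bundle, store, pw = Path(sys.argv[1]), Path(sys.argv[2]), sys.argv[3]
    print("imported:", import_bundle(bundle, store, pw, Path("/tmp/s3-ca")))
    print("add to DRILL_JAVA_OPTS:", drillbit_jvm_opts(store, pw))
```

Two caveats when using this. Setting javax.net.ssl.trustStore replaces the JVM default store rather than extending it, so if the Drillbit must also reach publicly-signed endpoints, start from a copy of the JDK's cacerts file and import into that copy. And the truststore password protects only the store's integrity (it holds public certificates), but it is still visible in the process command line, so treat the flags as you would any other startup parameter.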