Sailesh Mukil created IMPALA-6806:

             Summary: TLS certificate with Intermediate CA in server cert file 
fails with KRPC
                 Key: IMPALA-6806
             Project: IMPALA
          Issue Type: Bug
          Components: Security
    Affects Versions: Impala 2.12.0
            Reporter: Sailesh Mukil
            Assignee: Sailesh Mukil

Take 2 certificate files: cert.pem and truststore.pem

cert.pem has 2 certificates in it:
A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA)
And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by 

truststore.pem has 1 certificate in it:
A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)

This format of certificates don't seem to verify on the OpenSSL command line 
but works with Thrift. This also doesn't work with KRPC.

Workaround for this issue w/ KRPC turned on:
If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into 
truststore.pem, then this seems to work.

We'll need to dig into whether this is a PEM file format issue, or a KRPC 
issue. But the above workaround should unblock us for now.

This message was sent by Atlassian JIRA

Reply via email to