Alexey Serbin created KUDU-3324:
-----------------------------------
Summary: Check for TLS server certificate and private key
accessibility during startup
Key: KUDU-3324
URL: https://issues.apache.org/jira/browse/KUDU-3324
Project: Kudu
Issue Type: Improvement
Reporter: Alexey Serbin
If the file pointed at by {{\-\-webserver_private_key_file}} isn't accessible,
Kudu embedded webserver reports an error citing the server certificate file
even if the certificate file is accessible. That's misleading because the
actual issue is with the accessing the _private key file_, but the error
message states that the issue is with accessing the _certificate file_. That's
confusing and it renders the error message to be non-actionable.
{noformat}
E1001 10:15:14.810608 10238 webserver.cc:447 Webserver: set_ssl_option: cannot
open /mega/turbo/store/web_server_cert.pem: error:0200100D:system
library:fopen:Permission denied
{noformat}
The actual issue is how the error reported by the OpenSSL library, and since
Kudu relies on the stock system/OS security libraries, fixing the error message
isn't what can be done in Kudu or squeasel webserver itself. However, Kudu
might add a check to similar to gflag validations which are performed during
the startup of Kudu server. It makes sense to add a validator to verify that
the private key file and the server certificate files for the embedded Web
server are readable.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
