justineyster opened a new issue, #20960:
URL: https://github.com/apache/superset/issues/20960
My team is using Trino behind a company firewall and connecting to it using
Superset. When we first set this up, we had some issues getting Superset to
trust the SSL certificate used to access Trino through the firewall, and we
fixed these issues by taking the following two steps:
1) Moved the certificate to `/etc/pki/ca-trust/source/anchors/cert.pem` and
ran `update-ca-trust` during our Docker image build.
2) Added the following to the `secure_extra` section of our database
connection settings in the Superset UI:
```
{
  "connect_args": {
    "verify": "/etc/pki/ca-trust/source/anchors/cert.pem"
  }
}
```
These steps fixed the issue for several months, but now we're once again
seeing the following error:
```
Error: HTTPSConnectionPool(host='trino.host.name', port=443): Max retries exceeded with url: /v1/statement (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))
```
The certificate gets pulled every time we deploy the image, so it is
definitely still valid. A former team member used the following command from
inside a Superset worker pod to test the certificate:
```
curl https://trino.host.name/v1/info
```
This should throw an error message if there is a problem with the SSL
certificate; however, the output is:
```
{"nodeVersion":{"version":"390"},"environment":"production","coordinator":true,"starting":false,"uptime":"22.65h"}
```
I am wondering if anything has changed on the Superset side that is
interfering with our ability to make this connection. Note that we recently
upgraded from Superset version 1.4.1 to 1.5.1, if that helps. We haven't
upgraded to 2.0.0 yet due to breaking changes. Any hints or debugging tips
would be helpful, as I am quite stuck with debugging this on my own.
#### How to reproduce the bug
1. Connect to Trino from Superset using an SSL certificate as described
above.
### Expected results
Connection is successful.
### Actual results
SSL error.
#### Screenshots
N/A
### Environment
- browser type and version: Chrome
- superset version: `1.5.1`
- python version: `3.9.7`
- node.js version: `14.18.2`
- any feature flags active:
### Checklist
Make sure to follow these steps before submitting your issue - thank you!
- [x] I have checked the superset logs for python stacktraces and included
it here as text if there are any.
- [ ] I have reproduced the issue with at least the latest released version
of superset.
- [x] I have checked the issue tracker for the same issue and I haven't
found one similar.
### Additional context
Python stack trace:
```
Traceback (most recent call last):
  File "/opt/app-root/lib64/python3.9/site-packages/superset/connectors/sqla/models.py", line 1725, in query
    df = self.database.get_df(sql, self.schema, mutator=assign_column_label)
  File "/opt/app-root/lib64/python3.9/site-packages/superset/models/core.py", line 439, in get_df
    with closing(engine.raw_connection()) as conn:
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/engine/base.py", line 2369, in raw_connection
    return self._wrap_pool_connect(
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/engine/base.py", line 2336, in _wrap_pool_connect
    return fn()
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/pool/base.py", line 304, in unique_connection
    return _ConnectionFairy._checkout(self)
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/pool/base.py", line 778, in _checkout
    fairy = _ConnectionRecord.checkout(pool)
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/pool/base.py", line 495, in checkout
    rec = pool._do_get()
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/pool/impl.py", line 241, in _do_get
    return self._create_connection()
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/pool/base.py", line 309, in _create_connection
    return _ConnectionRecord(self)
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/pool/base.py", line 440, in __init__
    self.__connect(first_connect_check=True)
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/pool/base.py", line 664, in __connect
    pool.dispatch.first_connect.for_modify(
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/event/attr.py", line 314, in exec_once_unless_exception
    self._exec_once_impl(True, *args, **kw)
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/event/attr.py", line 285, in _exec_once_impl
    self(*args, **kw)
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/event/attr.py", line 322, in __call__
    fn(*args, **kw)
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/util/langhelpers.py", line 1406, in go
    return once_fn(*arg, **kw)
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/engine/strategies.py", line 199, in first_connect
    dialect.initialize(c)
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/engine/default.py", line 311, in initialize
    self.server_version_info = self._get_server_version_info(
  File "/opt/app-root/lib64/python3.9/site-packages/trino/sqlalchemy/dialect.py", line 319, in _get_server_version_info
    res = connection.execute(sql.text(query))
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/engine/base.py", line 1011, in execute
    return meth(self, multiparams, params)
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/sql/elements.py", line 298, in _execute_on_connection
    return connection._execute_clauseelement(self, multiparams, params)
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/engine/base.py", line 1124, in _execute_clauseelement
    ret = self._execute_context(
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/engine/base.py", line 1316, in _execute_context
    self._handle_dbapi_exception(
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/engine/base.py", line 1514, in _handle_dbapi_exception
    util.raise_(exc_info[1], with_traceback=exc_info[2])
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/util/compat.py", line 182, in raise_
    raise exception
  File "/opt/app-root/lib64/python3.9/site-packages/sqlalchemy/engine/base.py", line 1276, in _execute_context
    self.dialect.do_execute(
  File "/opt/app-root/lib64/python3.9/site-packages/trino/sqlalchemy/dialect.py", line 333, in do_execute
    cursor.execute(statement, parameters)
  File "/opt/app-root/lib64/python3.9/site-packages/trino/dbapi.py", line 484, in execute
    result = self._query.execute()
  File "/opt/app-root/lib64/python3.9/site-packages/trino/client.py", line 770, in execute
    response = self._request.post(self._sql, additional_http_headers)
  File "/opt/app-root/lib64/python3.9/site-packages/trino/client.py", line 468, in post
    http_response = self._post(
  File "/opt/app-root/lib64/python3.9/site-packages/trino/client.py", line 854, in decorated
    raise error
  File "/opt/app-root/lib64/python3.9/site-packages/trino/client.py", line 841, in decorated
    result = func(*args, **kwargs)
  File "/opt/app-root/lib64/python3.9/site-packages/requests/sessions.py", line 635, in post
    return self.request("POST", url, data=data, json=json, **kwargs)
  File "/opt/app-root/lib64/python3.9/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/app-root/lib64/python3.9/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/opt/app-root/lib64/python3.9/site-packages/requests/adapters.py", line 563, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='insights-trino.whitewater.ibm.com', port=443): Max retries exceeded with url: /v1/statement (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
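An added diagnostic example, not part of the original report or of Superset: it performs the TLS handshake from Python once against the default trust store and once against only the file passed as `verify`, so the two results can be compared with the `curl` check in the report. The function names `probe` and `compare` are hypothetical; the host name and certificate path are the ones quoted in the report.

```python
import os
import socket
import ssl


def probe(host, port=443, cafile=None, timeout=5.0):
    """One verified TLS handshake; cafile=None means the OpenSSL default store."""
    label = cafile or "system default store"
    if cafile is not None and not os.path.isfile(cafile):
        return {"trust": label, "ok": False, "error": "cafile: not found in this container"}
    try:
        # With cafile set, ONLY that file is trusted (the default store is not
        # loaded), which matches how a `verify` path is treated by requests.
        ctx = ssl.create_default_context(cafile=cafile)
    except ssl.SSLError as exc:
        return {"trust": label, "ok": False, "error": f"cafile: cannot load ({exc})"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return {"trust": label, "ok": True, "error": None}
    except ssl.SSLCertVerificationError as exc:
        # Same failure class as the CERTIFICATE_VERIFY_FAILED in the traceback.
        return {"trust": label, "ok": False, "error": f"verify: {exc.verify_message}"}
    except OSError as exc:
        # DNS failure, refused connection, timeout, or a non-certificate TLS error.
        return {"trust": label, "ok": False, "error": f"connect: {exc}"}


def compare(host, cafile, port=443):
    """Probe with the default store, the `verify` file, and any CA env overrides."""
    sources = [None, cafile]
    # CA-bundle environment variables, if set in the pod, are probed as well.
    for var in ("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE"):
        if os.environ.get(var):
            sources.append(os.environ[var])
    return [probe(host, port, src) for src in sources]


if __name__ == "__main__":
    # Host and path as quoted in the report.
    for result in compare("trino.host.name", "/etc/pki/ca-trust/source/anchors/cert.pem"):
        print(result)
```

Run it inside the same worker pod as the `curl` test; a `verify:` error for only one trust source shows which CA set rejects the chain the server presents.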