[ https://issues.apache.org/jira/browse/FLINK-9103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Till Rohrmann resolved FLINK-9103.
----------------------------------
       Resolution: Fixed
    Fix Version/s: 1.4.3
                   1.5.0

Fixed via
master: ffb03821ff118b0949d7d42d6b67312ee8732c2b
1.5.0: 688630c6432dd3318936613a3f657f7de475fce7
1.4.3: e76b10d07c657bcf3250ca08b5649c6a242bb01f

> SSL verification on TaskManager when parallelism > 1
> ----------------------------------------------------
>
>                 Key: FLINK-9103
>                 URL: https://issues.apache.org/jira/browse/FLINK-9103
>             Project: Flink
>          Issue Type: Bug
>          Components: Docker, Network, Security
>    Affects Versions: 1.4.0
>            Reporter: Edward Rojas
>            Assignee: Edward Rojas
>            Priority: Major
>             Fix For: 1.5.0, 1.4.3
>
>         Attachments: job.log, task0.log
>
>
> In dynamic environments like Kubernetes, the SSL certificates can be
> generated to use only the DNS addresses for validation of the identity of
> servers, given that the IP can change eventually.
>
> In these cases, when executing Jobs with Parallelism set to 1, the SSL
> validations are good and the Jobmanager can communicate with Task manager and
> vice versa.
>
> But with parallelism set to more than 1, SSL validation fails when Task
> Managers communicate with each other, as it seems to try to validate against
> the IP address:
>
> Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 172.xx.xxx.xxx found
>     at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
>     at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
>     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
>     ... 21 more
>
> From the logs, it seems the task managers successfully register their full
> address with Netty, but the IP is still used.
>
> Attached pertinent logs from JobManager and a TaskManager.
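
The exception in the report comes from the rule that an IP literal is compared only with iPAddress SAN entries, never with dNSName entries. The following Python model of that rule is an added example, not part of the original message and not Flink or JDK code; the SAN names, the address 192.0.2.10 and the function names are constructed, and wildcard handling is simplified to a whole left-most label.

```python
import ipaddress

# Constructed sample: SAN list of a certificate issued with DNS names only,
# as in the Kubernetes setup the report describes (names are hypothetical).
SAMPLE_SANS = [
    ("DNS", "*.flink-taskmanager.example.svc"),
    ("DNS", "flink-jobmanager.example.svc"),
]


def _dns_match(pattern, host):
    """Match one dNSName entry; '*' covers exactly the left-most label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_identity(peer, sans):
    """Return (ok, reason) for verifying `peer` against a SAN list.

    Models the split visible in the stack trace (matchIP vs. name matching):
    an IP literal is checked only against iPAddress entries, a host name
    only against dNSName entries.
    """
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    if ip is not None:
        for kind, value in sans:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, "iPAddress SAN matches"
        return False, f"No subject alternative names matching IP address {peer} found"
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, peer):
            return True, f"dNSName SAN {value} matches"
    return False, f"No subject alternative DNS name matching {peer} found"


if __name__ == "__main__":
    for peer in ("tm-1.flink-taskmanager.example.svc", "192.0.2.10"):
        print(peer, "->", check_identity(peer, SAMPLE_SANS))
```

Running the check against the address a client actually dials shows whether a DNS-only certificate can ever pass: with the sample SAN list, every connection made by IP fails regardless of which names the certificate carries.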