The docs for TLS need some clarification on how to connect to Trino in cases where your load balancer is also doing mTLS termination. A conversation with @dain through the Trino Slack showed that the keystore is really sensitive to the ordering of the keys, and we also discovered that the CA certs must be individually imported if you have a long chain of CAs. In another example we noticed that you can also use a PEM cert of your client cert+key as the keystore, and the chain of CAs as the truststore.
The error that I often saw was:

```
$ ./trino --server https://example-trino-server.com/ --keystore-path=keystore.jks --keystore-password=admin --user=admin --password
Password:
trino> show tables;
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```
I will open a PR shortly that resolves this part in the docs.
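An added example, not part of the original issue or the Trino docs: one way to do the per-certificate import the issue describes, by splitting a PEM bundle of CAs and adding each certificate to a truststore under its own alias. The file names, the `ca-NN` aliases and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: paths, aliases and function names are assumptions, not Trino's.

# Split a PEM bundle into one file per certificate (ca-01.pem, ca-02.pem, ...).
# Lines outside BEGIN/END markers (e.g. "subject=" annotations) are dropped.
# Prints the number of certificates written.
split_pem_chain() {
    local bundle="$1" outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Import every split certificate as its own trusted entry with a unique alias.
import_chain() {
    local certdir="$1" truststore="$2" storepass="$3" pem alias
    for pem in "$certdir"/ca-*.pem; do
        [ -e "$pem" ] || { echo "no certificates in $certdir" >&2; return 1; }
        alias="$(basename "$pem" .pem)"
        keytool -importcert -noprompt -trustcacerts \
            -alias "$alias" -file "$pem" \
            -keystore "$truststore" -storepass "$storepass" || return 1
    done
    # List the entries so the count can be compared with the split count.
    keytool -list -keystore "$truststore" -storepass "$storepass"
}

# Typical use (not executed here):
#   split_pem_chain ca-chain.pem ./ca-split
#   import_chain ./ca-split truststore.jks "$TRUSTSTORE_PASSWORD"
```

If the entry count printed by `keytool -list` is lower than the number returned by `split_pem_chain`, part of the chain is missing from the truststore.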