No Certificate Is Available When PrestoJDBCExample Run on a Node Outside the Cluster

Updated on 2022-09-14 GMT+08:00

View PDF

Question

The presto-examples-1.0-SNAPSHOT-jar-with-dependencies.jar file is running properly on nodes in the cluster. However, no certificate is available when PrestoJDBCExample runs on a node outside the cluster to connect to the cluster with Kerberos authentication enabled, the following error message is displayed:

java.sql.SQLException: Error executing query
        at
com.facebook.presto.jdbc.PrestoStatement.internalExecute(PrestoStatement.java:274)
        at com.facebook.presto.jdbc.PrestoStatement.execute(PrestoStatement.java:227)
        at
com.facebook.presto.jdbc.PrestoStatement.executeQuery(PrestoStatement.java:76)
        at
PrestoJDBCExample.main(PrestoJDBCExample.java:65)
Caused by: java.io.UncheckedIOException:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
        at
com.facebook.presto.jdbc.internal.client.JsonResponse.execute(JsonResponse.java:154)
        at
com.facebook.presto.jdbc.internal.client.StatementClientV1.<init>(StatementClientV1.java:129)
        at
com.facebook.presto.jdbc.internal.client.StatementClientFactory.newStatementClient(StatementClientFactory.java:24)
        at
com.facebook.presto.jdbc.QueryExecutor.startQuery(QueryExecutor.java:46)
        at
com.facebook.presto.jdbc.PrestoConnection.startQuery(PrestoConnection.java:683)
        at
com.facebook.presto.jdbc.PrestoStatement.internalExecute(PrestoStatement.java:239)
        ... 3 more
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
        at
sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at
sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
        at
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
        at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at
sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
        at
sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
        at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
        at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
        at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
        at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:318)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:282)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.connection.RealConnection.connect(RealConnection.java:167)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:257)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:126)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at
com.facebook.presto.jdbc.internal.client.SpnegoHandler.intercept(SpnegoHandler.java:109)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at
com.facebook.presto.jdbc.internal.client.OkHttpUtil.lambda$userAgent$0(OkHttpUtil.java:77)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at
com.facebook.presto.jdbc.internal.okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at
com.facebook.presto.jdbc.internal.okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
        at
com.facebook.presto.jdbc.internal.okhttp3.RealCall.execute(RealCall.java:77)
        at
com.facebook.presto.jdbc.internal.client.JsonResponse.execute(JsonResponse.java:131)
        ... 8 more
Caused by: sun.security.validator.ValidatorException: PKIX
path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
        at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
        at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
        at
sun.security.validator.Validator.validate(Validator.java:260)
        at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
        ... 41 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
        at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
        ... 47 more

Answer

When the HTTPS protocol is used to connect to the security cluster, the server certificate is not authenticated. As a result, the connection fails.

You can replace the cacerts file in the java jdk directory on the current node with the cacerts file (for example, /opt/Bigdata/jdk1.8.0_232/jre/lib/security/cacerts) in the java jdk directory on a node in the cluster.

Parent topic: FAQs

Previous topic: FAQs

Next topic: When a Node Outside a Cluster Is Connected to a Cluster with Kerberos Authentication Enabled, HTTP Cannot Find the Corresponding Record in the Kerberos Database