Overview
If the auto-generated self-signed SSL certs are used in Dremio, then the user should be aware of which files to remove to get Dremio to renew them.
Relevant Versions
All versions of Dremio
Details
Dremio will generate self-signed certificates if you set the auto-certificate.enabled parameter to true in the dremio.conf file.
For example:
services.conduit.auto-certificate.enabled: true
services.fabric.auto-certificate.enabled: true
By default, these are only valid for a year. If a user wishes to re-generate these auto-generated certificates, then deleting the wrong file may cause the following exceptions, both of which will prevent Dremio from starting.
In the case of the certs file missing:
2022-10-06 15:47:33,995 [main] WARN c.d.exec.rpc.ssl.SSLConfigurator - *** Using generated self-signed SSL settings for server ('conduit' component) ***
Using auto-generated certificates is not secure. Please consider switching to your own certificates.
2022-10-06 15:47:34,002 [main] ERROR ROOT - Dremio is exiting. Failure while starting services.
java.lang.IllegalStateException: null
at com.google.common.base.Preconditions.checkState(Preconditions.java:486)
at com.dremio.exec.rpc.ssl.SSLConfigurator.moveTrustStoreIfNecessary(SSLConfigurator.java:196)
at com.dremio.exec.rpc.ssl.SSLConfigurator.configureUsingPreviouslyGeneratedStores(SSLConfigurator.java:172)
at com.dremio.exec.rpc.ssl.SSLConfigurator.getSSLConfig(SSLConfigurator.java:134)
at com.dremio.dac.daemon.DACDaemonModule.build(DACDaemonModule.java:476)
at com.dremio.dac.daemon.EnterpriseDACDaemonModule.build(EnterpriseDACDaemonModule.java:293)
at com.dremio.dac.daemon.DACDaemon.<init>(DACDaemon.java:186)
at com.dremio.dac.daemon.DACDaemon.newDremioDaemon(DACDaemon.java:313)
at com.dremio.dac.daemon.DACDaemon.newDremioDaemon(DACDaemon.java:321)
at com.dremio.dac.daemon.DremioDaemon.main(DremioDaemon.java:103)
In the case of the security/keystore file missing:
2022-10-07 09:09:45,276 [main] WARN c.d.exec.rpc.ssl.SSLConfigurator - *** Using generated self-signed SSL settings for server ('conduit' component) ***
Using auto-generated certificates is not secure. Please consider switching to your own certificates.
2022-10-07 09:09:45,279 [main] INFO c.d.exec.rpc.ssl.SSLConfigurator - No previous keystore detected, creating certificate. This operation might take time...
2022-10-07 09:09:46,082 [main] INFO c.d.exec.rpc.ssl.SSLConfigurator - Certificate created (SHA-256 fingerprint: 69:65:5F:2C:07:49:34:0E:76:A9:0B:83:22:48:1B:99:5B:48:00:DE:62:2B:26:5C:FD:A5:98:6A:0B:34:45:5B)
2022-10-07 09:09:46,092 [main] ERROR ROOT - Dremio is exiting. Failure while starting services.
java.lang.RuntimeException: java.nio.file.FileAlreadyExistsException: /Users/mc/dremio/dremio-enterprise-21.4.1-202208161215090222-a8f1d847/data/certs
at com.dremio.dac.daemon.DACDaemonModule.build(DACDaemonModule.java:479)
at com.dremio.dac.daemon.EnterpriseDACDaemonModule.build(EnterpriseDACDaemonModule.java:293)
at com.dremio.dac.daemon.DACDaemon.<init>(DACDaemon.java:186)
at com.dremio.dac.daemon.DACDaemon.newDremioDaemon(DACDaemon.java:313)
at com.dremio.dac.daemon.DACDaemon.newDremioDaemon(DACDaemon.java:321)
at com.dremio.dac.daemon.DremioDaemon.main(DremioDaemon.java:103)
Caused by: java.nio.file.FileAlreadyExistsException: /Users/mc/dremio/dremio-enterprise-21.4.1-202208161215090222-a8f1d847/data/certs
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:88)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
at java.nio.file.spi.FileSystemProvider.newOutputStream(FileSystemProvider.java:434)
at java.nio.file.Files.newOutputStream(Files.java:216)
at com.dremio.exec.rpc.ssl.SSLConfigurator.generateCertificatesAndConfigure(SSLConfigurator.java:317)
at com.dremio.exec.rpc.ssl.SSLConfigurator.getSSLConfig(SSLConfigurator.java:137)
at com.dremio.dac.daemon.DACDaemonModule.build(DACDaemonModule.java:476)
... 5 common frames omitted
Cause
When using auto-generated certificates, Dremio will create two files:
<DREMIO HOME>/data/security/keystore
<DREMIO HOME>/data/certs
Dremio will check for the presence of both files but fail if only one is present.
Workaround
The user must delete both files and restart the Dremio service.
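One way to script this workaround, as an added example rather than Dremio's own tooling: it reports which of the two files exists, names the startup exception that state leads to in the logs above, and removes both. It assumes Dremio is stopped and that the data directory sits at <DREMIO HOME>/data as in the paths above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Dremio code). Assumes Dremio is stopped and that the
# data directory is at <DREMIO HOME>/data, as in the paths shown on this page.

# Print which of the two auto-generated files exist under a Dremio home.
autocert_state() {
    ks="$1/data/security/keystore"
    certs="$1/data/certs"
    if [ -e "$ks" ] && [ -e "$certs" ]; then echo both
    elif [ -e "$ks" ]; then echo certs-missing
    elif [ -e "$certs" ]; then echo keystore-missing
    else echo none
    fi
}

# Explain the state, then remove both files so the next start regenerates them.
reset_autocerts() {
    case $(autocert_state "$1") in
        none)
            echo "no auto-generated files; nothing to remove"
            return 0 ;;
        certs-missing)
            echo "only keystore present: startup fails with IllegalStateException" >&2 ;;
        keystore-missing)
            echo "only certs present: startup fails with FileAlreadyExistsException" >&2 ;;
        both)
            echo "both files present: removing the pair" ;;
    esac
    rm -f -- "$1/data/security/keystore" "$1/data/certs"
    # Succeed only if the pair is really gone.
    [ "$(autocert_state "$1")" = none ]
}

# Demo on a constructed directory tree (not a real installation).
demo_home=$(mktemp -d)
mkdir -p "$demo_home/data/security"
: > "$demo_home/data/security/keystore"      # simulate a deleted certs file
echo "before: $(autocert_state "$demo_home")"
reset_autocerts "$demo_home"
echo "after:  $(autocert_state "$demo_home")"
rm -rf "$demo_home"
```

Against a real installation, call reset_autocerts with the Dremio home directory in place of the demo tree, then restart the service.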
Solution
Using self-signed certificates is not generally recommended for a production system. SSL artifacts should be signed by a CSA, controlled, and renewed as part of the customer's own security procedures. The auto-generated self-signed certificates are only intended for testing and ease of use.