Summary
When using the dremio-admin backup utility, backups can fail with an "unable to find valid certification path to requested target" error. This typically happens if wire encryption (HTTPS) is enabled and the backup utility, acting as a web client, can't verify the SSL/TLS certificate of the Dremio master coordinator.
Reported Issue
Running the dremio-admin backup utility fails with the following error:
Failed to create backup at /opt/dremio/data/backups: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Relevant Versions
All supported Dremio software releases.
Troubleshooting Steps
The error message should be printed to stderr, but if not, check the Dremio admin log files under dremio.log.path. They are named admin_backup_<run-datetime>.log.
Cause
When run in standard mode, the backup utility is a web client of the Dremio daemon on the master coordinator. If you have enabled wire encryption for your Dremio web service, then, like a web browser, the backup utility will connect via HTTPS, so it requires correctly formed SSL/TLS certificates.
Steps to Resolve
Option 1 - Run the backup in local-attach mode, as the system user that runs the Dremio process. If that user is called dremio_svc_user, the command would look like:
$ sudo -u dremio_svc_user dremio-admin backup -d /tmp/dremio-backup -l
Option 2 - Run the backup in standard mode, but set the accept-all option (-a), which makes the utility trust any SSL certificate without verifying it.
$ dremio-admin backup -d /tmp/dremio-backup -a
Option 3 - Update the trust store to include a certificate with a subject name that includes the local host. The details of how to do this depend on your public key infrastructure.
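A pre-flight check for Option 3, as an added example that is not part of the original article or of Dremio's tooling: before importing a CA certificate into the trust store, confirm that the coordinator's certificate verifies against it and covers the hostname the backup utility connects to. It assumes OpenSSL is installed and that both certificates are available as PEM files; the function name, file names and hostname are illustrative.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for Option 3 (names are illustrative).
# check_cert <server-cert.pem> <ca-cert.pem> <hostname>
#   0 = certificate verifies with the CA file and covers the hostname
#   1 = certificate does not verify (the PKIX path building failure)
#   2 = chain is fine, but the certificate does not cover the hostname
check_cert() {
  local cert="$1" ca="$2" host="$3"

  # Chain check against the CA certificate that will go into the trust store.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca" >&2
    return 1
  fi

  # Name check: -checkhost prints "does match" or "does NOT match".
  if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
      | grep -q 'does match'; then
    echo "FAIL: $cert does not cover hostname $host" >&2
    return 2
  fi

  echo "OK: $cert verifies with $ca and covers $host"
}

# Run as a script: ./check_cert.sh coordinator.pem ca.pem coordinator.example.internal
if [ "$#" -eq 3 ]; then
  check_cert "$@"
fi
```

A return code of 1 corresponds to the failure in the reported stack trace; a return code of 2 points to the subject-name requirement described in Option 3.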