Summary
Dremio Single Sign-On (SSO) with OIDC fails due to a certificate trust problem, as indicated by SSLHandshakeException: PKIX path building failed errors in the logs. The error arises before actual authentication, preventing communication with the ID provider over HTTPS.
Reported Issue
After configuring Dremio for Single Sign-On (SSO) using an OpenID Connect (OIDC) identity provider, SSO login fails. The Dremio coordinator application logs (server.log) show the following error:
2025-02-11 18:33:31,473 [qtp1326369820-262] ERROR c.d.j.u.OpenIdConfigurationProvider - Failed to read OpenId config by issuer https://<OIDC-ID-provider-hostname>/oauth2/default javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:366) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:304) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ...
In this error message, <OIDC-ID-provider-hostname> will vary depending on your ID provider's hostname.
Relevant Versions
All supported Dremio software releases.
Troubleshooting Steps
Check the Dremio coordinator application logs (server.log) for the aforementioned error. This error will likely appear before any attempts to authenticate are made. An actual authentication attempt may show a more ambiguous error, like this:
2025-02-10 05:57:09,196 [qtp1050996694-346] ERROR c.d.d.server.GenericExceptionMapper - Unexpected exception when processing GET https://<dremio-hostnam>:9047/apiv2/login/sso/?redirect=%2Flogin%2Fsso%3Fredirect%3D%252F : java.lang.NullPointerException java.lang.NullPointerException: null at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:906) at com.dremio.extusr.oauth.OAuthServiceImpl.getAuthorizationUrl(OAuthServiceImpl.java:493) at com.dremio.extusr.oauth.OAuthServiceImpl.startAuthorization(OAuthServiceImpl.java:174) at com.dremio.extusr.oauth.OAuthServiceImpl.startAuthorization(OAuthServiceImpl.java:159) at com.dremio.dac.resource.EnterpriseSSOResource.start(EnterpriseSSOResource.java:80) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at com.dremio.dac.server.EnterpriseContextualizedResourceMethodInvocationHandlerProvider.lambda$create$0(EnterpriseContextualizedResourceMethodInvocationHandlerProvider.java:55) at com.dremio.context.RequestContext.call(RequestContext.java:121) at com.dremio.dac.server.EnterpriseContextualizedResourceMethodInvocationHandlerProvider.lambda$create$1(EnterpriseContextualizedResourceMethodInvocationHandlerProvider.java:55) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146) ...
Cause
Generally, the ID provider service will be accessed via encrypted (SSL/TLS) endpoints. In the example error, you can see this indicated by the https scheme for the issuer endpoint. Dremio will need a corresponding public key certificate in its trust store to verify the provider host.
Steps to Resolve
Add a public key certificate to the trust store.
The main Dremio service is a Java application, so the default trust store is usually found at $JAVA_HOME/lib/security/cacerts.
Otherwise, a non-default trust store is specified in dremio.conf with the following properties:
javax.net.ssl.trustStoreType: "type" # optional; default: JKS
javax.net.ssl.trustStore: "path/to/truststore/jks/file"
javax.net.ssl.trustStorePassword: "trustStorePassword"
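As an added example (not part of this article or of Dremio's own tooling), the following script ties the troubleshooting and resolution steps together: it scans server.log lines for the PKIX error, extracts the issuer host that Dremio could not verify, works out which trust store Dremio is using from the dremio.conf properties above, and prints the openssl/keytool commands to inspect the issuer's chain and import its CA certificate. The log lines, the dremio.conf fragment, the hostnames and the ca.pem file name are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample server.log lines modelled on the excerpts in this article (fictitious hosts).
SAMPLE_LOG = """\
2025-02-11 18:33:31,473 [qtp1326369820-262] ERROR c.d.j.u.OpenIdConfigurationProvider - Failed to read OpenId config by issuer https://idp.example.com/oauth2/default javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2025-02-11 18:33:40,002 [qtp1326369820-270] INFO  c.d.dac.server.DACDaemon - unrelated line
2025-02-10 05:57:09,196 [qtp1050996694-346] ERROR c.d.d.server.GenericExceptionMapper - Unexpected exception when processing GET https://dremio.example.com:9047/apiv2/login/sso/ : java.lang.NullPointerException
"""

# Constructed dremio.conf fragment using the trust store properties listed above.
SAMPLE_CONF = """\
javax.net.ssl.trustStoreType: "JKS"
javax.net.ssl.trustStore: "/opt/dremio/conf/truststore.jks"
javax.net.ssl.trustStorePassword: "s3cret"
"""

DEFAULT_TRUSTSTORE = "$JAVA_HOME/lib/security/cacerts"  # JVM default when dremio.conf sets nothing
ISSUER_RE = re.compile(r"Failed to read OpenId config by issuer (https?://\S+)")
# Matches only javax.net.ssl.trustStore, not trustStoreType or trustStorePassword.
TRUSTSTORE_RE = re.compile(r'^\s*javax\.net\.ssl\.trustStore\s*:\s*"([^"]*)"', re.M)

def find_untrusted_issuers(log_text):
    """Return [(host, port)] for each OIDC issuer whose TLS handshake failed with a PKIX error."""
    found = []
    for line in log_text.splitlines():
        m = ISSUER_RE.search(line)
        if m and "PKIX path building failed" in line:
            u = urlparse(m.group(1))
            entry = (u.hostname, u.port or 443)  # issuer URLs rarely carry an explicit port
            if entry not in found:
                found.append(entry)
    return found

def resolve_truststore(conf_text):
    """Trust store Dremio actually uses: the dremio.conf override if present, else the JVM default."""
    m = TRUSTSTORE_RE.search(conf_text)
    return m.group(1) if m else DEFAULT_TRUSTSTORE

def fix_commands(host, port, truststore):
    """Shell commands to view the issuer's chain, import its CA cert (saved as ca.pem) and verify."""
    alias = f"oidc-{host}"  # keytool prompts for the store password, so it is never put on the command line
    return [
        f"openssl s_client -connect {host}:{port} -servername {host} -showcerts </dev/null",
        f"keytool -importcert -trustcacerts -alias {alias} -file ca.pem -keystore {truststore}",
        f"keytool -list -keystore {truststore} -alias {alias}",
    ]

if __name__ == "__main__":
    store = resolve_truststore(SAMPLE_CONF)
    for host, port in find_untrusted_issuers(SAMPLE_LOG):
        print(f"Issuer {host}:{port} is not trusted by {store}; to fix:")
        print("\n".join(fix_commands(host, port, store)))
```

Restart the Dremio coordinator after the import so the JVM re-reads the trust store, then re-check server.log for the PKIX error.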
Tips & Tricks
All TLS-enabled services to which Dremio connects as a client will need a corresponding certificate in the trust store. This includes data sources, identity providers for authentication and directory services. For data sources, options to trust any certificate can be added to the source connection configuration instead of adding the certificate to the trust store. The specific options to do this depend on the source type.
Additional Resources
Configuring Dremio for SSO with OpenID Connect identity providers