英文:
Dataricks - Error setting certificate verify locations even though file exists
问题
我遇到了SSL证书的问题,但我无法理解,我不确定是Databricks的文件系统有问题还是curl/证书的工作方式有问题。
我们的应用程序使用API连接到公司内部资源。为了避免“证书链中的自签名证书”问题,我们通过API调用提供了公司公开托管的.crt文件。该应用程序使用Python编写,但为了将其拆解为curl命令,我们在Databricks中使用以下命令:
如您所见,它报告了证书验证位置的问题。但是,该文件确实存在:
在我的本地PC上,在Ubuntu shell中,完全相同的命令(使用--cacert指定.crt文件位置)完全正常工作 - 所以我有点困在这里。这个错误是否可能由文件不在指定位置之外的其他原因触发?例如防火墙问题?Databricks是否可能以特殊方式处理/tmp/路径?还有什么其他调试这个问题的想法吗?
我在stackoverflow上找到了一些相关的帖子,例如this one,但我已经尝试过将.crt文件移动到不同的文件夹或以sudo方式执行curl,但都没有成功。欢迎任何建议或线索。
英文:
I have an issue with SSL certificates that I cannot wrap my head around, and I am unsure whether it is a problem with Databricks' sometimes confusing file system or with the way curl / certificates works.
Our app uses an API to connect to a company-internal resource. To avoid the well-known "self-signed certificate in certificate chain", we provide the companies publicly-hosted .crt file with the API call. The app is in Python, but to break it down to curl commands, we use the following inside Databricks:
As you can see, this complains about certificate verify locations. However, the file definitely does exist:
On my local PC in an Ubuntu shell, the exact same command (with --cacert providing the .crt file location) works perfectly fine - so I am kind of stuck on what to do here. Can this error be triggered by something else then the file not being in the location? E.g. firewall issues? Does Databricks maybe treat the /tmp/ path in a special way? Any ideas to further debug this?
I found some related threads on stackoverflow, e.g. this one, but I already tried moving the .crt file to a different folder or executing curl as sudo, nothing worked. Happy about any suggestions or leads.
答案1
得分: 1
处理这个问题的最佳方法是使用集群或全局初始化脚本将证书安装到系统链中。唯一的注意事项是,您需要将证书颁发机构的SSL证书放在DBFS上,然后将其引用为本地路径 /dbfs/<path-on-dbfs>,这可能在带有Unity Catalog或DBSQL仓库的共享集群上无法正常工作。
我有一个执行此任务并将CA的SSL证书安装到三个位置的初始化脚本示例:
- Linux系统SSL链
- Java信任库
- 由
certifi包提供的Python的SSL链。
英文:
The best way to handle this is to install the certificate into the system chain(s) using the cluster or global init scripts. The only caveat is that you need to put the SSL certificate of your certificate authority on DBFS, and then refer to it as local path /dbfs/<path-on-dbfs>, and this may not work on shared clusters with Unity Catalog or DBSQL warehouses.
I have an example of init script that performs that task and installs CA's SSL certificate into three locations:
-
Linux system SSL chain
-
Java truststore
-
Python's SSL chain provided by
certifipackage.
答案2
得分: 0
这实际上是我们的防火墙与curl的误导性错误消息以及我们的证书下载脚本奇怪的行为相结合造成的问题。
对于任何遇到这个问题的人来说,重要的教训是,“error setting certificate verify location”可能意味着找不到证书,但也可能意味着证书文件无效。我们曾认为证书文件是有效的,因为我们预期如果找到证书但无效会出现不同的错误消息。
在我们的情况下,证书文件实际上是完全空白的。我们公司在过去的某个时候更改了防火墙规则,意外地阻止了与我们的证书服务器的连接,当我们的脚本尝试上个月重新下载证书时,它实际上创建了一个空文件。正如上面提到的,这导致了一个错误消息,使我们认为文件丢失而不是损坏。
英文:
So as it turns out, this was an issue with our firewall in combination with a misleading error message of curl and a weird behavior of our certificate download script.
The key takeaway for anyone stumbling on this is that error setting certificate verify location CAN mean that the certificate was not found, but it can also mean that the certificate file is not valid - which we assumed it was, since we expected a different error message in case the certificate was found but not valid.
In our case, the certificate file was actually completely empty - our company some time in the past changed some firewall rules, accidentally blocking connection to our certificate server, and when our script attempted to re-download the certificate last month, it instead created an empty file - which, as mentioned above, raised an error message that led us to believe the file was missing instead of corrupt.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论