Unable to connect Superset to Trino with LDAP enabled.
CollinKendor opened this issue · 22 comments
Hi,
We have a Trino instance with LDAP and HTTPS enabled but we can't seem to get Superset to connect with our Trino instance.
What we did:
- Install sqlalchemy-trino into Python Virtual Machine: pip install sqlalchemy-trino
- Launch Superset and add a new database using the following connection string: trino://:@192.168.X.X:443/postgresql/public
The error message we keep getting in the log is as follows:
[2021-02-25 20:00:00 +0800] [240613] [WARNING] Error sending message to statsd
Traceback (most recent call last):
File "/root/superset_env/env/lib/python3.8/site-packages/gunicorn/instrument/statsd.py", line 127, in _sock_send
self.sock.send(msg)
ConnectionRefusedError: [Errno 111] Connection refused
We confirmed the following:
- Username and password we use is able to log in to Trino.
- Port 443 is open in Superset server to Trino server.
We can't find much documentation online for this issue.
Hello @CollinKendor
Your error message has very little information (only Connection refused). In order for me to figure out what happened, could you run this code in your environment:
~$ python
>>> from sqlalchemy import create_engine
>>> from sqlalchemy.sql import text
>>> engine = create_engine('trino://<user>:<pass>@192.168.X.X:443/postgresql/public')
>>> conn = engine.connect()
>>> res = conn.execute(text("SHOW SCHEMAS")).fetchall()
>>> print(res)
Hi @dungdm93 ,
Sorry wasn't too familiar with sqlalchemy in general so was not sure how to get the stacktrace. Below is the error after the engine.connect() line:
It seems like the SSL cert can't be verified.
This is without LDAP and HTTPS:
[root@superset ~]# python
Python 3.8.7 (default, Feb 11 2021, 01:37:18)
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from sqlalchemy import create_engine
>>> from sqlalchemy.sql import text
>>> engine = create_engine('trino://<username>@192.168.X.X:8080/postgresql/public')
>>> conn = engine.connect()
>>> res = conn.execute(text("SHOW SCHEMAS")).fetchall()
>>> print(res)
[('information_schema',), ('pg_catalog',), ('public',)]
>>>
You could add a self-signed CA to your system:
- Debian/Ubuntu:
  - Copy your CA to /usr/local/share/ca-certificates/
  - sudo update-ca-certificates
- CentOS 6+:
  - Enable the dynamic CA configuration feature: sudo update-ca-trust force-enable
  - Copy your CA to /etc/pki/ca-trust/source/anchors/
  - sudo update-ca-trust extract
Hi @dungdm93 ,
Trino uses Java Keystore for HTTPS as stated in their documentation: Java Keystore and Truststore.
So I don't have a CA to copy over to my Superset server. Just a .jks file.
@CollinKendor another way trino://<user>:<pass>@192.168.X.X:443/postgresql/public?verify=/path/to/your/ca.crt
@CollinKendor Yeah, I know. .jks is specific to Java.
In order for other systems to work, you need to convert your CA into PEM format, and add it to the Superset nodes as well.
@CollinKendor As far as I know, Trino also supports Keystore in PEM format
ok I tried the following:
- Convert jks to pem using the following steps: Convert jks to pem
- Then I tried connecting again with the following connection string:
trino://<user>:<pass>@192.168.X.X:443/postgresql/public?verify=/superset/path/cert/keystore.pem
- I get the following error:
[root@superset ~]# python
Python 3.8.7 (default, Feb 11 2021, 01:37:18)
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from sqlalchemy import create_engine
>>> from sqlalchemy.sql import text
>>> engine = create_engine('trino://<user>:<pass>@192.168.X.X:443/postgresql/public?verify=/superset/path/cert/keystore.pem')
>>> conn = engine.connect()
/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 192.168.X.X has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 192.168.X.X has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 192.168.X.X has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
Traceback (most recent call last):
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
self._validate_conn(conn)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
conn.connect()
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/urllib3/connection.py", line 464, in connect
_match_hostname(cert, self.assert_hostname or server_hostname)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/urllib3/connection.py", line 508, in _match_hostname
match_hostname(cert, asserted_hostname)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/ssl.py", line 420, in match_hostname
raise CertificateError("hostname %r "
ssl.SSLCertVerificationError: ("hostname '192.168.X.X' doesn't match 'KewMann'",)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/urllib3/connectionpool.py", line 755, in urlopen
retries = retries.increment(
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/urllib3/util/retry.py", line 573, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='192.168.X.X', port=443): Max retries exceeded with url: /v1/statement (Caused by SSLError(SSLCertVerificationError("hostname '192.168.X.X' doesn't match 'KewMann'")))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 2263, in connect
return self._connection_cls(self, **kwargs)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 104, in __init__
else engine.raw_connection()
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 2369, in raw_connection
return self._wrap_pool_connect(
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 2336, in _wrap_pool_connect
return fn()
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 304, in unique_connection
return _ConnectionFairy._checkout(self)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 778, in _checkout
fairy = _ConnectionRecord.checkout(pool)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 495, in checkout
rec = pool._do_get()
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/pool/impl.py", line 140, in _do_get
self._dec_overflow()
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/util/langhelpers.py", line 68, in __exit__
compat.raise_(
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/util/compat.py", line 182, in raise_
raise exception
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/pool/impl.py", line 137, in _do_get
return self._create_connection()
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 309, in _create_connection
return _ConnectionRecord(self)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 440, in __init__
self.__connect(first_connect_check=True)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 664, in __connect
pool.dispatch.first_connect.for_modify(
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/event/attr.py", line 314, in exec_once_unless_exception
self._exec_once_impl(True, *args, **kw)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/event/attr.py", line 285, in _exec_once_impl
self(*args, **kw)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/event/attr.py", line 322, in __call__
fn(*args, **kw)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/util/langhelpers.py", line 1406, in go
return once_fn(*arg, **kw)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/engine/strategies.py", line 199, in first_connect
dialect.initialize(c)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/engine/default.py", line 311, in initialize
self.server_version_info = self._get_server_version_info(
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy_trino/dialect.py", line 266, in _get_server_version_info
res = connection.execute(sql.text(query)).first()
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1011, in execute
return meth(self, multiparams, params)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/sql/elements.py", line 298, in _execute_on_connection
return connection._execute_clauseelement(self, multiparams, params)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1124, in _execute_clauseelement
ret = self._execute_context(
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1316, in _execute_context
self._handle_dbapi_exception(
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1514, in _handle_dbapi_exception
util.raise_(exc_info[1], with_traceback=exc_info[2])
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/util/compat.py", line 182, in raise_
raise exception
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1276, in _execute_context
self.dialect.do_execute(
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/sqlalchemy/engine/default.py", line 608, in do_execute
cursor.execute(statement, parameters)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/trino/dbapi.py", line 408, in execute
result = self._query.execute()
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/trino/client.py", line 517, in execute
response = self._request.post(self._sql, additional_http_headers)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/trino/client.py", line 339, in post
http_response = self._post(
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/trino/exceptions.py", line 131, in decorated
raise error
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/trino/exceptions.py", line 118, in decorated
result = func(*args, **kwargs)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/requests/sessions.py", line 590, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.X.X', port=443): Max retries exceeded with url: /v1/statement (Caused by SSLError(SSLCertVerificationError("hostname '192.168.X.X' doesn't match 'KewMann'")))
I get the same error after converting the pem file to crt (export crt from jks) using openssl pkcs12 -in myapp.p12 -nokeys -out keystore.crt
Interesting, I was able to connect after changing to the following:
[root@superset ~]# python
Python 3.8.7 (default, Feb 11 2021, 01:37:18)
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from sqlalchemy import create_engine
>>> from sqlalchemy.sql import text
>>> import ssl
>>> ssl.match_hostname = lambda cert, hostname: True
>>> engine = create_engine('trino://<user>:<pass>@192.168.X.X:443/postgresql/public?verify=/superset/path/cert/keystore.pem')
>>> conn = engine.connect()
/root/.pyenv/versions/3.8.7/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 192.168.X.X has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
>>> res = conn.execute(text("SHOW SCHEMAS")).fetchall()
>>> print(res)
[('information_schema',), ('pg_catalog',), ('public',)]
>>>
Stackoverflow reference here: CertificateError: hostname doesn't match
@dungdm93 I tried adding ?verify=\path\to\cert.pem to the connection string in Superset but Superset returns the same error.
You could add a self-signed CA to your system:
Debian/Ubuntu:
- Copy your CA to
/usr/local/share/ca-certificates/
sudo update-ca-certificates
CentOS 6+
- Enable the dynamic CA configuration feature:
sudo update-ca-trust force-enable
- Copy your CA to
/etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
I have also tried this and it didn't work.
It's because your CA is not valid. Could you give me an inspection of your cert:
openssl x509 -in /path/to/cert.pem -text -noout
[root@superset anchors]# openssl x509 -in /etc/pki/ca-trust/source/anchors/trinoCA.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3f:0f:ba:2b:63:3b:58:c4:a7:5a:db:c7:26:f7:20:7e:95:01:86:72
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = MY, ST = Selangor, L = Klang, O = Kewmann, OU = Trino, CN = presto, emailAddress = wong.koklim@kewmann.com
Validity
Not Before: Feb 26 07:32:29 2021 GMT
Not After : Feb 25 07:32:29 2026 GMT
Subject: C = MY, ST = Selangor, L = Klang, O = Kewmann, OU = Trino, CN = presto, emailAddress = wong.koklim@kewmann.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c2:26:9f:55:b4:05:10:1e:1e:0a:22:a9:a3:ec:
30:31:b3:a8:c1:b9:f0:bb:6e:a4:14:25:ab:62:37:
4d:d1:c7:6e:ce:44:63:7e:40:0a:df:39:4a:7a:a0:
19:0f:a7:2d:46:ce:f3:f2:a5:d6:89:73:e3:cd:b3:
19:41:7a:55:ec:99:94:be:c8:c8:bd:eb:fc:5b:33:
54:52:45:da:41:95:60:d3:77:ba:55:c6:7e:ee:d0:
e0:1c:fd:5f:17:b6:bc:39:83:fd:84:ab:67:b8:a2:
48:63:10:5f:a2:7d:57:fb:f5:e1:96:86:df:54:c0:
06:3a:5a:cb:99:51:b7:c6:7f:33:87:37:13:8b:d3:
e1:f0:dc:f8:9f:8a:71:40:a3:55:6c:90:54:57:83:
f3:0d:49:aa:d5:d7:c8:34:18:e3:24:99:54:7a:61:
0a:62:91:80:7a:2f:9d:0a:78:2b:06:5a:ae:d7:6f:
a9:4d:56:55:5c:d3:bb:3b:c3:56:12:20:47:95:43:
3d:71:f6:53:c3:80:49:33:03:80:99:ab:64:7d:5f:
95:a0:84:10:00:ed:08:9c:59:85:ce:8d:77:be:7e:
36:a7:ca:ed:61:5d:e7:da:57:dc:36:24:22:c6:47:
f5:d2:9a:56:f4:10:4f:e1:3a:19:a8:5a:66:28:9e:
d3:25
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
94:8B:59:18:FC:C1:DF:12:37:CB:A7:61:90:5F:BA:5F:34:A2:EA:2D
X509v3 Authority Key Identifier:
keyid:94:8B:59:18:FC:C1:DF:12:37:CB:A7:61:90:5F:BA:5F:34:A2:EA:2D
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
4d:4e:5f:11:30:f5:ab:16:9e:ea:05:90:e7:2a:af:61:92:13:
27:73:60:3e:78:fe:69:16:2d:d6:d4:24:ad:cf:31:e2:23:c8:
98:54:4a:73:6b:cd:f6:30:45:c7:e5:6d:bc:d6:19:8e:95:5b:
96:e3:f2:cd:e8:91:dd:be:4d:06:5f:70:bb:01:db:22:17:85:
d9:d4:88:a4:3a:76:8a:8a:63:08:aa:16:14:cb:db:36:9e:ff:
b8:c7:d0:d4:45:92:f1:33:75:81:45:6b:aa:44:50:03:d5:7e:
70:95:41:6c:f4:60:b5:71:05:a0:f3:81:90:4a:f5:5b:8c:53:
e9:2f:d8:9c:b1:1a:ec:a8:5c:53:96:5e:f3:5f:ed:8b:4c:fe:
73:11:4d:50:2e:5b:8e:89:ec:36:1f:5f:82:d9:35:60:28:fa:
01:ad:95:8c:4f:55:38:1e:c7:2d:b9:77:ee:50:38:99:47:79:
31:21:f4:37:b5:7e:69:8f:62:47:2d:85:7d:8b:cd:3c:82:7d:
4a:33:ef:be:c7:e7:4b:6e:6b:eb:8c:c6:e4:d2:ec:c2:57:03:
cf:1d:d6:13:1e:64:5c:ef:0f:50:06:7c:01:53:eb:4c:d3:20:
0d:b6:4a:08:4f:7d:22:7c:50:cf:b9:f6:b0:78:c8:63:17:25:
ca:48:ea:80
@CollinKendor your cert only has a Common Name (CN = presto) and no Subject Alternative Name (SAN).
Neither matches your endpoint, which is 192.168.X.X
So, please re-create another cert that contains your IP 192.168.X.X in either CN or SAN.
P/S: I prefer using domain instead of IP
P/S: I prefer using domain instead of IP
Yes, but I am not provided with a domain which I can use, so unfortunately I need to use IP.
Below is the new cert:
[root@superset env]# openssl x509 -in /etc/pki/ca-trust/source/anchors/trinoCA.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
50:f6:12:f4:f4:2e:bb:c8:a0:b9:8c:6c:51:f3:a0:20:b7:83:c6:6f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = MY, ST = Selangor, L = Klang, O = Kewmann, OU = Trino, CN = 192.168.X.X, emailAddress = wong.koklim@kewmann.com
Validity
Not Before: Feb 26 10:23:19 2021 GMT
Not After : Feb 25 10:23:19 2026 GMT
Subject: C = MY, ST = Selangor, L = Klang, O = Kewmann, OU = Trino, CN = 192.168.X.X, emailAddress = wong.koklim@kewmann.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c2:26:9f:55:b4:05:10:1e:1e:0a:22:a9:a3:ec:
30:31:b3:a8:c1:b9:f0:bb:6e:a4:14:25:ab:62:37:
4d:d1:c7:6e:ce:44:63:7e:40:0a:df:39:4a:7a:a0:
19:0f:a7:2d:46:ce:f3:f2:a5:d6:89:73:e3:cd:b3:
19:41:7a:55:ec:99:94:be:c8:c8:bd:eb:fc:5b:33:
54:52:45:da:41:95:60:d3:77:ba:55:c6:7e:ee:d0:
e0:1c:fd:5f:17:b6:bc:39:83:fd:84:ab:67:b8:a2:
48:63:10:5f:a2:7d:57:fb:f5:e1:96:86:df:54:c0:
06:3a:5a:cb:99:51:b7:c6:7f:33:87:37:13:8b:d3:
e1:f0:dc:f8:9f:8a:71:40:a3:55:6c:90:54:57:83:
f3:0d:49:aa:d5:d7:c8:34:18:e3:24:99:54:7a:61:
0a:62:91:80:7a:2f:9d:0a:78:2b:06:5a:ae:d7:6f:
a9:4d:56:55:5c:d3:bb:3b:c3:56:12:20:47:95:43:
3d:71:f6:53:c3:80:49:33:03:80:99:ab:64:7d:5f:
95:a0:84:10:00:ed:08:9c:59:85:ce:8d:77:be:7e:
36:a7:ca:ed:61:5d:e7:da:57:dc:36:24:22:c6:47:
f5:d2:9a:56:f4:10:4f:e1:3a:19:a8:5a:66:28:9e:
d3:25
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
94:8B:59:18:FC:C1:DF:12:37:CB:A7:61:90:5F:BA:5F:34:A2:EA:2D
X509v3 Authority Key Identifier:
keyid:94:8B:59:18:FC:C1:DF:12:37:CB:A7:61:90:5F:BA:5F:34:A2:EA:2D
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
13:31:43:ed:bf:96:d7:bf:0b:24:c5:fd:4e:61:f7:96:f0:25:
80:ff:c7:d4:8b:69:05:5b:8e:92:61:94:ee:8b:2d:05:c2:da:
f0:aa:c0:2c:22:63:96:61:d4:7b:01:99:8e:8c:c4:55:bd:55:
2d:e6:7d:60:75:a7:62:61:dd:98:1c:28:dc:1b:09:20:e3:08:
b9:0a:5b:6f:74:01:31:a4:71:7c:75:c2:b7:40:e6:0a:bb:6a:
bc:eb:c2:be:69:dd:81:1d:69:3c:38:43:2c:78:09:e5:bc:f7:
9c:76:ff:d4:b1:ad:a4:dd:c0:a1:3d:54:6a:68:1d:78:4c:3f:
80:db:dd:90:a2:e5:da:19:40:23:fc:e6:ed:5c:8e:a8:10:1d:
74:aa:1f:b3:09:db:d2:f4:75:e6:6f:e8:ae:4d:c2:55:8a:29:
bd:09:08:1a:38:40:76:72:23:c1:ca:fd:06:8e:aa:17:57:f6:
d1:75:a7:24:45:44:61:45:1b:45:b3:da:17:8a:8e:9f:1f:fc:
ad:90:ae:92:52:aa:94:2c:59:ae:e3:9f:d0:2d:55:c8:ee:71:
5d:81:8f:c0:f0:35:2c:fe:ef:6e:f0:ab:02:c1:80:c5:ef:7c:
64:17:0b:c5:24:f9:09:4c:1d:71:e3:5b:81:b9:2a:25:3c:c5:
8b:25:f8:b4
which I have also added to superset server. I restarted the superset and tested again and got the same error message.
@CollinKendor my mistake, the IP address MUST be included in the Subject Alternative Name (SAN)
You could also use some local domain like trino.local and put it into /etc/hosts
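The SAN-only rule from the comment above, as an added example (not code from this thread, urllib3 or Python's ssl module): an IP endpoint matches only an iPAddress SAN entry and a host name only a dNSName entry, with none of the commonName fallback that the SubjectAltNameWarning in the log says is being removed. The certificate dicts use the shape that getpeercert() returns and are constructed; 192.0.2.10 stands in for the redacted 192.168.X.X, and the third certificate is hypothetical.

```python
import ipaddress

def _as_ip(text):
    """Parse text as an IP address, or return None if it is a DNS name."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive compare; '*' is accepted only as the whole first label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_first, _, p_rest = p.partition(".")
    h_first, _, h_rest = h.partition(".")
    return p_first == "*" and h_first != "" and p_rest != "" and p_rest == h_rest

def check_endpoint(cert, endpoint):
    """Return (ok, reason) for endpoint against a getpeercert()-style dict."""
    san = cert.get("subjectAltName", ())
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ip = _as_ip(endpoint)
    if ip is not None:
        # IP endpoints are compared as addresses, never as DNS strings.
        if any(k == "IP Address" and _as_ip(v) == ip for k, v in san):
            return True, "matched iPAddress SAN"
        if any(_as_ip(cn) == ip for cn in cns):
            return False, "IP appears only in CN; add it as an iPAddress SAN"
        return False, "no iPAddress SAN for this endpoint"
    if any(k == "DNS" and _dns_match(v, endpoint) for k, v in san):
        return True, "matched dNSName SAN"
    if any(_dns_match(cn, endpoint) for cn in cns):
        return False, "name appears only in CN; add it as a dNSName SAN"
    return False, "no dNSName SAN for this endpoint"

# Constructed sample data modelled on the certificates shown in the thread.
ENDPOINT = "192.0.2.10"  # placeholder for the redacted 192.168.X.X
CERT_CN_NAME = {"subject": ((("commonName", "presto"),),)}   # first cert: CN only
CERT_CN_IP = {"subject": ((("commonName", ENDPOINT),),)}     # second cert: IP in CN
CERT_SAN = {                                                 # hypothetical re-issue
    "subject": ((("commonName", "trino.local"),),),
    "subjectAltName": (("DNS", "trino.local"), ("IP Address", ENDPOINT)),
}

if __name__ == "__main__":
    for label, cert in (("CN=presto", CERT_CN_NAME),
                        ("CN=<ip>", CERT_CN_IP),
                        ("SAN=<ip>", CERT_SAN)):
        print(label, check_endpoint(cert, ENDPOINT))
```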
Sorry just curious, do I need to specify the cert in gunicorn?
Your cert is used by Superset (as client) to connect to Trino. If you do not want to access Superset via HTTPS then there is no need to specify the cert in gunicorn.
P/S: And note that Superset's cert and Trino's cert might be different.