[druid-user] Security exception when migrating from 0.18.1 to 0.20.0


We are migrating from version 0.18.1 to 0.20.0. During this process we are receiving a security certificate exception which seems to be related to the latest Java version (1.8.0_275-b01) being used. On falling back to a previous version (1.8.0_262-b10) the issue seems to be resolved.

Is there any hard dependency on any particular version of Java for Druid 0.20.0 or any other known vulnerabilities which are causing this kind of an exception?


Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching

Any pointers for this issue would be really helpful.


I’m not aware of any - and I did a quick scan of the detailed change lists between 0.18.1 and 0.20.0 and couldn’t pick out anything obvious:

If memory serves, the SAN in your cert is tied to the host names - could that be the cause?

Thanks for the input, Peter.

You are right about the SAN. The issue comes from the following check: the SAN has the host name, whereas the IP is returned by ZK during coordinator discovery, and that IP is not added as a SAN:

[NodeRoleWatcher[COORDINATOR]] org.apache.druid.curator.discovery.CuratorDruidNodeDiscoveryProvider$NodeRoleWatcher - Node[https://<IP>:8281] of role[coordinator] detected.

org.apache.druid.discovery.DruidLeaderClient - Request[https://<ip>:8281/druid-ext/basic-security/authentication/db/MyBasicAuthenticator/cachedSerializedUserMap] failed.
org.jboss.netty.channel.ChannelException: Faulty channel in resource pool
at org.apache.druid.server.security.DefaultTLSCertificateChecker.checkServer(DefaultTLSCertificateChecker.java:52) ~[druid-server-0.20.0.jar:0.20.0]

This is strange because the same cert works fine with the 0.18.1 version we have currently deployed.

Please correct me if my understanding is wrong.
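
Added example (not part of the original thread, and not Druid or JDK code): a minimal sketch of the general hostname-verification rule from RFC 2818 section 3.1, showing why a certificate whose SAN lists only the host name fails once a node is announced by IP. The host name, IP address and the functions `dns_match`, `san_matches` and `check_url` are constructed for illustration; SAN entries use the `(type, value)` shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: a certificate whose SAN carries only the node's host name.
DNS_ONLY_SANS = (("DNS", "druid-coordinator.example.internal"),)

def dns_match(pattern, host):
    """Compare a dNSName SAN with a host name, label by label.
    Simplification: '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def parse_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def san_matches(target, sans):
    """True if the host the client connects to is covered by the SAN list."""
    ip = parse_ip(target)
    if ip is not None:
        # IP literal: only iPAddress entries are compared, exactly.
        # dNSName entries are never consulted, so a host-name-only cert fails.
        return any(t == "IP Address" and parse_ip(v) == ip for t, v in sans)
    return any(t == "DNS" and dns_match(v, target) for t, v in sans)

def check_url(url, sans):
    """Verdict for the host part of a discovered node URL."""
    host = urlsplit(url).hostname
    return "match" if san_matches(host, sans) else "no SAN matches " + host

if __name__ == "__main__":
    with_ip = DNS_ONLY_SANS + (("IP Address", "10.0.0.12"),)
    for url in ("https://druid-coordinator.example.internal:8281/status",
                "https://10.0.0.12:8281/status"):
        print(url, "| DNS-only cert:", check_url(url, DNS_ONLY_SANS),
              "| cert with IP SAN:", check_url(url, with_ip))
```

Under this rule the two ways to make the check pass are to have nodes announce themselves by a name that is in the SAN, or to issue certificates that also carry the announced IP as an iPAddress SAN entry.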


Hm I am having to cast my mind back to the days I dealt with SSL a lot hahahah! In the OS, do I remember right that there’s a setting to ignore certificate errors??? … maybe that is turned on in your other cluster? Hm…