I set up my gpfdist to use SSL certs and am seeing these errors when testing with wget:
[gpadmin@greenie gpseg-1]$ wget https://dblaxt08.unx.sas.com:8080/dbtab.dat
--2024-11-14 15:05:08-- https://dblaxt08.unx.sas.com:8080/dbtab.dat
Resolving dblaxt08.unx.sas.com (dblaxt08.unx.sas.com)... 10.24.8.125
Connecting to dblaxt08.unx.sas.com (dblaxt08.unx.sas.com)|10.24.8.125|:8080... connected.
GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [40]: Handshake failed
Unable to establish SSL connection.
gpfdist -p 8080 -l /dbi/odbc/tmp/gpfdist_rh7_t08_8080_log.txt -d /dbi/odbc/tmp --ssl /etc/init.d/ssl_certs
I followed this document: https://docs.vmware.com/en/VMware-Greenplum/7/greenplum-database/admin_guide-external-g-gpfdists-protocol.html
Here are my certs that I created:
[root@dblaxt08 ~]# ls -al /etc/init.d/ssl_certs
-rw-r--r-- 1 root root 1484 Nov 1 13:02 root.crt
-rw-r--r-- 1 root root 1679 Nov 1 13:00 root.key
-rw-r--r-- 1 root root 17 Nov 1 13:06 root.srl
-rw-r--r-- 1 root root 1367 Nov 1 13:06 server.crt
-rw-r--r-- 1 root root 1143 Nov 1 13:05 server.csr
-rw------- 1 root root 1675 Nov 1 13:03 server.key
On the segment servers I have created the gpfdists directory with certificates in all of the $PGDATA/gpfdists directories.
Is my $PGDATA directory correct? Or which directory should this be?
Any help or suggestions would be great.
For example,
[gpadmin@greenie1 gpfdists]$ ls -al /data2/mirror/gpseg21/gpfdists
-rw------- 1 gpadmin gpadmin 1383 Nov 4 16:42 client.crt
-rw------- 1 gpadmin gpadmin 1143 Nov 4 16:42 client.csr
-rw------- 1 gpadmin gpadmin 1704 Nov 4 16:42 client.key
-rw------- 1 gpadmin gpadmin 1505 Nov 4 16:42 root.crt
-rw------- 1 gpadmin gpadmin 1874 Nov 4 16:42 root.key
-rw------- 1 gpadmin gpadmin 41 Nov 4 16:42 root.srl
The settings of the verify_gpfdists_cert server configuration parameter (default value true) and the gpfdist --ssl_verify_peer <boolean> option (default value on) control whether SSL certificate authentication is enabled when Greenplum Database communicates with the gpfdist utility to either read data from or write data to an external data source. These settings also determine which of the following certificate files must reside in the $PGDATA/gpfdists directory on each Greenplum Database segment:
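
An offline sanity check for the two certificate directories listed in the post, as an added example that is not part of the original post or of the Greenplum documentation. It reports missing files, private keys readable by group or others (the `ls` output above shows root.key as -rw-r--r--), a certificate that does not chain to root.crt, and a key that does not match its certificate. The function name `check_cert_dir` and the finding labels are made up for this example, and the last two checks assume `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example, not from the post. check_cert_dir DIR CERT KEY audits one
# certificate directory offline, for instance:
#   check_cert_dir /etc/init.d/ssl_certs server.crt server.key    (gpfdist host)
#   check_cert_dir "$PGDATA/gpfdists" client.crt client.key       (segment)
# It prints one finding per line and returns 0 only when there are none.
check_cert_dir() {
    dir=$1; cert=$2; key=$3; rc=0; missing=0

    # The CA certificate plus this side's certificate and key must be readable.
    for f in root.crt "$cert" "$key"; do
        [ -r "$dir/$f" ] || { echo "MISSING $f"; rc=1; missing=1; }
    done

    # No private key should be readable by group or others
    # (characters 5 and 8 of the ls mode string are those two read bits).
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue
        case $(ls -ld "$k" | cut -c5,8) in
            *r*) echo "KEY_READABLE ${k##*/}"; rc=1 ;;
        esac
    done

    # The cryptographic checks need openssl and all three files.
    if [ "$missing" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        # The certificate must chain to root.crt, the CA the peer is given.
        openssl verify -CAfile "$dir/root.crt" "$dir/$cert" >/dev/null 2>&1 ||
            { echo "CHAIN_FAIL $cert"; rc=1; }
        # The certificate's public key must be the one derived from the key file.
        cpub=$(openssl x509 -in "$dir/$cert" -noout -pubkey 2>/dev/null) || cpub=
        kpub=$(openssl pkey -in "$dir/$key" -pubout 2>/dev/null) || kpub=
        if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
            echo "KEY_MISMATCH $cert $key"; rc=1
        fi
    fi
    return "$rc"
}
```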