Certificate validation issue in Docker container Java version - error attempting to add new MS SQL Server source


One of our MS SQL Server boxes has a cert using RSASSA-PSS as the signature algorithm. The version of Java included in the docker image we’re using (dremio-oss:3.1.6) is OpenJDK 1.8.0_181 which doesn’t appear to have compatibility for RSASSA-PSS certs. It looks like Java 11 has a fix, and there was discussion about backporting, but I don’t see that it ever happened.

Do the newer Docker images still use Java 8 and, if so, are there recommended existing methods for updating to a newer version or does the cert and its dependencies need to be rebuilt?



The Dremio logs at the failure:

Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
    at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1127) ~[na:1.8.0_181]
    at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1051) ~[na:1.8.0_181]
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:993) ~[na:1.8.0_181]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1615) ~[na:1.8.0_181]
    ... 31 common frames omitted
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: 1.2.840.113549.1.1.10
    at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:278) ~[na:1.8.0_181]
    at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1123) ~[na:1.8.0_181]
    ... 34 common frames omitted

Current Build

Community Edition

Our current image is still based on Java 8 for now and we do not yet recommend updating to a new version.

Okay, I’ll relay the information. Thank you.