Dremio configuration with intermediate SSL certificates

I was looking at these configuration instructions, “ENABLING TLS FOR DREMIO UI ON AZURE”.


I noticed that there is no mention whatsoever of intermediate certificates. I know from experience that LetsEncrypt, which is the specific provider used in the example, relies on an intermediate cert. If you don’t provide that intermediate to a server, then your SSL is misconfigured, and clients will not be able to connect without either 1) disabling SSL verification or 2) adding the intermediate certificate to their trust store. Neither of those things should be necessary, because it’s the server’s responsibility to serve the intermediate along with the main.

If you do add the intermediate certificate, and the server delivers it over the connection like it should, then the downstream client automatically trusts your connection, because it can verify the full chain itself from the main, through the certificate, and finally to the root which it will already have in its trust store.

For LetsEncrypt in particular, I believe you can remedy this by including the fullchain.pem file in the keystore instead of cert.pem; i.e.

openssl pkcs12 -export \
    -inkey "$LETSENCRYPT_BASE/$FQDN/privkey.pem" \
    -in "$LETSENCRYPT_BASE/$FQDN/fullchain.pem" \
    -out "$DREMIO_DATA_DIR/store.pkcs12" \
    -passout "pass:$PASSWORD"
chown dremio:dremio "$DREMIO_DATA_DIR/store.pkcs12"

For other certificate providers you may have to create the combined file yourself; e.g.

cat cert.pem intermediate.pem > fullchain.pem

Can anyone with experience working with SSL certs and Dremio comment here? Is there something I am missing? This is actually a somewhat common SSL mistake to make, so I’m not super surprised to see it. GoDaddy, for instance, also uses an intermediate, and it talks about that here:
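
One way to confirm, before the `openssl pkcs12 -export` step in the post above, that the PEM bundle really holds the leaf certificate followed by its intermediate. This is an added example, not part of the original post or of Dremio's documentation; the function names and the throwaway certificate chain are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# make_constructed_chain DIR: build a throwaway root -> intermediate -> leaf
# chain in DIR so the check can be tried offline. Constructed test data only.
make_constructed_chain() {
    cdir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed root" \
        -keyout "$cdir/root.key" -out "$cdir/root.pem" 2>/dev/null || return 1
    for name in intermediate leaf; do
        if [ "$name" = intermediate ]; then issuer=root; else issuer=intermediate; fi
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed $name" \
            -keyout "$cdir/$name.key" -out "$cdir/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -days 1 -in "$cdir/$name.csr" -CA "$cdir/$issuer.pem" \
            -CAkey "$cdir/$issuer.key" -CAcreateserial -out "$cdir/$name.pem" 2>/dev/null || return 1
    done
}

# chain_check BUNDLE: succeed only if BUNDLE holds the leaf first, followed by
# at least one more certificate, with each issuer name matching the next subject.
# This checks presence and order by name; it does not verify signatures.
chain_check() {
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert1.pem, cert2.pem, ... and report how many were found.
    n=$(awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1")
    if [ "$n" -lt 2 ]; then
        echo "FAIL: $n certificate(s) in bundle; no intermediate would be served" >&2
        rm -rf "$tmp"; return 1
    fi
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/cert$i.pem")
        next_subject=$(openssl x509 -noout -subject_hash -in "$tmp/cert$((i + 1)).pem")
        if [ -z "$issuer" ] || [ "$issuer" != "$next_subject" ]; then
            echo "FAIL: cert $((i + 1)) does not match the issuer of cert $i (order or intermediate is wrong)" >&2
            rm -rf "$tmp"; return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "OK: $n certificates, leaf first, each followed by its issuer"
}

# Usage: sh chain_check.sh fullchain.pem
[ "$#" -eq 0 ] || chain_check "$1"
```

The check fails both for a lone `cert.pem` and for a bundle concatenated in the wrong order, since the leaf has to come first.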