I was looking at these configuration instructions, “ENABLING TLS FOR DREMIO UI ON AZURE”.
https://docs.dremio.com/deployment/azure/azure-ssl/
I noticed that there is no mention whatsoever of intermediate certificates. I know from experience that LetsEncrypt, which is the specific provider used in the example, relies on an intermediate cert. If you don’t provide that intermediate to a server, then your SSL is misconfigured, and clients will not be able to connect without either 1) disabling SSL verification or 2) adding the intermediate certificate to their trust store. Neither of those things should be necessary, because it’s the server’s responsibility to serve the intermediate along with the main.
If you do add the intermediate certificate, and the server delivers it over the connection like it should, then the downstream client automatically trusts your connection, because it can verify the full chain itself from the main, through the certificate, and finally to the root which it will already have in its trust store.
For LetsEncrypt in particular, I believe you can remedy this by including the fullchain.pem file in the keystore instead of cert.pem; i.e.
```bash
# FQDN must already be set to the hostname the certificate was issued for
PASSWORD=yourpassword
LETSENCRYPT_BASE=/etc/letsencrypt/live
DREMIO_DATA_DIR=/var/lib/dremio

# Export the private key together with the full chain (leaf + intermediate),
# not cert.pem (leaf only), so the server sends the intermediate to clients
openssl pkcs12 -export \
  -inkey "$LETSENCRYPT_BASE/$FQDN/privkey.pem" \
  -in "$LETSENCRYPT_BASE/$FQDN/fullchain.pem" \
  -out "$DREMIO_DATA_DIR/store.pkcs12" \
  -passout "pass:$PASSWORD"
chown dremio:dremio "$DREMIO_DATA_DIR/store.pkcs12"
```
For other certificate providers you may have to create the combined file yourself; e.g.
```bash
cat cert.pem intermediate.pem > fullchain.pem
```
Can anyone with experience working with SSL certs and Dremio comment here? Is there something I am missing? This is actually a somewhat common SSL mistake to make, so I’m not super surprised to see it. GoDaddy, for instance, also uses an intermediate, and it talks about that here:
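As an added example (not part of the original post or of the Dremio docs), the script below shows the two checks worth running before and after deploying the keystore: how many certificates a PKCS12 store actually carries, and whether a leaf verifies to its root with and without the intermediate. It builds a toy root -> intermediate -> leaf chain with openssl so it runs offline; the CA subjects, file names, the `dremio.example.test` name and the `yourpassword` value are made up for the demo, and the live-server check assumes you point it at the host and port the Dremio UI listens on (9047 by default).

```bash
#!/usr/bin/env bash
# Added example, not from the original post or the Dremio docs: build a toy
# root -> intermediate -> leaf chain, pack it into PKCS12 two ways (leaf only,
# like cert.pem, and leaf+intermediate, like fullchain.pem), then show the two
# checks a practitioner wants: how many certificates a keystore carries, and
# whether a leaf verifies to the root with and without the intermediate.
# All names (toy CA subjects, file names, PASSWORD) are made up for the demo.
set -euo pipefail

PASSWORD=yourpassword
WORK="$(mktemp -d)"

# Number of certificates inside a PKCS12 store. Built from cert.pem alone
# this is 1; built from fullchain.pem it is 2 or more.
count_certs_in_pkcs12() {
  local store="$1" password="$2"
  openssl pkcs12 -in "$store" -nokeys -passin "pass:$password" 2>/dev/null \
    | { grep -c 'BEGIN CERTIFICATE' || true; }
}

# Number of certificates a live server sends in its handshake (e.g. host:9047
# for the Dremio UI). Fewer than 2 for a Let's Encrypt leaf means the
# intermediate is missing from the keystore. Not exercised offline.
count_certs_from_server() {
  local hostport="$1"
  openssl s_client -connect "$hostport" -servername "${hostport%%:*}" -showcerts \
    </dev/null 2>/dev/null | { grep -c 'BEGIN CERTIFICATE' || true; }
}

# Does the leaf chain to the root? Pass the intermediate as the optional third
# argument, exactly as a client would receive it from a correctly set up server.
leaf_verifies() {
  local root="$1" leaf="$2" intermediate="${3:-}"
  if [ -n "$intermediate" ]; then
    openssl verify -CAfile "$root" -untrusted "$intermediate" "$leaf" >/dev/null 2>&1 && return 0
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 && return 0
  fi
  return 1
}

# Toy PKI: root (self-signed) -> intermediate -> leaf, with proper CA flags,
# plus the two files Let's Encrypt would hand you and the stores they yield.
make_toy_chain() {
  local d="$1" n
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:dremio.example.test\n' >"$d/leaf.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
      -subj "/CN=toy-$n" >/dev/null 2>&1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -days 2 -out "$d/root.pem" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -extfile "$d/leaf.ext" -days 2 -out "$d/leaf.pem" >/dev/null 2>&1
  cp "$d/leaf.pem" "$d/cert.pem"                       # what cert.pem holds
  cat "$d/leaf.pem" "$d/int.pem" >"$d/fullchain.pem"   # what fullchain.pem holds
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/cert.pem" \
    -out "$d/leaf-only.p12" -passout "pass:$PASSWORD"
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/fullchain.pem" \
    -out "$d/fullchain.p12" -passout "pass:$PASSWORD"
}

make_toy_chain "$WORK"
LEAF_ONLY_COUNT="$(count_certs_in_pkcs12 "$WORK/leaf-only.p12" "$PASSWORD")"
FULLCHAIN_COUNT="$(count_certs_in_pkcs12 "$WORK/fullchain.p12" "$PASSWORD")"
echo "leaf-only store carries $LEAF_ONLY_COUNT certificate(s); fullchain store carries $FULLCHAIN_COUNT"
if leaf_verifies "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem"; then
  echo "leaf + intermediate verifies to the root: OK"
fi
if ! leaf_verifies "$WORK/root.pem" "$WORK/leaf.pem"; then
  echo "leaf alone does not verify: the client would need the intermediate"
fi
```

Against a real deployment, run `count_certs_from_server your.host:9047` after restarting Dremio: a result of 1 means the keystore was built from cert.pem and the intermediate is not being served.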