Doris3.0.4使用paimon catalog连接带ssl证书的s3报错

Question

创建catalog ddl：
CREATE CATALOG paimon_s3 PROPERTIES (
"warehouse" = "s3://dataplat-dev/",
"type" = "paimon",
"s3.secret_key" = "*XXX",
"s3.region" = "us-east-1",
"s3.endpoint" = "https://172.16.7.131:9000",
"s3.access_key" = "xxx",
"paimon.s3.paging.maximum" = "1000",
"paimon.s3.list.version" = "1",
"metadata_refresh_interval_sec" = "60"
);

连接时报错：
org.jkiss.dbeaver.model.sql.DBSQLException: SQL 错误 [1105] [HY000]: UncheckedIOException, msg: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.executeStatement(JDBCStatementImpl.java:133)
at org.jkiss.dbeaver.ui.editors.sql.execute.SQLQueryJob.executeStatement(SQLQueryJob.java:583)
at org.jkiss.dbeaver.ui.editors.sql.execute.SQLQueryJob.lambda$1(SQLQueryJob.java:492)
at org.jkiss.dbeaver.model.exec.DBExecUtils.tryExecuteRecover(DBExecUtils.java:190)
at org.jkiss.dbeaver.ui.editors.sql.execute.SQLQueryJob.executeSingleQuery(SQLQueryJob.java:499)
at org.jkiss.dbeaver.ui.editors.sql.execute.SQLQueryJob.extractData(SQLQueryJob.java:947)
at org.jkiss.dbeaver.ui.editors.sql.SQLEditor$QueryResultsContainer.readData(SQLEditor.java:4100)
at org.jkiss.dbeaver.ui.controls.resultset.ResultSetJobDataRead.lambda$0(ResultSetJobDataRead.java:123)
at org.jkiss.dbeaver.model.exec.DBExecUtils.tryExecuteRecover(DBExecUtils.java:190)
at org.jkiss.dbeaver.ui.controls.resultset.ResultSetJobDataRead.run(ResultSetJobDataRead.java:121)
at org.jkiss.dbeaver.ui.controls.resultset.ResultSetViewer$ResultSetDataPumpJob.run(ResultSetViewer.java:5164)
at org.jkiss.dbeaver.model.runtime.AbstractJob.run(AbstractJob.java:105)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: java.sql.SQLException: UncheckedIOException, msg: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:129)
at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122)
at com.mysql.cj.jdbc.StatementImpl.executeInternal(StatementImpl.java:763)
at com.mysql.cj.jdbc.StatementImpl.execute(StatementImpl.java:648)
at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.execute(JDBCStatementImpl.java:330)
at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.executeStatement(JDBCStatementImpl.java:131)
... 12 more

阿渊@SelectDB · Answer

大佬加我主页微信我们一起看看吧。

得取fe.log的详细堆栈来看，这个报错看着都是 dbeaver 返回的一些信息，看不出啥

yezinong · Answer

好的。我们想过用paimon catalog的相关参数来禁用ssl校验，但试了多个参数都不生效，官方文档也确实没找到这方面的参数配置说明。包括paimon官方文档也找了好久没找到这块的说明。

网上也能查到starrocks的官方文档中有参数可以禁用ssl的："aws.s3.enable_ssl" = "false"。

另外，将s3的ssl证书导入到doris主机的cacerts库这条路也验证过，有的环境可以，有的生产环境有些不明原因导致就不行。所以优先还是希望像starrocks或者别的工具那样，可以有参数配置直接禁用掉ssl校验。

fe的日志如下：

2025-06-04 09:41:51,848 WARN (mysql-nio-pool-991|197) [StmtExecutor.executeByLegacy():1159] execute Exception. stmt[545494, 5bed9dc372a14bbb-9e16181f0917a64d]
java.io.UncheckedIOException: org.apache.hadoop.fs.s3a.AWSClientIOException: getFileStatus on s3://dataplat-dev/user.sys: com.amazonaws.SdkClientException: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.apache.paimon.privilege.FileBasedPrivilegeManager.getTable(FileBasedPrivilegeManager.java:371) ~[paimon-core-0.8.1.jar:0.8.1]
at org.apache.paimon.privilege.FileBasedPrivilegeManager.getUserTable(FileBasedPrivilegeManager.java:352) ~[paimon-core-0.8.1.jar:0.8.1]
at org.apache.paimon.privilege.FileBasedPrivilegeManager.privilegeEnabled(FileBasedPrivilegeManager.java:118) ~[paimon-core-0.8.1.jar:0.8.1]
at org.apache.paimon.catalog.FileSystemCatalogFactory.create(FileSystemCatalogFactory.java:55) ~[paimon-core-0.8.1.jar:0.8.1]
at org.apache.paimon.catalog.CatalogFactory.createCatalog(CatalogFactory.java:95) ~[paimon-core-0.8.1.jar:0.8.1]
at org.apache.paimon.catalog.CatalogFactory.createCatalog(CatalogFactory.java:66) ~[paimon-core-0.8.1.jar:0.8.1]
at org.apache.doris.datasource.paimon.PaimonExternalCatalog.createCatalogImpl(PaimonExternalCatalog.java:164) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.datasource.paimon.PaimonExternalCatalog.lambda$createCatalog$4(PaimonExternalCatalog.java:156) ~[doris-fe.jar:1.2-SNAPSHOT]
at java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1899) ~[hadoop-common-3.3.6.jar:?]
at org.apache.doris.common.security.authentication.HadoopAuthenticator.doAs(HadoopAuthenticator.java:31) ~[fe-common-1.2-SNAPSHOT.jar:1.2-SNAPSHOT]
at org.apache.doris.datasource.paimon.PaimonExternalCatalog.createCatalog(PaimonExternalCatalog.java:149) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.datasource.paimon.PaimonFileExternalCatalog.initLocalObjectsImpl(PaimonFileExternalCatalog.java:45) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.datasource.ExternalCatalog.initLocalObjects(ExternalCatalog.java:307) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.datasource.ExternalCatalog.makeSureInitialized(ExternalCatalog.java:270) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.datasource.ExternalCatalog.getDbNames(ExternalCatalog.java:573) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.qe.ShowExecutor.handleShowDb(ShowExecutor.java:932) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.qe.ShowExecutor.execute(ShowExecutor.java:323) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.qe.StmtExecutor.handleShow(StmtExecutor.java:2937) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.qe.StmtExecutor.executeByLegacy(StmtExecutor.java:1121) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.qe.StmtExecutor.execute(StmtExecutor.java:642) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.qe.StmtExecutor.queryRetry(StmtExecutor.java:572) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.qe.StmtExecutor.execute(StmtExecutor.java:562) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.qe.ConnectProcessor.executeQuery(ConnectProcessor.java:347) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.qe.ConnectProcessor.handleQuery(ConnectProcessor.java:250) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.qe.MysqlConnectProcessor.handleQuery(MysqlConnectProcessor.java:209) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.qe.MysqlConnectProcessor.dispatch(MysqlConnectProcessor.java:237) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.qe.MysqlConnectProcessor.processOnce(MysqlConnectProcessor.java:417) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.mysql.ReadListener.lambda$handleEvent$0(ReadListener.java:52) ~[doris-fe.jar:1.2-SNAPSHOT]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
at java.lang.Thread.run(Thread.java:833) ~[?:?]

Doris3.0.4使用paimon catalog连接带ssl证书的s3报错

2 Answers