I've currently set up a classic AWS load balancer with an SSL listener and a public certificate issued through AWS Certificate Manager, e.g. query.mydomain. This redirects to a HiveServer2/Thrift instance.
I'm connecting to the public endpoint using beeline like this:

    beeline -u "jdbc:hive2://query.mydomain:10100/default;ssl=true" -n <username> -p <password> --verbose=true -d org.apache.hive.jdbc.HiveDriver

For some reason, the client complains about the hostname of the load balancer instance not being present in the certificate.

    dig +short query.mydomain @resolver1.opendns.com
    13.54.30.146
    13.54.75.233
    3.106.25.71

    Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching ec2-13-54-30-146.ap-southeast-2.compute.amazonaws.com found.
        at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:212)
        at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:452)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:412)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:238)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
        ... 46 more

Why is it expecting the load balancer instance hostname to be in the certificate? Am I doing something wrong?
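
Added example, not part of the original post and not the JDK's HostnameChecker code: a simplified RFC 6125-style model of the subject alternative name check that the stack trace fails in. It is run against the name in the JDBC URL and the name quoted in the exception. The SAN list is constructed from the post's statement that the certificate was issued for query.mydomain, and the function names are hypothetical.

```python
# Simplified dNSName matching for triage; SAN values below are constructed.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, hostname):
    """True if one SAN dNSName entry covers hostname.

    A wildcard is honoured only as the whole left-most label
    ("*.example.test") and stands for exactly one label.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label ("*.test").
        return len(p) > 2 and p[1:] == h[1:]
    return "*" not in pattern and p == h

def san_covers(san_dns_names, hostname):
    return any(dns_name_matches(s, hostname) for s in san_dns_names)

def triage(dialed, verified, san_dns_names):
    """Classify a hostname-verification failure.

    dialed   - host taken from the JDBC URL
    verified - name quoted in the "No subject alternative DNS name
               matching ..." error
    """
    if san_covers(san_dns_names, verified):
        return "certificate covers the verified name"
    if san_covers(san_dns_names, dialed):
        return "client verified a different name than the one dialed"
    return "certificate does not cover the dialed name"

# Constructed input based on the values shown in the post.
SANS = ["query.mydomain"]
DIALED = "query.mydomain"
VERIFIED = "ec2-13-54-30-146.ap-southeast-2.compute.amazonaws.com"

if __name__ == "__main__":
    print(triage(DIALED, VERIFIED, SANS))
```

With these inputs the result points at the client rather than the certificate: the certificate covers the name that was dialed, but the name handed to the hostname check is a different one.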