From e22fa19196ef293cfaa178fe8f736e59f7f1fb3f Mon Sep 17 00:00:00 2001 From: xuzhenchao <858301076@qq.com> Date: Tue, 16 Jun 2026 03:55:58 +0800 Subject: [PATCH] docs: add system CA cert workaround for Azure Blob/S3 on older Doris versions Add a note in the 'Configure BE CA Certificate for HTTPS' section of Azure Blob and S3 storage docs explaining the system-level CA certificate workaround for Doris versions that do not support the ca_cert_file_paths parameter. The ca_cert_file_paths parameter was introduced: - In Doris 3.1.5 / 4.0.5 for Azure Blob Storage - In Doris 2.1 for S3 Users on older versions (e.g., 4.0.3) encountering 'Problem with the SSL CA cert' errors should install system CA certificates and ensure the bundle exists at /etc/ssl/certs/ca-certificates.crt, then restart BE nodes. Updated all 8 files: current + version-4.x, EN + ZH. Co-Authored-By: Claude --- docs/lakehouse/storages/azure-blob.md | 12 ++++++++++++ docs/lakehouse/storages/s3.md | 12 ++++++++++++ .../current/lakehouse/storages/azure-blob.md | 12 ++++++++++++ .../current/lakehouse/storages/s3.md | 12 ++++++++++++ .../version-4.x/lakehouse/storages/azure-blob.md | 12 ++++++++++++ .../version-4.x/lakehouse/storages/s3.md | 12 ++++++++++++ .../version-4.x/lakehouse/storages/azure-blob.md | 12 ++++++++++++ versioned_docs/version-4.x/lakehouse/storages/s3.md | 12 ++++++++++++ 8 files changed, 96 insertions(+) diff --git a/docs/lakehouse/storages/azure-blob.md b/docs/lakehouse/storages/azure-blob.md index 7c99095fc0da0..1d6e5ac84cd6b 100644 --- a/docs/lakehouse/storages/azure-blob.md +++ b/docs/lakehouse/storages/azure-blob.md 
@@ -31,6 +31,18 @@ By default, if `ca_cert_file_paths` is not configured, Doris uses the operating - Your environment uses a self-signed certificate, a private CA, or a corporate proxy or gateway that re-signs TLS traffic. - You encounter errors such as `Problem with the SSL CA cert` or `curl 77: Problem with the SSL CA cert (path? access rights?)` when accessing Azure Blob Storage. +> **For versions without `ca_cert_file_paths`:** The `ca_cert_file_paths` parameter is available starting from Doris 3.1.5 and 4.0.5. If you are using an older version and encounter SSL CA certificate errors, you must ensure the system CA certificates are properly installed and the CA bundle exists at `/etc/ssl/certs/ca-certificates.crt`: +> +> - **RHEL / CentOS / RockyLinux:** +> ```bash +> yum install -y ca-certificates +> update-ca-trust +> ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/ssl/certs/ca-certificates.crt +> ``` +> - **Debian / Ubuntu:** `apt-get install -y ca-certificates` +> +> Then restart all BE nodes. For more details on certificate issues, see [Lakehouse FAQ - Certificate Issues](../../faq/lakehouse-faq.md#certificate-issues). + Example: ```properties diff --git a/docs/lakehouse/storages/s3.md b/docs/lakehouse/storages/s3.md index 5ee2959fc6bba..62b7e9066a9f8 100644 --- a/docs/lakehouse/storages/s3.md +++ b/docs/lakehouse/storages/s3.md 
@@ -29,6 +29,18 @@ By default, if `ca_cert_file_paths` is not configured, Doris uses the operating - Your environment uses a self-signed certificate, a private CA, or a corporate proxy or gateway that re-signs TLS traffic. - You encounter errors such as `Problem with the SSL CA cert` or `curl 77: Problem with the SSL CA cert (path? access rights?)` when accessing S3. +> **For versions without `ca_cert_file_paths`:** The `ca_cert_file_paths` parameter is available starting from Doris 2.1. If you are using Doris 2.0.x or earlier and encounter SSL CA certificate errors, you must ensure the system CA certificates are properly installed and the CA bundle exists at `/etc/ssl/certs/ca-certificates.crt`: +> +> - **RHEL / CentOS / RockyLinux:** +> ```bash +> yum install -y ca-certificates +> update-ca-trust +> ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/ssl/certs/ca-certificates.crt +> ``` +> - **Debian / Ubuntu:** `apt-get install -y ca-certificates` +> +> Then restart all BE nodes. For more details on certificate issues, see [Lakehouse FAQ - Certificate Issues](../../faq/lakehouse-faq.md#certificate-issues). + Example: ```properties diff --git a/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/azure-blob.md b/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/azure-blob.md index fcd600a16b209..ea97337f82841 100644 --- a/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/azure-blob.md +++ b/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/azure-blob.md 
@@ -31,6 +31,18 @@ - 环境中使用了自签名证书、私有 CA,或者会重签 TLS 流量的企业代理或网关。 - 访问 Azure Blob Storage 时出现 `Problem with the SSL CA cert` 或 `curl 77: Problem with the SSL CA cert (path? access rights?)` 等错误。 +> **对于不支持 `ca_cert_file_paths` 的版本:** `ca_cert_file_paths` 参数自 Doris 3.1.5 和 4.0.5 起可用。如果你使用的是更早的版本并遇到 SSL CA 证书错误,需要确保系统 CA 证书已正确安装,并且 CA 证书包位于 `/etc/ssl/certs/ca-certificates.crt`: +> +> - **RHEL / CentOS / RockyLinux:** +> ```bash +> yum install -y ca-certificates +> update-ca-trust +> ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/ssl/certs/ca-certificates.crt +> ``` +> - **Debian / Ubuntu:** `apt-get install -y ca-certificates` +> +> 然后重启所有 BE 节点。更多证书相关问题,请参阅 [数据湖 FAQ - 证书问题](../../faq/lakehouse-faq.md#证书问题)。 + 示例: ```properties diff --git a/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/s3.md b/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/s3.md index 21a03ae8168fc..4af4065f2ae6c 100644 --- a/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/s3.md +++ b/i18n/zh-CN/docusaurus-plugin-content-docs/current/lakehouse/storages/s3.md @@ -29,6 +29,18 @@ - 环境中使用了自签名证书、私有 CA,或者会重签 TLS 流量的企业代理或网关。 - 访问 S3 时出现 `Problem with the SSL CA cert` 或 `curl 77: Problem with the SSL CA cert (path? access rights?)` 等错误。 +> **对于不支持 `ca_cert_file_paths` 的版本:** `ca_cert_file_paths` 参数自 Doris 2.1 起可用。如果你使用的是 Doris 2.0.x 或更早版本并遇到 SSL CA 证书错误,需要确保系统 CA 证书已正确安装,并且 CA 证书包位于 `/etc/ssl/certs/ca-certificates.crt`: +> +> - **RHEL / CentOS / RockyLinux:** +> ```bash +> yum install -y ca-certificates +> update-ca-trust +> ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/ssl/certs/ca-certificates.crt +> ``` +> - **Debian / Ubuntu:** `apt-get install -y ca-certificates` +> +> 然后重启所有 BE 节点。更多证书相关问题,请参阅 [数据湖 FAQ - 证书问题](../../faq/lakehouse-faq.md#证书问题)。 + 示例: ```properties 
diff --git a/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/azure-blob.md b/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/azure-blob.md index fcd600a16b209..ea97337f82841 100644 --- a/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/azure-blob.md +++ b/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/azure-blob.md @@ -31,6 +31,18 @@ - 环境中使用了自签名证书、私有 CA,或者会重签 TLS 流量的企业代理或网关。 - 访问 Azure Blob Storage 时出现 `Problem with the SSL CA cert` 或 `curl 77: Problem with the SSL CA cert (path? access rights?)` 等错误。 +> **对于不支持 `ca_cert_file_paths` 的版本:** `ca_cert_file_paths` 参数自 Doris 3.1.5 和 4.0.5 起可用。如果你使用的是更早的版本并遇到 SSL CA 证书错误,需要确保系统 CA 证书已正确安装,并且 CA 证书包位于 `/etc/ssl/certs/ca-certificates.crt`: +> +> - **RHEL / CentOS / RockyLinux:** +> ```bash +> yum install -y ca-certificates +> update-ca-trust +> ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/ssl/certs/ca-certificates.crt +> ``` +> - **Debian / Ubuntu:** `apt-get install -y ca-certificates` +> +> 然后重启所有 BE 节点。更多证书相关问题,请参阅 [数据湖 FAQ - 证书问题](../../faq/lakehouse-faq.md#证书问题)。 + 示例: ```properties diff --git a/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/s3.md b/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/s3.md index 21a03ae8168fc..4af4065f2ae6c 100644 --- a/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/s3.md +++ b/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/lakehouse/storages/s3.md 
@@ -29,6 +29,18 @@ - 环境中使用了自签名证书、私有 CA,或者会重签 TLS 流量的企业代理或网关。 - 访问 S3 时出现 `Problem with the SSL CA cert` 或 `curl 77: Problem with the SSL CA cert (path? access rights?)` 等错误。 +> **对于不支持 `ca_cert_file_paths` 的版本:** `ca_cert_file_paths` 参数自 Doris 2.1 起可用。如果你使用的是 Doris 2.0.x 或更早版本并遇到 SSL CA 证书错误,需要确保系统 CA 证书已正确安装,并且 CA 证书包位于 `/etc/ssl/certs/ca-certificates.crt`: +> +> - **RHEL / CentOS / RockyLinux:** +> ```bash +> yum install -y ca-certificates +> update-ca-trust +> ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/ssl/certs/ca-certificates.crt +> ``` +> - **Debian / Ubuntu:** `apt-get install -y ca-certificates` +> +> 然后重启所有 BE 节点。更多证书相关问题,请参阅 [数据湖 FAQ - 证书问题](../../faq/lakehouse-faq.md#证书问题)。 + 示例: ```properties diff --git a/versioned_docs/version-4.x/lakehouse/storages/azure-blob.md b/versioned_docs/version-4.x/lakehouse/storages/azure-blob.md index 7c99095fc0da0..1d6e5ac84cd6b 100644 --- a/versioned_docs/version-4.x/lakehouse/storages/azure-blob.md +++ b/versioned_docs/version-4.x/lakehouse/storages/azure-blob.md 
@@ -31,6 +31,18 @@ By default, if `ca_cert_file_paths` is not configured, Doris uses the operating - Your environment uses a self-signed certificate, a private CA, or a corporate proxy or gateway that re-signs TLS traffic. - You encounter errors such as `Problem with the SSL CA cert` or `curl 77: Problem with the SSL CA cert (path? access rights?)` when accessing Azure Blob Storage. +> **For versions without `ca_cert_file_paths`:** The `ca_cert_file_paths` parameter is available starting from Doris 3.1.5 and 4.0.5. If you are using an older version and encounter SSL CA certificate errors, you must ensure the system CA certificates are properly installed and the CA bundle exists at `/etc/ssl/certs/ca-certificates.crt`: +> +> - **RHEL / CentOS / RockyLinux:** +> ```bash +> yum install -y ca-certificates +> update-ca-trust +> ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/ssl/certs/ca-certificates.crt +> ``` +> - **Debian / Ubuntu:** `apt-get install -y ca-certificates` +> +> Then restart all BE nodes. For more details on certificate issues, see [Lakehouse FAQ - Certificate Issues](../../faq/lakehouse-faq.md#certificate-issues). + Example: ```properties diff --git a/versioned_docs/version-4.x/lakehouse/storages/s3.md b/versioned_docs/version-4.x/lakehouse/storages/s3.md index 5ee2959fc6bba..62b7e9066a9f8 100644 --- a/versioned_docs/version-4.x/lakehouse/storages/s3.md +++ b/versioned_docs/version-4.x/lakehouse/storages/s3.md 
@@ -29,6 +29,18 @@ By default, if `ca_cert_file_paths` is not configured, Doris uses the operating - Your environment uses a self-signed certificate, a private CA, or a corporate proxy or gateway that re-signs TLS traffic. - You encounter errors such as `Problem with the SSL CA cert` or `curl 77: Problem with the SSL CA cert (path? access rights?)` when accessing S3. +> **For versions without `ca_cert_file_paths`:** The `ca_cert_file_paths` parameter is available starting from Doris 2.1. If you are using Doris 2.0.x or earlier and encounter SSL CA certificate errors, you must ensure the system CA certificates are properly installed and the CA bundle exists at `/etc/ssl/certs/ca-certificates.crt`: +> +> - **RHEL / CentOS / RockyLinux:** +> ```bash +> yum install -y ca-certificates +> update-ca-trust +> ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/ssl/certs/ca-certificates.crt +> ``` +> - **Debian / Ubuntu:** `apt-get install -y ca-certificates` +> +> Then restart all BE nodes. For more details on certificate issues, see [Lakehouse FAQ - Certificate Issues](../../faq/lakehouse-faq.md#certificate-issues). + Example: ```properties
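Review bot: In the RHEL block of `docs/lakehouse/storages/azure-blob.md`, the `ln -s ... /etc/ssl/certs/ca-certificates.crt` line is not idempotent and points at the wrong extract. It fails with "File exists" on a re-run or on any host where that path is already present, and `openssl/ca-bundle.trust.crt` is the `BEGIN TRUSTED CERTIFICATE` format bundle that carries CAs for every trust purpose, not only TLS server authentication. Suggest linking `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` instead and using `ln -sf`, or guarding the command with `[ -e /etc/ssl/certs/ca-certificates.crt ] ||`. The same line is repeated in the other seven hunks.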
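Review bot: The note added to `docs/lakehouse/storages/s3.md` never says how to get a private CA into the system store, although it sits directly under the bullet about self-signed certificates, private CAs and re-signing proxies. Installing `ca-certificates` only supplies the public roots, so the RHEL block and the Debian line as written do not cover that case. Suggest adding the missing step: copy the CA PEM into `/etc/pki/ca-trust/source/anchors/` before `update-ca-trust` on RHEL, and into `/usr/local/share/ca-certificates/` with a `.crt` extension followed by `update-ca-certificates` on Debian / Ubuntu. One sentence stating that this changes trust for every process on the BE host, not only Doris, would also help operators decide whether to upgrade instead.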
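Review bot: The FAQ link in the four zh-CN hunks ends in `#证书问题`, and nothing in this patch shows that the zh-CN `lakehouse-faq.md` has a heading that produces that anchor. Please confirm the anchor against the heading text in that file; if they differ, the link lands at the top of the FAQ instead of the certificate section. If the heading carries an explicit ID, reuse `#certificate-issues` as in the English hunks so both languages share one anchor.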
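Review bot: The wording "available starting from Doris 3.1.5 and 4.0.5" in `versioned_docs/version-4.x/lakehouse/storages/azure-blob.md` leaves the affected range implicit. A reader on 4.0.3, the case the commit message names, has to infer that 4.0.0 through 4.0.4 lack the parameter even though those versions are numerically later than 3.1.5. Suggest stating the range per release line, for example "3.1.5 and later on the 3.1 line, 4.0.5 and later on the 4.0 line", and applying the same wording to the other Azure Blob copies.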
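Review bot: The sentence "If you are using Doris 2.0.x or earlier" in `versioned_docs/version-4.x/lakehouse/storages/s3.md` and its zh-CN version-4.x copy addresses readers who are not on the release line this copy documents. By the note's own statement, every 4.x release already has `ca_cert_file_paths` for S3. Suggest dropping the note from the version-4.x S3 pages, or reducing it to a one-line pointer to the FAQ, and keeping the full workaround only where 2.0.x readers would look for it.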