How to import a custom CA certificate

When working with Python, you may need to import a custom CA certificate so that connections to your endpoints do not fail with errors such as the following.

ConnectionError: HTTPSConnectionPool(host='my_server_endpoint', port=443): Max retries exceeded with url: /endpoint (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fb73dc3b3d0>: Failed to establish a new connection: [Errno 110] Connection timed out',))

Note that the message above is a connection timeout, a network-level failure; a server certificate that the client does not trust surfaces in requests as requests.exceptions.SSLError with CERTIFICATE_VERIFY_FAILED. Check which of the two you are seeing before changing the trust store.

To import one or more custom CA certificates into your Azure Databricks cluster:

  1. Create an init script that adds the entire CA chain and sets the REQUESTS_CA_BUNDLE environment variable.

    In this example, the PEM format CA certificates are written to the file myca.crt located in /usr/local/share/ca-certificates/. This file is referenced in the custom-cert.sh init script.

    dbutils.fs.put("/databricks/init-scripts/custom-cert.sh", """#!/bin/bash
    # Fail the cluster start if any step fails, rather than silently leaving
    # the CA out of the trust store and debugging SSL errors later.
    set -e

    # Write the full chain (root plus any intermediates, PEM format) where
    # update-ca-certificates expects to find it.
    cat << 'EOF' > /usr/local/share/ca-certificates/myca.crt
    -----BEGIN CERTIFICATE-----
    <CA CHAIN 1 CERTIFICATE CONTENT>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <CA CHAIN 2 CERTIFICATE CONTENT>
    -----END CERTIFICATE-----
    EOF

    # Rebuilds /etc/ssl/certs/ca-certificates.crt and links myca.crt in as
    # /etc/ssl/certs/myca.pem.
    update-ca-certificates

    PEM_FILE="/etc/ssl/certs/myca.pem"
    PASSWORD="<password>"   # OpenJDK ships cacerts with the password "changeit"
    KEYSTORE="/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts"

    CERTS=$(grep -c 'END CERTIFICATE' "$PEM_FILE")

    # keytool imports one certificate per call, so extract each block from the
    # PEM file and import it into the Java KeyStore under its own alias.
    for N in $(seq 0 $(($CERTS - 1))); do
      ALIAS="$(basename "$PEM_FILE")-$N"
      echo "Adding to keystore with alias:$ALIAS"
      awk "n==$N { print }; /END CERTIFICATE/ { n++ }" "$PEM_FILE" |
        keytool -noprompt -import -trustcacerts \
                -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$PASSWORD"
    done

    # Point requests at the rebuilt system bundle, which now contains the
    # custom CA alongside the distribution's public roots.
    echo "export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt" >> /databricks/spark/conf/spark-env.sh
    """, True)
    

    Note

    /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts is the default location of the keystore. If you have modified the location of cacerts on your cluster, update this value to match the current location.

    REQUESTS_CA_BUNDLE is honored by requests and by libraries built on it; the JVM trusts only what is in the cacerts keystore, and other OpenSSL-based clients read the system bundle or SSL_CERT_FILE. That is why the script imports the chain into both the system bundle and the keystore.

  2. Attach the init script to the cluster as a cluster-scoped init script.

  3. Restart the cluster.
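After the restart, it is worth confirming from a notebook that the init script actually took effect before trusting the next SSL error. The check below is an added example, not code from the original article or from Azure Databricks: it splits a PEM bundle the same way the init script's awk loop does, fingerprints each certificate (SHA-256 over the DER bytes, the value openssl x509 -fingerprint -sha256 prints), reports which certificates from myca.crt are absent from the bundle, and reads REQUESTS_CA_BUNDLE the way requests does. The certificate bodies embedded in it are constructed base64 stand-ins, not real X.509 data, so it runs offline; the file paths in the __main__ block are the ones used by the init script above.

```python
import base64
import hashlib
import os
import re
import ssl

# Matches each certificate block in a PEM bundle, in file order. This is the
# same split the init script's awk loop performs before calling keytool.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(bundle_text):
    """Return the individual PEM certificates found in bundle_text, in order."""
    return [
        "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % m.group(1).strip()
        for m in _PEM_BLOCK.finditer(bundle_text)
    ]


def cert_fingerprint(pem_cert):
    """SHA-256 over the DER bytes of one PEM certificate (hex string)."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def missing_from_bundle(bundle_text, custom_ca_text):
    """Fingerprints of certificates in custom_ca_text that the bundle lacks.

    An empty list means every certificate of the custom chain is present.
    """
    want = {cert_fingerprint(c) for c in split_pem_bundle(custom_ca_text)}
    have = {cert_fingerprint(c) for c in split_pem_bundle(bundle_text)}
    return sorted(want - have)


def requests_ca_bundle_path(env=None):
    """Bundle path requests will verify against, or None.

    requests reads REQUESTS_CA_BUNDLE ahead of certifi's bundle. If the
    export from spark-env.sh did not reach this process, this returns None
    and requests is still verifying against certifi, which has no custom CA.
    """
    env = os.environ if env is None else env
    path = env.get("REQUESTS_CA_BUNDLE")
    return path if path and os.path.isfile(path) else None


def _constructed_cert(label):
    """Constructed PEM block whose body is base64 of a label, not real X.509.

    Only so the example runs offline; a real bundle holds DER-encoded X.509.
    """
    body = base64.encodebytes(("constructed-ca:" + label).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed stand-ins for the system bundle and for myca.crt.
SYSTEM_BUNDLE = (
    _constructed_cert("mozilla-root")
    + _constructed_cert("my-intermediate")
    + _constructed_cert("my-root")
)
MYCA_CRT = _constructed_cert("my-intermediate") + _constructed_cert("my-root")
MYCA_CRT_UNINSTALLED = _constructed_cert("other-root")


if __name__ == "__main__":
    # On a cluster, run against the real files written by the init script.
    bundle = requests_ca_bundle_path() or "/etc/ssl/certs/ca-certificates.crt"
    try:
        with open(bundle) as f, open("/usr/local/share/ca-certificates/myca.crt") as g:
            gaps = missing_from_bundle(f.read(), g.read())
        print("REQUESTS_CA_BUNDLE resolved to:", requests_ca_bundle_path())
        print("custom certificates missing from bundle:", gaps or "none")
        # Confirm Python's own ssl module can parse and load the bundle.
        ssl.create_default_context(cafile=bundle)
    except OSError as exc:
        print("not running on a cluster with the init script applied:", exc)
```

If requests_ca_bundle_path() returns None in a notebook, the export in spark-env.sh did not reach the Python process and requests is still using certifi; if the missing list is non-empty, update-ca-certificates did not pick up myca.crt (check the .crt extension and the directory). For the JVM side, keytool -list -keystore "$KEYSTORE" -storepass "$PASSWORD" | grep myca.pem shows the aliases the loop created.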