
Yandex.Cloud Managed instances

Oleg V. Kozlyuk edited this page Sep 1, 2022 · 4 revisions

ClickHouse.Client supports connecting to "managed" ClickHouse instances in Yandex.Cloud. Yandex.Cloud issues the server certificates of managed instances from its own root certification authority, which is not present in the operating system's default trust store, so a TLS (SSL) connection fails certificate validation out of the box. There are two ways to make it work: pin the Yandex root in a custom server-certificate validation callback (Option 1), or install the Yandex root certificate into the system truststore (Option 2). Option 1 limits the extra trust to the one HttpClient that talks to ClickHouse; Option 2 makes the Yandex root trusted for every application on the machine (or for the current user on Windows) that relies on the system store.

Option 1: Certificate pinning

    using System;
    using System.Linq;
    using System.Net.Http;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    // Matches the signature of HttpClientHandler.ServerCertificateCustomValidationCallback
    private static bool ServerCertificateCustomValidation(HttpRequestMessage requestMessage, X509Certificate2? certificate, X509Chain? chain, SslPolicyErrors sslErrors)
    {
        // Hardcode or pass as parameter via currying.
        // X509Certificate2.Thumbprint is the SHA-1 hash of the DER-encoded certificate (uppercase hex, no separators).
        const string YandexRootCAThumbprint = "AAA1450272071C2D8D7F48469886180B7685EF94";

        if (certificate is null || chain is null)
            return false;

        // Only chain-trust errors may be tolerated below. A hostname mismatch (RemoteCertificateNameMismatch)
        // must always fail, otherwise any certificate issued under the pinned root would be accepted for this host.
        if ((sslErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
            return false;

        // Any chain problem other than "root not in the OS store" (expired, revoked, bad signature, ...) is fatal
        if (chain.ChainStatus.Any(status => status.Status != X509ChainStatusFlags.UntrustedRoot))
            return false;

        foreach (var element in chain.ChainElements)
        {
            foreach (var status in element.ChainElementStatus)
            {
                if (status.Status == X509ChainStatusFlags.UntrustedRoot)
                {
                    // If the root is not trusted by the OS, accept it only when it is the pinned Yandex root
                    if (string.Equals(element.Certificate.Thumbprint, YandexRootCAThumbprint, StringComparison.OrdinalIgnoreCase))
                        continue;
                }

                return false;
            }
        }

        // Reached only if the chain is clean, or its sole defect is the untrusted but pinned root
        return true;
    }
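The following is an added example written for this page; it is not code from ClickHouse.Client or from Yandex. It turns Option 1 into a complete connection: a small factory produces the validation delegate with the expected root thumbprint passed in (the "currying" the comment above mentions), the delegate is attached to an HttpClientHandler, and the HttpClient is handed to ClickHouseConnection. It also contains an offline self-check that builds a throwaway root and leaf certificate in memory and runs the callback against them, showing that the pinned root is accepted while a different pinned value and a hostname mismatch are both rejected. Assumptions: the ClickHouseConnection(string connectionString, HttpClient httpClient) constructor overload and the Host/Port/Protocol/Username/Password/Database connection-string keys (check them against your ClickHouse.Client version); host, user and database names are placeholders, and the test certificates are constructed here, not Yandex's.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using ClickHouse.Client.ADO;

public static class PinnedYandexClickHouse
{
    // Thumbprint from Option 1 above (SHA-1 of the DER-encoded Yandex root, as X509Certificate2.Thumbprint reports it)
    public const string YandexRootCAThumbprint = "AAA1450272071C2D8D7F48469886180B7685EF94";

    // "Currying": the expected root thumbprint is captured by the returned delegate instead of being hardcoded inside it
    public static Func<HttpRequestMessage, X509Certificate2?, X509Chain?, SslPolicyErrors, bool> PinRoot(string expectedRootThumbprint)
        => (request, certificate, chain, sslErrors) => ValidatePinnedRoot(certificate, chain, sslErrors, expectedRootThumbprint);

    public static bool ValidatePinnedRoot(X509Certificate2? certificate, X509Chain? chain, SslPolicyErrors sslErrors, string expectedRootThumbprint)
    {
        if (certificate is null || chain is null)
            return false;
        // A hostname mismatch or a missing certificate is never acceptable; only chain-trust problems are examined below
        if ((sslErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
            return false;
        if (sslErrors == SslPolicyErrors.None)
            return true; // chains to a root the OS already trusts (for example after Option 2)
        // The only tolerated chain defect is UntrustedRoot, and only when that root is the pinned one
        if (chain.ChainStatus.Any(s => s.Status != X509ChainStatusFlags.UntrustedRoot))
            return false;
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, expectedRootThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Wire the callback into the HttpClient that ClickHouse.Client uses for the HTTPS interface (port 8443 on managed instances).
    // Assumption: the ClickHouseConnection(string connectionString, HttpClient httpClient) constructor; verify against your library version.
    public static ClickHouseConnection Connect(string host, string user, string password, string database)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = PinRoot(YandexRootCAThumbprint)
        };
        var httpClient = new HttpClient(handler);
        var connectionString = $"Host={host};Port=8443;Protocol=https;Username={user};Password={password};Database={database}";
        var connection = new ClickHouseConnection(connectionString, httpClient);
        connection.Open();
        return connection;
    }

    // Offline self-check with a throwaway root/leaf pair constructed here (these are not Yandex certificates):
    // the pinned root is accepted, a different pinned value is rejected, and a hostname mismatch is rejected
    public static (bool pinnedAccepted, bool otherRejected, bool nameMismatchRejected) SelfCheck()
    {
        using var rootKey = RSA.Create(2048);
        var rootRequest = new CertificateRequest("CN=Throwaway Test Root", rootKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        rootRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(certificateAuthority: true, hasPathLengthConstraint: false, pathLengthConstraint: 0, critical: true));
        rootRequest.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(rootRequest.PublicKey, critical: false));
        using var root = rootRequest.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));

        using var leafKey = RSA.Create(2048);
        var leafRequest = new CertificateRequest("CN=clickhouse.test.invalid", leafKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var leaf = leafRequest.Create(root, root.NotBefore, root.NotAfter, new byte[] { 0x01, 0x02, 0x03 });

        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.ExtraStore.Add(root);
        chain.Build(leaf); // returns false: the throwaway root is not in the OS store, so ChainStatus reports UntrustedRoot

        const SslPolicyErrors chainErrors = SslPolicyErrors.RemoteCertificateChainErrors;
        bool pinnedAccepted = ValidatePinnedRoot(leaf, chain, chainErrors, root.Thumbprint);
        bool otherRejected = !ValidatePinnedRoot(leaf, chain, chainErrors, YandexRootCAThumbprint);
        bool nameMismatchRejected = !ValidatePinnedRoot(leaf, chain, chainErrors | SslPolicyErrors.RemoteCertificateNameMismatch, root.Thumbprint);
        return (pinnedAccepted, otherRejected, nameMismatchRejected);
    }
}
```

ValidatePinnedRoot compares the last element of the chain rather than walking every element's status list; for a chain that .NET has built normally the two approaches agree, because UntrustedRoot is reported on the root element. The self-check needs no network access and no Yandex material, so it can run in a unit test to make sure a refactoring of the callback never starts accepting a hostname mismatch.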

Option 2: Install the Yandex root certificate into the system truststore

Linux

# Debian/Ubuntu layout: place the PEM under /usr/local/share/ca-certificates and let update-ca-certificates
# add it to /etc/ssl/certs, the store OpenSSL (and therefore .NET on Linux) consults
sudo mkdir -p /usr/local/share/ca-certificates/Yandex && \
sudo wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" -O /usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt && \
sudo chmod 644 /usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt && \
sudo update-ca-certificates

update-ca-certificates only picks up files with a .crt extension, which is why the downloaded CA.pem is saved under that name; without running it the file is merely on disk and nothing trusts it. Before running it, compare the file's SHA-1 fingerprint (openssl x509 -noout -fingerprint -sha1 -in the downloaded .crt) with the thumbprint used in Option 1: .NET's X509Certificate2.Thumbprint is that same SHA-1 value, written without colons.

On RHEL-based distributions (RHEL, CentOS, Fedora) the bundle under /etc/pki/tls/certs/ is generated rather than edited directly: copy the .crt into /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust instead of update-ca-certificates.

Windows

New-Item -ItemType Directory -Force $HOME\.clickhouse | Out-Null
# -OutFile writes the response body to disk as-is, whatever Content-Type the server reports
Invoke-WebRequest -Uri https://storage.yandexcloud.net/cloud-certs/CA.pem -OutFile $HOME\.clickhouse\YandexInternalRootCA.crt
# Show the thumbprint of the downloaded root and compare it with the value pinned in Option 1 before trusting it
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "$HOME\.clickhouse\YandexInternalRootCA.crt"
$ca.Thumbprint
# Import into the current user's Trusted Root store (Windows asks for confirmation); use Cert:\LocalMachine\Root from an elevated shell to trust it for all users
Import-Certificate -FilePath $HOME\.clickhouse\YandexInternalRootCA.crt -CertStoreLocation Cert:\CurrentUser\Root

Import-Certificate comes from the PKI module that ships with Windows PowerShell. .NET on Windows validates against the Windows certificate store, so once the root is in CurrentUser\Root the default HttpClientHandler accepts the managed instance's certificate without a custom callback.

See the Yandex.Cloud documentation for details.