Cloudera Data Engineering CLI TLS configuration

All CDE virtual cluster endpoints are configured with TLS. In non-production or on-premises environments, the TLS certificates are usually signed by a non-production or non-public certificate authority (CA). In these cases, without additional configuration, the CLI tool fails when it attempts to validate the API server's TLS certificate. The CLI provides a TLS configuration option for use with non-public or non-production CAs.

Specify a file containing the PEM encoded public certificate(s) of the signing CA in one of the following ways:

  • add the --tls-ca-certs [***/PATH/TO/CA.PEM***] flag on the command line
  • define the tls-ca-certs: [***/PATH/TO/CA.PEM***] variable in the ~/.cde/config.yaml configuration file
  • set the CDE_TLS_CA_CERTS environment variable

Replace [***/PATH/TO/CA.PEM***] with the path to a valid ca.pem file.

Certificates for CDE are issued and signed by LetsEncrypt and Amazon. If you are using an older system that does not already trust these certificate authorities, you must specify them as trusted using the --tls-ca-certs option. Additionally, if you are using the CDE CLI on Microsoft Windows with the --tls-ca-certs option, the operating system trusted root CAs are ignored. To make sure that your CA certificate file includes all of the necessary certificates, you can download the certificate chain by doing the following:

  1. Go to the Cloudera Data Engineering Overview page.
  2. In the Environments column, select the environment containing the virtual cluster you want to interact with.
  3. In the Virtual Clusters column on the right, click the Cluster Details icon for the virtual cluster you want to interact with.
  4. Click JOBS API URL to copy the link to your clipboard.
  5. Paste the link into your browser and press Enter.
  6. In your browser, click the lock icon to view the certificate chain.
  7. Export the certificate chain as a Base64-encoded X.509 certificate (.CER). Save it as ca.pem.
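
A pre-flight check for the exported ca.pem, added here as an example and not part of the Cloudera documentation or the CDE CLI: it confirms that the file really is Base64 PEM and that it contains at least one CA certificate rather than only the server certificate. The names InspectBundle and sampleCert are hypothetical, and the certificates are constructed in memory so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// InspectBundle (hypothetical helper) counts CA and non-CA certificates in a PEM bundle.
func InspectBundle(data []byte) (cas, leaves int, problems []string) {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		switch {
		case block.Type != "CERTIFICATE":
			problems = append(problems, "unexpected PEM block: "+block.Type)
		case err != nil:
			problems = append(problems, "unparseable certificate: "+err.Error())
		case cert.IsCA:
			cas++
		default:
			leaves++ // server certificate: harmless, but not a trust anchor
		}
	}
	if cas == 0 {
		problems = append(problems, "no CA certificate found (DER export or leaf only?)")
	}
	return
}

// sampleCert builds a constructed, self-signed certificate so the demo runs offline.
func sampleCert(cn string, isCA bool) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	bundle := append(sampleCert("constructed root CA", true), sampleCert("constructed leaf", false)...)
	fmt.Println(InspectBundle(bundle))
}
```

In real use, pass InspectBundle the bytes of the file you intend to give to --tls-ca-certs (for example, read with os.ReadFile) instead of the constructed bundle.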