Assuming the truststore you are referencing is the same one the server is using, it's probably in the wrong format. You will need to export the cert into a PEM format for use in the (Python) cqlsh client. If exporting from the Java keystore format, use

    keytool -exportcert <source keystore, pass, etc> -rfc -file <output file>

If you have the crt file, you should be able to accomplish the same using openssl:

    openssl x509 -in <in crt> -inform DER -out <output file> -outform PEM

Then, you should refer to that PEM file in your command. Alternatively, you can specify a path to the file (along with other options) in your cqlshrc file.

References:
How cqlsh picks up ssl options
<https://github.com/apache/cassandra/blob/cassandra-2.1/pylib/cqlshlib/sslhandling.py>
Example cqlshrc file
<https://github.com/apache/cassandra/blob/cassandra-2.1/conf/cqlshrc.sample>

Adam Holmberg

On Wed, Jan 28, 2015 at 1:08 AM, Lu, Boying <boying...@emc.com> wrote:

> Hi, All,
>
> Does anyone know the answer?
>
> Thanks a lot
>
> Boying
>
> *From:* Lu, Boying
> *Sent:* 6 January 2015 11:21
> *To:* user@cassandra.apache.org
> *Subject:* How to use cqlsh to access Cassandra DB if the
> client_encryption_options is enabled
>
> Hi, All,
>
> I turned on the dbclient_encryption_options like this:
>
> client_encryption_options:
>     enabled: *true*
>     keystore: path-to-my-keystore-file
>     keystore_password: my-keystore-password
>     truststore: path-to-my-truststore-file
>     truststore_password: my-truststore-password
>     …
>
> I can use the following cassandra-cli command to access the DB:
>
> cassandra-cli -ts path-to-my-truststore-file -tspw my-truststore-password
> -tf org.apache.cassandra.thrift.SSLTransportFactory
>
> But when I tried to access the DB by cqlsh like this:
>
> SSL_CERTFILE=path-to-my-truststore cqlsh -t
> cqlishlib.ssl.ssl_transport_factory
>
> I got the following error:
>
> Connection error: Could not connect to localhost:9160: [Errno 0]
> _ssl.c:332: error:00000000:lib(0):func(0):reason(0)
>
> I guess the reason may be that I didn't provide the truststore password.
> But cqlsh doesn't provide such an option.
>
> Does anyone know how to resolve this issue?
>
> Thanks
>
> Boying
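A pre-flight check for the format problem described in the reply above, as an added example that is not part of the thread or of cqlsh: it inspects the leading bytes of the file that SSL_CERTFILE would point at and tells a Java keystore apart from a DER or PEM certificate, converting DER to PEM with the standard library. The function names and the sample byte strings are assumptions made for this illustration.

```python
import ssl

JKS_MAGIC = b"\xfe\xed\xfe\xed"      # header of a Java keystore (JKS) file
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def _first_inner_tag(data):
    """Tag of the first element inside an outer DER SEQUENCE, else None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    length_byte = data[1]
    # Long-form lengths keep the count of following length bytes in the low 7 bits.
    offset = 2 + ((length_byte & 0x7F) if length_byte & 0x80 else 0)
    return data[offset] if offset < len(data) else None


def classify(data):
    """Guess the on-disk format of a certificate or truststore file."""
    if data.startswith(JKS_MAGIC):
        return "jks"
    if PEM_HEADER in data:
        return "pem"
    tag = _first_inner_tag(data)
    if tag == 0x30:
        return "der-x509"   # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ...
    if tag == 0x02:
        return "pkcs12"     # PFX ::= SEQUENCE { version INTEGER ...
    return "unknown"


def to_pem(data):
    """Return PEM text for PEM or DER input; refuse keystore containers."""
    kind = classify(data)
    if kind == "pem":
        return data.decode("ascii")
    if kind == "der-x509":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("%s file: export the certificate to PEM first" % kind)


# Constructed sample inputs (header bytes only, not real certificates or keystores).
SAMPLE_JKS = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 8
SAMPLE_DER = b"\x30\x82\x00\x08\x30\x82\x00\x04\x02\x01\x02\x00"

if __name__ == "__main__":
    for name, blob in (("truststore.jks", SAMPLE_JKS), ("server.crt", SAMPLE_DER)):
        print(name, "->", classify(blob))
```

A "jks" or "pkcs12" result means the file is a keystore container and the certificate still has to be exported with the keytool command from the reply before cqlsh can read it.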