Yandex.Cloud Managed instances - DarkWanderer/ClickHouse.Client GitHub Wiki
ClickHouse.Client supports connecting to "managed" ClickHouse instances in Yandex.Cloud. Because Yandex.Cloud uses its own root certificate authority, that root certificate must be trusted by the client — either pinned in code (Option 1) or installed into the system trust store (Option 2) — before one can connect to a managed instance using SSL.
Option 1: Certificate pinning
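/// <summary>
/// Certificate validation callback (shape of <c>HttpClientHandler.ServerCertificateCustomValidationCallback</c>)
/// that accepts a chain whose only problem is an untrusted root, provided that root is the pinned
/// Yandex.Cloud root CA. Every other validation failure (hostname mismatch, missing certificate,
/// expired/revoked/invalid intermediates) is still rejected.
/// </summary>
/// <param name="requestMessage">The request being validated; unused, present to match the callback signature.</param>
/// <param name="certificate">The server's leaf certificate, or <c>null</c> if none was presented.</param>
/// <param name="chain">The chain built for <paramref name="certificate"/>, or <c>null</c>.</param>
/// <param name="sslErrors">Policy errors reported by the TLS layer for this handshake.</param>
/// <returns>
/// <c>true</c> if the chain is fully trusted, or if its only defect is an untrusted root whose
/// thumbprint equals the pinned Yandex root; <c>false</c> otherwise.
/// </returns>
private static bool ServerCertificateCustomValidation(HttpRequestMessage requestMessage, X509Certificate2? certificate, X509Chain? chain, SslPolicyErrors sslErrors)
{
    // Hardcode or pass as parameter via currying.
    // SHA-1 thumbprint (hex of the DER encoding) of the Yandex root CA; must be updated when the CA is rotated.
    const string YandexRootCAThumbprint = "AAA1450272071C2D8D7F48469886180B7685EF94";

    // Nothing to pin against: the parameters are nullable and dereferencing them would throw
    // inside the TLS handshake instead of failing validation cleanly.
    if (certificate is null || chain is null)
        return false;

    // Only chain errors may be tolerated (the pinned root is, by definition, not in the OS store).
    // A hostname mismatch or a missing certificate must still fail, otherwise any certificate
    // issued under the Yandex root would be accepted for any host name.
    if ((sslErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
        return false;

    // Any chain-level problem other than the untrusted root (expired, revoked, wrong key usage, ...) is fatal.
    if (chain.ChainStatus.Any(status => status.Status != X509ChainStatusFlags.UntrustedRoot))
        return false;

    foreach (var element in chain.ChainElements)
    {
        foreach (var status in element.ChainElementStatus)
        {
            // The only tolerated element status is UntrustedRoot, and only on the pinned root itself.
            if (status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;

            // Thumbprints are hex strings; compare ordinally so casing of the constant cannot matter.
            if (!string.Equals(element.Certificate.Thumbprint, YandexRootCAThumbprint, StringComparison.OrdinalIgnoreCase))
                return false;
        }
    }

    // Either the chain was fully trusted, or its only defect was the pinned root.
    return true;
}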
Option 2: Install Yandex certificate to truststore
Linux
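#!/bin/sh
# Install the Yandex.Cloud root CA into the system trust store (Debian/Ubuntu layout;
# RHEL-based systems use a different directory, see the note below, and refresh the bundle
# with update-ca-trust). Run this as a script rather than pasting it line by line.
# Note: this trusts the CA for every TLS client on the host, not only ClickHouse.Client;
# Option 1 (pinning in the application) is the narrower choice.
CA_DIR=/usr/local/share/ca-certificates/Yandex
CA_FILE="$CA_DIR/YandexInternalRootCA.crt"
# Thumbprint published on this page (SHA-1 hex of the DER certificate). The download is
# refused if it does not match, so a wrong or replaced file is never added to the trust store.
EXPECTED_SHA1=AAA1450272071C2D8D7F48469886180B7685EF94

sudo mkdir -p "$CA_DIR" || exit 1
sudo wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" -O "$CA_FILE" || exit 1
# 644, not 655: a certificate file needs no execute bit.
sudo chmod 644 "$CA_FILE" || exit 1

# Verify what was downloaded before trusting it (requires openssl).
ACTUAL_SHA1=$(openssl x509 -noout -fingerprint -sha1 -in "$CA_FILE" | cut -d= -f2 | tr -d ':')
if [ "$ACTUAL_SHA1" != "$EXPECTED_SHA1" ]; then
    echo "Unexpected CA fingerprint '$ACTUAL_SHA1', refusing to install it" >&2
    sudo rm -f "$CA_FILE"
    exit 1
fi

# Without this step the new .crt is not merged into the system bundle.
sudo update-ca-certificates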
On RHEL-based systems, root certificates are located in /etc/pki/tls/certs/ instead.
Windows
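# Install the Yandex.Cloud root CA into the current user's Trusted Root store.
# Note: this trusts the CA for every TLS client running under this account, not only
# ClickHouse.Client; Option 1 (pinning in the application) is the narrower choice.
$CaDir  = Join-Path $HOME '.clickhouse'
$CaFile = Join-Path $CaDir 'YandexInternalRootCA.crt'
# Thumbprint published on this page (SHA-1 hex of the DER certificate).
$ExpectedThumbprint = 'AAA1450272071C2D8D7F48469886180B7685EF94'

New-Item -ItemType Directory -Force -Path $CaDir | Out-Null

# -OutFile writes the response body as received. The previous RawContent/Split/[-31..-1]
# slice assumed the PEM was exactly 31 lines and would silently truncate a longer one.
Invoke-WebRequest -Uri 'https://storage.yandexcloud.net/cloud-certs/CA.pem' -OutFile $CaFile

# Verify what was downloaded before trusting it; refuse to install anything else.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaFile
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    Remove-Item -Force $CaFile
    throw "Unexpected CA thumbprint '$($cert.Thumbprint)', refusing to install it"
}

Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\CurrentUser\Root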