If you figured this out, it would be helpful to add it to the developer
wiki: https://cwiki.apache.org/confluence/display/IMPALA/Impala+Home . I
gave you permissions to edit pages on it.

On Wed, Feb 21, 2018 at 6:36 PM, Vincent Tran <vtt...@cloudera.com> wrote:

> Please disregard. It turns out that both of the flags below were pointed to
> localhost. SSL certificate's CN is sensitive to that. Simply setting those
> flags to the FQDN matching your certificate's CN will do the trick.
> --state_store_host
> --catalog_service_host
>
> On Wed, Feb 21, 2018 at 7:13 PM, Vincent Tran <vtt...@cloudera.com> wrote:
>
> > Hi all,
> >
> > Is this the correct way to start the minicluster with SSL?
> > I have not had much luck with this (I've also tried to generate a new
> > self-signed cert/key pair, but Catalog couldn't connect to Statestore in
> > that case):
> >
> >
> > $IMPALA_HOME/bin/start-impala-cluster.py \
> >   --impalad_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem' \
> >   --catalogd_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem' \
> >   --state_store_args='--ssl_server_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem --ssl_private_key=$IMPALA_HOME/be/src/testutil/server-key.pem --ssl_client_ca_certificate=$IMPALA_HOME/be/src/testutil/server-cert.pem'
> >
> >
> > Starting State Store logging to /data/vtran/Impala/logs/cluster/statestored.INFO
> > Starting Catalog Service logging to /data/vtran/Impala/logs/cluster/catalogd.INFO
> > Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad.INFO
> > Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad_node1.INFO
> > Starting Impala Daemon logging to /data/vtran/Impala/logs/cluster/impalad_node2.INFO
> > MainThread: Found 3 impalad/1 statestored/1 catalogd process(es)
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > ...
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > MainThread: Getting num_known_live_backends from blackbox:25000
> > MainThread: Waiting for num_known_live_backends=3. Current value: 0
> > Error starting cluster: num_known_live_backends did not reach expected value in time
> >
> >
> >
> >
> > Daemon 1
> > https://gist.github.com/vtstran/0d8db4959db7de6407a9e5da1ed4375c
> >
> > Statestore
> > https://gist.github.com/vtstran/93c37a44109900325070a5c67eddcff9
> >
> > openssl s_client output
> > https://gist.github.com/vtstran/cd26162457f9bcc271f6e8e0c1452078
> >
> >
> >
> > *TLDNR:* statestore has this complaint:
> >
> > I0221 18:50:08.176901 98753 client-cache.h:304] RPC Error: Client for blackbox:23020 hit an unexpected exception: authorize: cannot authorize peer, type: N6apache6thrift9transport13TSSLExceptionE, rpc: N6impala18THeartbeatResponseE, send: not done
> > But I verified with openssl s_client that the provided CA should connect
> > okay.
> >
> > So I feel like I may be missing something subtle here...
> >
> >
> >
>
>
> --
> Vincent T. Tran
> Customer Operations Engineer
> Cloudera, Inc.
>
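
The hostname check behind the fix described in this thread, as an added example that is not part of the original messages or of Impala's own tooling: before starting the cluster, confirm that each name you plan to pass to --state_store_host and --catalog_service_host is a name the server certificate is valid for. The function names, the constructed self-signed certificate and the FQDN blackbox.example.test are assumptions made for the demo; it relies on the openssl CLI (1.0.2 or later for -checkhost).

```shell
#!/bin/sh
# Added example: pre-flight check that the hosts given to --state_store_host
# and --catalog_service_host are names the server certificate is valid for.

# host_matches_cert CERT HOST: succeed only if openssl accepts HOST for CERT.
# openssl checks subjectAltName DNS entries, falling back to the subject CN.
host_matches_cert() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# preflight CERT HOST...: report every host; return 1 if any host is rejected.
preflight() {
    cert=$1; shift
    rc=0
    for host in "$@"; do
        if host_matches_cert "$cert" "$host"; then
            echo "OK    $host"
        else
            echo "FAIL  $host (not a name in $cert)"
            rc=1
        fi
    done
    return $rc
}

# make_sample_cert DIR CN: constructed self-signed certificate, demo use only.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo with a constructed certificate; blackbox.example.test is a made-up FQDN.
# "localhost" is rejected and the FQDN is accepted, mirroring the thread.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" blackbox.example.test
preflight "$demo_dir/cert.pem" localhost blackbox.example.test || true
rm -rf "$demo_dir"
```

Against a real deployment, call `preflight` with the file given to --ssl_server_certificate and the host values you intend to use.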
