[ https://issues.apache.org/jira/browse/AMBARI-20600?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15946041#comment-15946041 ]
Aravindan Vijayan commented on AMBARI-20600:
--------------------------------------------
PROBLEM
The Grafana util script makes HTTPS calls with the server endpoint to create
the datasource, dashboards, etc. For this call, it validates the server's
certificate with the CA certificate using the
https://docs.python.org/2/library/ssl.html#ssl.get_server_certificate call.
This call checks the certificate validity against a root certificate list.
The Grafana cert file (/configurations/ams-grafana-ini/cert_file) can be used
both by the Grafana server to start up in HTTPS as well as in this validation
step if the cert file is not a leaf certificate (for example, a self-signed
certificate). If there is a CA which issued the certificate for Grafana HTTPS,
then the CA bundle must be used to validate the server's certificate.
FIX
Added a new parameter that takes in the ca_cert, defaulting to the cert file.
Grafana start should not fail if we are not able to validate the certificate,
but are able to make HTTPS calls to the server. We will print out a warning
statement instead.
Thanks to [~rlevas] for helping out with this.
> AMS grafana restart fails with ssl error after upgrading from 2.4.2.0
> ---------------------------------------------------------------------
>
> Key: AMBARI-20600
> URL: https://issues.apache.org/jira/browse/AMBARI-20600
> Project: Ambari
> Issue Type: Bug
> Components: ambari-metrics
> Affects Versions: 2.5.0
> Reporter: Aravindan Vijayan
> Assignee: Aravindan Vijayan
> Priority: Critical
> Fix For: 2.5.1
>
>
> {code}
> Traceback (most recent call last):
> File
> "/var/lib/ambari-agent/cache/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana.py",
> line 79, in <module>
> AmsGrafana().execute()
> File
> "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py",
> line 314, in execute
> method(env)
> File
> "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py",
> line 767, in restart
> self.start(env)
> File
> "/var/lib/ambari-agent/cache/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana.py",
> line 58, in start
> create_grafana_admin_pwd()
> File
> "/var/lib/ambari-agent/cache/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py",
> line 235, in create_grafana_admin_pwd
> response = perform_grafana_get_call(GRAFANA_USER_URL, serverCall1)
> File
> "/var/lib/ambari-agent/cache/common-services/AMBARI_METRICS/0.1.0/package/scripts/metrics_grafana_util.py",
> line 59, in perform_grafana_get_call
> grafana_https_enabled, ca_certs)
> File "/usr/lib/python2.6/site-packages/ambari_commons/network.py", line 49,
> in get_http_connection
> ssl_version = check_ssl_certificate_and_return_ssl_version(host, port,
> ca_certs)
> File "/usr/lib/python2.6/site-packages/ambari_commons/network.py", line 66,
> in check_ssl_certificate_and_return_ssl_version
> .format(host, port, ca_certs, str(ssl_error)))
> resource_management.core.exceptions.Fail: Failed to verify the SSL
> certificate for https://<host>:3000 with CA certificate in
> /etc/security/ssl/test.cert. Error : [Errno 1] _ssl.c:492: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> {code}
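The distinction the comment draws between a self-signed cert file and a CA-issued one can be reproduced with the openssl CLI. This is an added example, not part of the JIRA comment or of Ambari's code; the temporary directory, file names and certificate subjects are constructed for the demo.

```shell
#!/bin/sh
# Added illustration, not Ambari code. Every file name and subject below is
# constructed for this demo; nothing here touches a real Grafana install.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

make_certs() {
  # Case 1: self-signed server certificate (issuer == subject).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=selfsigned.example" \
    -keyout "$demo_dir/self.key" -out "$demo_dir/self.crt" 2>/dev/null
  # Case 2: a private CA ...
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.crt" 2>/dev/null
  # ... and a server (leaf) certificate issued by that CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=grafana.example" \
    -keyout "$demo_dir/leaf.key" -out "$demo_dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$demo_dir/leaf.csr" -days 1 \
    -CA "$demo_dir/ca.crt" -CAkey "$demo_dir/ca.key" -CAcreateserial \
    -out "$demo_dir/leaf.crt" 2>/dev/null
}

# verify_with TRUST_FILE SERVER_CERT: prints "ok" if SERVER_CERT chains to a
# trust anchor in TRUST_FILE, "fail" otherwise.
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_certs
echo "self-signed cert as its own trust file: $(verify_with "$demo_dir/self.crt" "$demo_dir/self.crt")"
echo "CA-issued leaf as its own trust file:   $(verify_with "$demo_dir/leaf.crt" "$demo_dir/leaf.crt")"
echo "CA-issued leaf against the CA cert:     $(verify_with "$demo_dir/ca.crt" "$demo_dir/leaf.crt")"
```

The middle case is the situation the comment describes: a CA-issued server certificate is not a trust anchor for itself, so the CA certificate or bundle has to be supplied as the trust file.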