[ 
https://issues.apache.org/jira/browse/AMBARI-23920?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

amarnath reddy pappu updated AMBARI-23920:
------------------------------------------
    Description: 
Enable 2-way SSL between Ambari server and agent using CA-signed certificates.  
Communication fails with the error/exception below:

{noformat}
ERROR 2018-05-21 15:57:35,357 Controller.py:226 - Unable to connect to: https://apappu4.hdp.com:8441/agent/v1/register/apappu4.hdp.com
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 175, in registerWithServer
    ret = self.sendRequest(self.registerUrl, data)
  File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 549, in sendRequest
    raise IOError('Request to {0} failed due to {1}'.format(url, str(exception)))
IOError: Request to https://apappu4.hdp.com:8441/agent/v1/register/apappu4.hdp.com failed due to [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ERROR 2018-05-21 15:57:35,357 Controller.py:227 - Error:Request to https://apappu4.hdp.com:8441/agent/v1/register/apappu4.hdp.com failed due to [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
{noformat}


Root cause: As part of the setup, the CA root and CA cert chains are imported 
into the PKCS file, but Ambari server is not pushing this root/chain to the 
Ambari agents, and the agents are unable to trust the server certs.

*+Workaround: +*

Combine the certs, chains and root, and then copy the result to the agent hosts.

{noformat}
cat certchain.pem servercert.pem root.pem > caroot.pem
{noformat}

Then copy this file to:

{noformat}
cp caroot.pem /var/lib/ambari-agent/keys/ca.crt
{noformat}

Restarting agent should resolve the issue.

  was:
Enable 2-way SSL between Ambari server and agent using CA-signed certificates.  
Communication fails with the error/exception below:

{noformat}
ERROR 2018-05-21 15:57:35,357 Controller.py:226 - Unable to connect to: https://apappu4.hdp.com:8441/agent/v1/register/apappu4.hdp.com
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 175, in registerWithServer
    ret = self.sendRequest(self.registerUrl, data)
  File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 549, in sendRequest
    raise IOError('Request to {0} failed due to {1}'.format(url, str(exception)))
IOError: Request to https://apappu4.hdp.com:8441/agent/v1/register/apappu4.hdp.com failed due to [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ERROR 2018-05-21 15:57:35,357 Controller.py:227 - Error:Request to https://apappu4.hdp.com:8441/agent/v1/register/apappu4.hdp.com failed due to [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
{noformat}


Root cause: As part of the setup, the CA root and CA cert chains are imported 
into the PKCS file, but Ambari server is not pushing this root/chain to the 
Ambari agents, and the agents are unable to trust the server certs.

Workaround: Combine the certs, chains and root, and then copy the result to the agent hosts.

{noformat}
cat certchain.pem servercert.pem root.pem > caroot.pem
{noformat}

Then copy this file to:

{noformat}
cp caroot.pem /var/lib/ambari-agent/keys/ca.crt
{noformat}

Restarting agent should resolve the issue.
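
One way to check the combined file before it replaces the agent's trust file, as an added example that is not part of the original issue or Ambari's own code. The helper names `trusts`, `install_agent_trust` and `make_test_pki` are hypothetical, `openssl verify` is used as a stand-in for the agent's TLS check (an assumption), and the certificates are constructed test data.

```shell
#!/bin/sh
# Added example, not Ambari code. File names follow the issue; the PKI is constructed.

# Does SERVER_CERT chain to a root in TRUST_FILE? (0 = yes). Stand-in for the agent's check.
trusts() {  # usage: trusts TRUST_FILE SERVER_CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build the combined file from the workaround, verify it, and only then install it.
# DEST is left untouched when the bundle does not validate the server certificate.
install_agent_trust() {  # usage: install_agent_trust CHAIN SERVER ROOT [DEST]
    dest=${4:-/var/lib/ambari-agent/keys/ca.crt}
    tmp=$(mktemp) || return 1
    cat "$1" "$2" "$3" > "$tmp"
    if trusts "$tmp" "$2"; then
        cp "$tmp" "$dest"; rc=$?
    else
        echo "bundle does not validate $2; $dest not changed" >&2; rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed throwaway root -> intermediate -> server chain, written into directory $1.
make_test_pki() (
    cd "$1" || exit 1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > pki.cnf
    openssl req -x509 -config pki.cnf -extensions ca -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Constructed Root CA' -keyout root.key -out root.pem &&
    openssl req -config pki.cnf -newkey rsa:2048 -nodes \
        -subj '/CN=Constructed Issuing CA' -keyout int.key -out int.csr &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile pki.cnf -extensions ca -out certchain.pem &&
    openssl req -config pki.cnf -newkey rsa:2048 -nodes \
        -subj '/CN=ambari-server.example.test' -keyout server.key -out server.csr &&
    openssl x509 -req -in server.csr -CA certchain.pem -CAkey int.key -CAcreateserial \
        -days 2 -out servercert.pem
) >/dev/null 2>&1

# Run against real files when arguments are given.
if [ "$#" -ge 3 ]; then install_agent_trust "$@"; fi
```

A trust file that holds the intermediate but not the root is rejected by this check, which is the same class of failure as the `certificate verify failed` error in the agent log.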


> Ambari 2way SSL does not work if CA signed certs are used
> ---------------------------------------------------------
>
>                 Key: AMBARI-23920
>                 URL: https://issues.apache.org/jira/browse/AMBARI-23920
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>            Reporter: amarnath reddy pappu
>            Priority: Major
>


