When do you get this error? During registration or some other time?

Erin

----- Original Message -----
From: "Greg Hill" <[email protected]>
To: "Erin Boyd" <[email protected]>, [email protected]
Sent: Wednesday, January 7, 2015 1:52:03 PM
Subject: Re: ssl changes recently?

[root@ambari ~]# rpm -qa | grep openssl
openssl-1.0.1e-30.el6_6.4.x86_64

We apparently have an even newer version. Perhaps they broke something else more recently? We just spun up this image yesterday with the latest CentOS 6.5 stuff.

Greg

On 1/7/15 2:48 PM, "Erin Boyd" <[email protected]> wrote:

>Hey Greg,
>On RHEL 6.5 we got a similar error during agent registration.
>Here is the workaround:
>http://hortonworks.com/community/forums/topic/ambari-agent-registration-failure-on-rhel-6-5-due-to-openssl-2/
>
>Hope that helps,
>Erin
>
>
>----- Original Message -----
>From: "Greg Hill" <[email protected]>
>To: [email protected]
>Sent: Wednesday, January 7, 2015 1:44:40 PM
>Subject: ssl changes recently?
>
>I sent this to the wrong list earlier.
>
>I recently updated our Ambari 1.7.0 image and am now getting SSL errors
>from the agents:
>
>INFO 2015-01-07 16:59:02,116 NetUtil.py:48 - Connecting to
>https://ambari.local:8440/ca
>ERROR 2015-01-07 16:59:02,645 NetUtil.py:66 - [SSL:
>CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
>ERROR 2015-01-07 16:59:02,646 NetUtil.py:67 - SSLError: Failed to
>connect. Please check openssl library versions.
>Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more
>details.
>WARNING 2015-01-07 16:59:02,651 NetUtil.py:92 - Server at
>https://ambari.local:8440<https://ambari.local:8440/> is not reachable,
>sleeping for 10 seconds...
>
>We're just using the default SSL certs that Ambari creates for agent
>communication. This worked up until we made this new image, which pulls
>in upstream CentOS system updates.
>
>Is it possible that some change in upstream has broken this for Ambari?
>Is there a workaround?
>
>I have noticed that the "server_crt" (/var/lib/ambari-agent/keys/ca.crt)
>does not exist on the hosts. Is this something I'm supposed to inject?
>We weren't before, but it was working just fine without it.
>
>Greg
>
