[ https://issues.apache.org/jira/browse/YARN-10291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17156777#comment-17156777 ]
Eric Yang commented on YARN-10291:
----------------------------------

[~brahmareddy] Hadoop [getAcceptedIssuers|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/ReloadingX509TrustManager.java#L146] is returning a list of empty issuers, or the list from javax.net.ssl.X509TrustManager. Unless CA chained certificates are installed into cacerts, there is no issuer verification in Hadoop's own implementation of SSL. This is the reason that I think Hadoop's implementation of loading the trusted store is odd.

> Yarn service commands doesn't work when https is enabled in RM
> --------------------------------------------------------------
>
>                 Key: YARN-10291
>                 URL: https://issues.apache.org/jira/browse/YARN-10291
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Bilwa S T
>            Assignee: Bilwa S T
>            Priority: Major
>         Attachments: YARN-10291.001.patch
>
>
> When we submit an application using the command "yarn app -launch sleeper-service ../share/hadoop/yarn/yarn-service-examples/sleeper/sleeper.json", it throws the below exception
> {code:java}
> com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> {code}
> We should use WebServiceClient#createClient as it takes care of setting sslfactory when https is called.
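When debugging the PKIX error quoted in this message, it helps to see which CA certificates a given truststore actually contributes as accepted issuers, compared with the JVM default store. The following is an added diagnostic example using only standard JSSE classes; it is not part of the original message and not Hadoop code. The class name `TrustAnchorCheck` and the `TRUSTSTORE_PASSWORD` environment variable are assumptions made for this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (hypothetical class name), not Hadoop code.
// Usage: TRUSTSTORE_PASSWORD=... java TrustAnchorCheck <truststore-path> <JKS|PKCS12>
public class TrustAnchorCheck {

    // Build the platform's default X509TrustManager over the given store.
    // A null store makes JSSE fall back to the JVM default (normally cacerts).
    static X509TrustManager trustManagerFor(KeyStore store) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Print how many trust anchors the manager reports, optionally by subject.
    static void report(String label, X509TrustManager tm, boolean listSubjects) {
        X509Certificate[] issuers = tm.getAcceptedIssuers();
        System.out.println(label + ": " + issuers.length + " accepted issuer(s)");
        for (int i = 0; listSubjects && i < issuers.length; i++) {
            System.out.println("  " + issuers[i].getSubjectX500Principal().getName());
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            throw new IllegalArgumentException("expected: <truststore-path> <store-type>");
        }
        String pw = System.getenv("TRUSTSTORE_PASSWORD"); // assumed variable name
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        report("JVM default trust store", trustManagerFor(null), false);
        report("Store " + args[0], trustManagerFor(ks), true);
    }
}
```

If the CA that signed the ResourceManager certificate appears only in the second list, a client that builds its SSL context from the JVM default store will fail path building in the way the stack trace shows.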