Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2018/05/29 12:49:00 UTC

[jira] [Resolved] (AMBARI-23920) Ambari 2way SSL does not work if CA signed certs are used

     [ https://issues.apache.org/jira/browse/AMBARI-23920?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas resolved AMBARI-23920.
-----------------------------------
    Resolution: Fixed

> Ambari 2way SSL does not work if CA signed certs are used
> ---------------------------------------------------------
>
>                 Key: AMBARI-23920
>                 URL: https://issues.apache.org/jira/browse/AMBARI-23920
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.6.1
>            Reporter: amarnath reddy pappu
>            Assignee: Robert Levas
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.7.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Enable 2-way SSL between Ambari server and agent using CA-signed certificates. Communication fails with the error/exception below:
> {noformat}
> ERROR 2018-05-21 15:57:35,357 Controller.py:226 - Unable to connect to: https://apappu4.hdp.com:8441/agent/v1/register/apappu4.hdp.com
> Traceback (most recent call last):
>   File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 175, in registerWithServer
>     ret = self.sendRequest(self.registerUrl, data)
>   File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 549, in sendRequest
>     raise IOError('Request to {0} failed due to {1}'.format(url, str(exception)))
> IOError: Request to https://apappu4.hdp.com:8441/agent/v1/register/apappu4.hdp.com failed due to [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ERROR 2018-05-21 15:57:35,357 Controller.py:227 - Error:Request to https://apappu4.hdp.com:8441/agent/v1/register/apappu4.hdp.com failed due to [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> {noformat}
> Root cause: As part of the setup, CA root and CA cert chains are imported to the PKCS file, but Ambari server is not pushing this root/chain to Ambari agents and agents are unable to trust the server certs.
> *+Workaround:+*
> Combine certs, chains, and root, then copy to agent hosts.
> {noformat}
> cat certchain.pem  servercert.pem root.pem  > caroot.pem
> {noformat}
> Then copy this file to:
> {noformat}
> cp caroot.pem /var/lib/ambari-agent/keys/ca.crt
> {noformat}
> Restarting the agent should resolve the issue.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
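
A pre-flight check for the workaround in the quoted issue, as an added example that is not part of the original message or of Ambari: it confirms that the combined bundle holds only unexpired certificates and that the server certificate verifies against it before the file is copied to /var/lib/ambari-agent/keys/ca.crt. The function names `check_bundle` and `make_demo_pki` and the throwaway demo PKI are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Ambari code): check a combined CA bundle before it is
# installed as the agent's ca.crt. Function names are hypothetical.
# Usage: check_bundle caroot.pem servercert.pem && echo "bundle OK"

# check_bundle BUNDLE SERVER_CERT
# Returns 0 only if BUNDLE holds at least one certificate, none has expired,
# and SERVER_CERT verifies against BUNDLE up to a self-signed root.
check_bundle() {
  local bundle=$1 server=$2 tmp n=0 f
  tmp=$(mktemp -d) || return 2
  # Split the concatenated PEM file into one file per certificate.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$bundle"
  for f in "$tmp"/c*.pem; do
    [ -e "$f" ] || break
    n=$((n + 1))
    # -checkend 0 exits non-zero if the certificate has already expired.
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
      echo "a certificate in $bundle is expired or unreadable" >&2
      rm -rf "$tmp"; return 1
    fi
  done
  rm -rf "$tmp"
  [ "$n" -gt 0 ] || { echo "no certificates found in $bundle" >&2; return 1; }
  # With the root missing from the bundle this fails (no -partial_chain).
  openssl verify -CAfile "$bundle" "$server" 2>/dev/null | grep -q ': OK$'
}

# make_demo_pki DIR: constructed throwaway root, intermediate and server
# certificates, named after the files in the workaround, for trying the check.
make_demo_pki() {
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/certchain.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/certchain.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/servercert.pem" 2>/dev/null
}
```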