ssl changes recently?

[Greg Hill <gr...@RACKSPACE.COM>]

I recently updated our Ambari 1.7.0 image and am now getting SSL errors from the agents:

INFO 2015-01-07 16:59:02,116 NetUtil.py:48 - Connecting to https://ambari.local:8440/ca
ERROR 2015-01-07 16:59:02,645 NetUtil.py:66 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
ERROR 2015-01-07 16:59:02,646 NetUtil.py:67 - SSLError: Failed to connect. Please check openssl library versions.
Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more details.
WARNING 2015-01-07 16:59:02,651 NetUtil.py:92 - Server at https://ambari.local:8440 is not reachable, sleeping for 10 seconds…

We're just using the default SSL certs that Ambari creates for agent communication.  This worked up until we made this new image, which pull in upstream CentOS system updates.

Is it possible that some change in upstream has broken this for Ambari?
Is there a workaround?

Greg

Re: ssl changes recently?

[Yusaku Sako <yu...@hortonworks.com>]

Hi Greg,

I've seen this issue/error message before (I believe on CentOS 6.5).  To
resolve this, I had to upgrade openssl.

Yusaku

On Wed, Jan 7, 2015 at 9:05 AM, Greg Hill <gr...@rackspace.com> wrote:

> I recently updated our Ambari 1.7.0 image and am now getting SSL errors
> from the agents:
>
> INFO 2015-01-07 16:59:02,116 NetUtil.py:48 - Connecting to
> https://ambari.local:8440/ca
> ERROR 2015-01-07 16:59:02,645 NetUtil.py:66 - [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
> ERROR 2015-01-07 16:59:02,646 NetUtil.py:67 - SSLError: Failed to connect.
> Please check openssl library versions.
> Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more
> details.
> WARNING 2015-01-07 16:59:02,651 NetUtil.py:92 - Server at
> https://ambari.local:8440 is not reachable, sleeping for 10 seconds…
>
> We're just using the default SSL certs that Ambari creates for agent
> communication.  This worked up until we made this new image, which pull in
> upstream CentOS system updates.
>
> Is it possible that some change in upstream has broken this for Ambari?
> Is there a workaround?
>
> Greg
>

-- 
CONFIDENTIALITY NOTICE
NOTICE: This message is intended for the use of the individual or entity to 
which it is addressed and may contain information that is confidential, 
privileged and exempt from disclosure under applicable law. If the reader 
of this message is not the intended recipient, you are hereby notified that 
any printing, copying, dissemination, distribution, disclosure or 
forwarding of this communication is strictly prohibited. If you have 
received this communication in error, please contact the sender immediately 
and delete it from your system. Thank You.

Re: ssl changes recently?

[Erin Boyd <eb...@redhat.com>]

Hey Greg,
On RHEL 6.5 we got a similar error during agent registration.
Here is the workaround:
http://hortonworks.com/community/forums/topic/ambari-agent-registration-failure-on-rhel-6-5-due-to-openssl-2/

Hope that helps,
Erin


----- Original Message -----
From: "Greg Hill" <gr...@RACKSPACE.COM>
To: dev@ambari.apache.org
Sent: Wednesday, January 7, 2015 10:05:29 AM
Subject: ssl changes recently?

I recently updated our Ambari 1.7.0 image and am now getting SSL errors from the agents:

INFO 2015-01-07 16:59:02,116 NetUtil.py:48 - Connecting to https://ambari.local:8440/ca
ERROR 2015-01-07 16:59:02,645 NetUtil.py:66 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
ERROR 2015-01-07 16:59:02,646 NetUtil.py:67 - SSLError: Failed to connect. Please check openssl library versions.
Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more details.
WARNING 2015-01-07 16:59:02,651 NetUtil.py:92 - Server at https://ambari.local:8440 is not reachable, sleeping for 10 seconds…

We're just using the default SSL certs that Ambari creates for agent communication.  This worked up until we made this new image, which pull in upstream CentOS system updates.

Is it possible that some change in upstream has broken this for Ambari?
Is there a workaround?

Greg