You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by Tom Beerbower <tb...@hortonworks.com> on 2015/06/16 02:06:15 UTC
Review Request 35481: Namenode log
contains:javax.net.ssl.SSLHandshakeException: Received fatal alert:
bad_certificate
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35481/
-----------------------------------------------------------
Review request for Ambari, Jonathan Hurley and Robert Levas.
Bugs: AMBARI-11938
https://issues.apache.org/jira/browse/AMBARI-11938
Repository: ambari
Description
-------
The following is being reported in the namenode logs on a cluster with wire encryption enabled.
2015-06-05 23:00:17,702 WARN mortbay.log (Slf4jLog.java:warn(89)) - EXCEPTION
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:723)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
Ambari JMX alert checks on a kerberized cluster are polling with curl. The curl call should use -k to ignore checking the server's certificates.
Diffs
-----
ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py 5e7f795
Diff: https://reviews.apache.org/r/35481/diff/
Testing
-------
Manual tested on wire encryption enabled cluster. Verfied that exception does not reproduce with fix.
mvn clean test
all pass
Thanks,
Tom Beerbower
Re: Review Request 35481: Namenode log
contains:javax.net.ssl.SSLHandshakeException: Received fatal alert:
bad_certificate
Posted by Jonathan Hurley <jh...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35481/#review88018
-----------------------------------------------------------
Ship it!
Ship It!
- Jonathan Hurley
On June 15, 2015, 8:06 p.m., Tom Beerbower wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35481/
> -----------------------------------------------------------
>
> (Updated June 15, 2015, 8:06 p.m.)
>
>
> Review request for Ambari, Jonathan Hurley and Robert Levas.
>
>
> Bugs: AMBARI-11938
> https://issues.apache.org/jira/browse/AMBARI-11938
>
>
> Repository: ambari
>
>
> Description
> -------
>
> The following is being reported in the namenode logs on a cluster with wire encryption enabled.
>
>
> 2015-06-05 23:00:17,702 WARN mortbay.log (Slf4jLog.java:warn(89)) - EXCEPTION
> javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
> at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
> at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:723)
> at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
>
>
> Ambari JMX alert checks on a kerberized cluster are polling with curl. The curl call should use -k to ignore checking the server's certificates.
>
>
> Diffs
> -----
>
> ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py 5e7f795
>
> Diff: https://reviews.apache.org/r/35481/diff/
>
>
> Testing
> -------
>
> Manual tested on wire encryption enabled cluster. Verfied that exception does not reproduce with fix.
>
> mvn clean test
>
> all pass
>
>
> Thanks,
>
> Tom Beerbower
>
>
Re: Review Request 35481: Namenode log
contains:javax.net.ssl.SSLHandshakeException: Received fatal alert:
bad_certificate
Posted by Jonathan Hurley <jh...@hortonworks.com>.
> On June 15, 2015, 8:12 p.m., Robert Levas wrote:
> > This seems like an odd place for this fix. I would think that the change should be direcly related to Namenode, not the alert test.
I think the issue is that curl just needs to accept untrusted certifications. Since all of the alert code uses this library for its curl requests, I think this would be the right place.
- Jonathan
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35481/#review88006
-----------------------------------------------------------
On June 15, 2015, 8:06 p.m., Tom Beerbower wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35481/
> -----------------------------------------------------------
>
> (Updated June 15, 2015, 8:06 p.m.)
>
>
> Review request for Ambari, Jonathan Hurley and Robert Levas.
>
>
> Bugs: AMBARI-11938
> https://issues.apache.org/jira/browse/AMBARI-11938
>
>
> Repository: ambari
>
>
> Description
> -------
>
> The following is being reported in the namenode logs on a cluster with wire encryption enabled.
>
>
> 2015-06-05 23:00:17,702 WARN mortbay.log (Slf4jLog.java:warn(89)) - EXCEPTION
> javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
> at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
> at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:723)
> at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
>
>
> Ambari JMX alert checks on a kerberized cluster are polling with curl. The curl call should use -k to ignore checking the server's certificates.
>
>
> Diffs
> -----
>
> ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py 5e7f795
>
> Diff: https://reviews.apache.org/r/35481/diff/
>
>
> Testing
> -------
>
> Manual tested on wire encryption enabled cluster. Verfied that exception does not reproduce with fix.
>
> mvn clean test
>
> all pass
>
>
> Thanks,
>
> Tom Beerbower
>
>
Re: Review Request 35481: Namenode log
contains:javax.net.ssl.SSLHandshakeException: Received fatal alert:
bad_certificate
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35481/#review88006
-----------------------------------------------------------
Ship it!
This seems like an odd place for this fix. I would think that the change should be direcly related to Namenode, not the alert test.
- Robert Levas
On June 15, 2015, 8:06 p.m., Tom Beerbower wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35481/
> -----------------------------------------------------------
>
> (Updated June 15, 2015, 8:06 p.m.)
>
>
> Review request for Ambari, Jonathan Hurley and Robert Levas.
>
>
> Bugs: AMBARI-11938
> https://issues.apache.org/jira/browse/AMBARI-11938
>
>
> Repository: ambari
>
>
> Description
> -------
>
> The following is being reported in the namenode logs on a cluster with wire encryption enabled.
>
>
> 2015-06-05 23:00:17,702 WARN mortbay.log (Slf4jLog.java:warn(89)) - EXCEPTION
> javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
> at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
> at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:723)
> at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
>
>
> Ambari JMX alert checks on a kerberized cluster are polling with curl. The curl call should use -k to ignore checking the server's certificates.
>
>
> Diffs
> -----
>
> ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py 5e7f795
>
> Diff: https://reviews.apache.org/r/35481/diff/
>
>
> Testing
> -------
>
> Manual tested on wire encryption enabled cluster. Verfied that exception does not reproduce with fix.
>
> mvn clean test
>
> all pass
>
>
> Thanks,
>
> Tom Beerbower
>
>