
Poor error messages and behavior when webserver TLS is misconfigured


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.3.0
    • None
    • security, supportability

    Description

      I was playing around with Cloudera Manager's upcoming webserver TLS support and found a couple cases where misconfigurations led to confusing error messages and other weird behavior. I focused on webserver_private_key_file, webserver_certificate_file, and webserver_private_key_password_cmd.

      webserver_private_key_file is unset, but webserver_certificate_file and webserver_private_key_password_cmd are set: the server crashes (good) but with a fairly inscrutable error message:

      I0213 18:49:50.606950  2265 webserver.cc:144] Webserver: Enabling HTTPS support
      I0213 18:49:50.607322  2265 webserver.cc:293] Webserver: set_ssl_option: cannot open /etc/adar_kudu_tls/cert.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
      W0213 18:49:50.607375  2265 net_util.cc:293] Failed to bind to 0.0.0.0:8051. Trying to use lsof to find any processes listening on the same port:
      I0213 18:49:50.607393  2265 net_util.cc:296] $ export PATH=$PATH:/usr/sbin ; lsof -n -i 'TCP:8051' -sTCP:LISTEN ; for pid in $(lsof -F p -n -i 'TCP:8051' -sTCP:LISTEN | grep p | cut -f 2 -dp) ; do  while [ $pid -gt 1 ] ; do    ps h -fp $pid ;    stat=($(</proc/$pid/stat)) ;    pid=${stat[3]} ;  done ; done
      W0213 18:49:50.632638  2265 net_util.cc:303] 
      F0213 18:49:50.632704  2265 master_main.cc:71] Check failed: _s.ok() Bad status: Network error: Webserver: Could not start on address 0.0.0.0:8051
      

      webserver_private_key_file, webserver_certificate_file, and webserver_private_key_password_cmd are all set, but the password command script yields the wrong password: the server crashes (good) but the error message is inscrutable:

      I0213 18:35:34.581714 32633 webserver.cc:293] Webserver: set_ssl_option: cannot open /etc/adar_kudu_tls/cert.pem: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
      W0213 18:35:34.581794 32633 net_util.cc:293] Failed to bind to 0.0.0.0:8051. Trying to use lsof to find any processes listening on the same port:
      I0213 18:35:34.581811 32633 net_util.cc:296] $ export PATH=$PATH:/usr/sbin ; lsof -n -i 'TCP:8051' -sTCP:LISTEN ; for pid in $(lsof -F p -n -i 'TCP:8051' -sTCP:LISTEN | grep p | cut -f 2 -dp) ; do  while [ $pid -gt 1 ] ; do    ps h -fp $pid ;    stat=($(</proc/$pid/stat)) ;    pid=${stat[3]} ;  done ; done
      W0213 18:35:34.605216 32633 net_util.cc:303] 
      F0213 18:35:34.605254 32633 master_main.cc:71] Check failed: _s.ok() Bad status: Network error: Webserver: Could not start on address 0.0.0.0:8051
      

      webserver_private_key_file and webserver_private_key_password_cmd are set, but webserver_certificate_file is not: the server starts up (probably bad?) and any attempt to access the webui on the https port yields a "This site can’t provide a secure connection" message in the browser with ERR_SSL_PROTOCOL_ERROR as the error code. I only tested with Chromium.
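A startup preflight for the three flag combinations described above, added here as an example (not Kudu's code); it assumes the flag names from this report and uses Python's ssl module to load the key/cert pair the way a server would, so that each misconfiguration is reported by name instead of as an OpenSSL error string or a silent start:

```python
import os
import shlex
import ssl
import subprocess

# Hypothetical checker for the Kudu webserver TLS flags named in the report.
def validate_webserver_tls_config(key_file, cert_file, password_cmd=None):
    """Return a list of problems; an empty list means the combination is usable."""
    problems = []
    if not key_file and not cert_file:
        if password_cmd:
            problems.append("webserver_private_key_password_cmd is set but HTTPS is "
                            "disabled (neither key nor certificate file is set)")
        return problems  # plain HTTP is a valid configuration
    if not key_file:
        problems.append("webserver_certificate_file is set but "
                        "webserver_private_key_file is missing")
    if not cert_file:
        problems.append("webserver_private_key_file is set but "
                        "webserver_certificate_file is missing; the server would "
                        "start but every TLS handshake would fail")
    for flag, path in (("webserver_private_key_file", key_file),
                       ("webserver_certificate_file", cert_file)):
        if path and not os.path.isfile(path):
            problems.append(f"{flag}: {path} does not exist or is not a file")
    if problems:
        return problems
    password = None
    if password_cmd:
        # The command's stdout is the key password; run it without a shell.
        result = subprocess.run(shlex.split(password_cmd),
                                capture_output=True, text=True)
        if result.returncode != 0:
            problems.append("webserver_private_key_password_cmd exited with "
                            f"status {result.returncode}")
            return problems
        password = result.stdout.rstrip("\n") or None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # Same step the server performs: parse both PEM files, decrypt the key
        # with the password, and verify that the key matches the certificate.
        ctx.load_cert_chain(cert_file, key_file, password=password)
    except ssl.SSLError as e:
        hint = (" (check the password produced by webserver_private_key_password_cmd)"
                if password_cmd else " (check that both files are PEM and match)")
        problems.append(f"loading {cert_file} with key {key_file} failed: {e}{hint}")
    return problems
```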

Assignee: Unassigned
Reporter: Adar Dembo (adar)