Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
2.6.1
Description
Enable 2 way SSL between Ambari server and agent using CA Signed certificates. Communication fails with below error/Exception
ERROR 2018-05-21 15:57:35,357 Controller.py:226 - Unable to connect to: https://apappu4.hdp.com:8441/agent/v1/register/apappu4.hdp.com
Traceback (most recent call last):
File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 175, in registerWithServer
ret = self.sendRequest(self.registerUrl, data)
File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 549, in sendRequest
raise IOError('Request to {0} failed due to {1}'.format(url, str(exception)))
IOError: Request to https://apappu4.hdp.com:8441/agent/v1/register/apappu4.hdp.com failed due to [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ERROR 2018-05-21 15:57:35,357 Controller.py:227 - Error:Request to https://apappu4.hdp.com:8441/agent/v1/register/apappu4.hdp.com failed due to [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Root cause: As part of the setup - CA Root and CA Cert chains are imported to PKCS file. but Ambari server is not pushing these root/chain to Ambari agents and Agents are unable to trust the server certs.
Workaround:
Combine certs, Chains, root and then copy to agent hosts.
cat certchain.pem servercert.pem root.pem > caroot.pem
then copy this file to
cp caroot.pem /var/lib/ambari-agent/keys/ca.crt
Restarting agent should resolve the issue.
Attachments
Issue Links
- links to
