When httpfs runs with httpfs.ssl.enabled it should return SWEBHDFS delegation tokens.
Currently, httpfs returns WEBHDFS delegation "kind" for tokens regardless of whether ssl is enabled or not. If clients directly connect to renew tokens (for example, hdfs dfs) all works because httpfs doesn't check whether token kind is for swebhdfs or webhdfs. However, this breaks when yarn rm needs to renew the token for the job (for example, when running hadoop distcp). Since DT kind is WEBHDFS, rm tries to establish non-ssl connection to httpfs and fails.
I've tested a simple patch which I'll upload to this jira, and it fixes this issue (hadoop distcp works).