ambari-user mailing list archives

From Greg Hill <greg.h...@RACKSPACE.COM>
Subject Re: ssl changes recently?
Date Wed, 07 Jan 2015 20:52:03 GMT
[root@ambari ~]# rpm -qa | grep openssl
openssl-1.0.1e-30.el6_6.4.x86_64


We apparently have an even newer version.  Perhaps they broke something
else more recently?  We just spun up this image yesterday with the latest
CentOS 6.5 stuff.

Greg

On 1/7/15 2:48 PM, "Erin Boyd" <eboyd@redhat.com> wrote:

>Hey Greg,
>On RHEL 6.5 we got a similar error during agent registration.
>Here is the workaround:
>http://hortonworks.com/community/forums/topic/ambari-agent-registration-failure-on-rhel-6-5-due-to-openssl-2/
>
>Hope that helps,
>Erin
>
>
>----- Original Message -----
>From: "Greg Hill" <greg.hill@RACKSPACE.COM>
>To: user@ambari.apache.org
>Sent: Wednesday, January 7, 2015 1:44:40 PM
>Subject: ssl changes recently?
>
>I sent this to the wrong list earlier.
>
>I recently updated our Ambari 1.7.0 image and am now getting SSL errors
>from the agents:
>
>INFO 2015-01-07 16:59:02,116 NetUtil.py:48 - Connecting to
>https://ambari.local:8440/ca
>ERROR 2015-01-07 16:59:02,645 NetUtil.py:66 - [SSL:
>CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
>ERROR 2015-01-07 16:59:02,646 NetUtil.py:67 - SSLError: Failed to
>connect. Please check openssl library versions.
>Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more
>details.
>WARNING 2015-01-07 16:59:02,651 NetUtil.py:92 - Server at
>https://ambari.local:8440 is not reachable, sleeping for 10 seconds...
>
>We're just using the default SSL certs that Ambari creates for agent
>communication.  This worked up until we made this new image, which pulls
>in upstream CentOS system updates.
>
>Is it possible that some change in upstream has broken this for Ambari?
>Is there a workaround?
>
>I have noticed that the "server_crt" (/var/lib/ambari-agent/keys/ca.crt)
>does not exist on the hosts.  Is this something I'm supposed to inject?
>We weren't before, but it was working just fine without it.
>
>Greg
>

