ambari-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Hill <greg.h...@RACKSPACE.COM>
Subject Re: ssl changes recently?
Date Wed, 07 Jan 2015 21:01:16 GMT
During agent registration.  They all fail to register because the ssl cert
validation fails and it can't connect to the ambari server.

I should note that we *are not* using bootstrapping.  We preinstall the
agents manually.  Nothing has changed since it was working other than
updating to the latest CentOS and Ambari updates (still Ambari 1.7.0,
though, we're not using trunk or anything).


On 1/7/15 2:54 PM, "Erin Boyd" <> wrote:

>When do you get this error? During registration or some other time?
>----- Original Message -----
>From: "Greg Hill" <>
>To: "Erin Boyd" <>,
>Sent: Wednesday, January 7, 2015 1:52:03 PM
>Subject: Re: ssl changes recently?
>[root@ambari ~]# rpm -qa | grep openssl
>We apparently have an even newer version.  Perhaps they broke something
>else more recently?  We just spun up this image yesterday with the latest
>CentOS 6.5 stuff.
>On 1/7/15 2:48 PM, "Erin Boyd" <> wrote:
>>Hey Greg,
>>On RHEL 6.5 we got a similar error during agent registration.
>>Here is the workaround:
>>Hope that helps,
>>----- Original Message -----
>>From: "Greg Hill" <greg.hill@RACKSPACE.COM>
>>Sent: Wednesday, January 7, 2015 1:44:40 PM
>>Subject: ssl changes recently?
>>I sent this to the wrong list earlier.
>>I recently updated our Ambari 1.7.0 image and am now getting SSL errors
>>from the agents:
>>INFO 2015-01-07 16:59:02,116 - Connecting to
>>ERROR 2015-01-07 16:59:02,645 - [SSL:
>>CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
>>ERROR 2015-01-07 16:59:02,646 - SSLError: Failed to
>>connect. Please check openssl library versions.
>>Refer to: for more
>>WARNING 2015-01-07 16:59:02,651 - Server at
>>https://ambari.local:8440<https://ambari.local:8440/> is not reachable,
>>sleeping for 10 secondsÅ 
>>We're just using the default SSL certs that Ambari creates for agent
>>communication.  This worked up until we made this new image, which pull
>>in upstream CentOS system updates.
>>Is it possible that some change in upstream has broken this for Ambari?
>>Is there a workaround?
>>I have noticed that the "server_crt" (/var/lib/ambari-agent/keys/ca.crt)
>>does not exist on the hosts.  Is this something I'm supposed to inject?
>>We weren't before, but it was working just fine without it.

View raw message