ambari-user mailing list archives

From Greg Hill <greg.h...@RACKSPACE.COM>
Subject openjdk update breaks ambari-agent 2-way ssl
Date Fri, 22 Jan 2016 15:01:47 GMT
We discovered a bug last night when our centos mirror updated openjdk and caused cluster builds
to start failing.  This is in Ambari 2.1.1 but I didn't see anything in github to indicate
that this code has since changed.  We tracked it down to the removal of the md5 algorithm
from the list of supported algorithms in openjdk:

https://rhn.redhat.com/errata/RHSA-2016-0049.html

The ambari-server log (in DEBUG mode):

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException:
Algorithm constraints check failed: MD5withRSA
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
        at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130)
        at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1896)
        ... 13 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed:
MD5withRSA
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347)

I looked at the agent code to see how it generates the cert, and it doesn't appear to be using
md5:

https://github.com/apache/ambari/blob/trunk/ambari-agent/src/main/python/ambari_agent/security.py#L35

The openssl default *is* md5 but CentOS resets the default to sha256 in /etc/pki/tls/openssl.cnf:

[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name  = req_distinguished_name
attributes = req_attributes
x509_extensions  = v3_ca # The extentions to add to the self signed cert

I'm not sure where to look next.  I think this is an Ambari bug, but I'm not exactly sure
how to fix it or if we can fix it via configuration somehow.

Anyone know this stuff well and care to chime in?  Or pull someone else in who does?

Greg
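
A check for which certificate in the chain actually carries the MD5withRSA signature the trace complains about, added here as an example and not code from this thread or from Ambari: a standard-library-only Python routine that reads the outer signatureAlgorithm OID from a DER or PEM certificate and flags MD5-based ones, the same property the PKIX "Algorithm constraints check" rejects. The DISABLED set and the sample blobs built by sample_cert are assumptions constructed for offline use; running check_cert over the agent and server certificate files shows which one the updated JDK refuses.

```python
import base64

# MD5withRSA is what the PKIX "Algorithm constraints check" in the stack trace refuses.
SIG_OIDS = {"1.2.840.113549.1.1.4": "MD5withRSA", "1.2.840.113549.1.1.5": "SHA1withRSA",
            "1.2.840.113549.1.1.11": "SHA256withRSA"}
DISABLED = {"MD5withRSA"}  # assumption: mirrors the MD5 entry in jdk.certpath.disabledAlgorithms

def _read_tlv(buf, pos):  # decode one DER tag/length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):  # OBJECT IDENTIFIER contents -> dotted-decimal text
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER Certificate."""
    tag, start, _ = _read_tlv(der, 0)                     # Certificate ::= SEQUENCE {
    _, _, tbs_end = _read_tlv(der, start)                 #   tbsCertificate (skipped),
    tag2, alg_start, _ = _read_tlv(der, tbs_end)          #   signatureAlgorithm SEQUENCE {
    tag3, oid_start, oid_end = _read_tlv(der, alg_start)  #     algorithm OID, ... }
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER-encoded X.509 Certificate")
    return _decode_oid(der[oid_start:oid_end])

def check_cert(data):
    """Accept PEM or DER bytes; return (algorithm name, rejected by the updated JDK)."""
    if data.lstrip().startswith(b"-----"):  # PEM: drop the armor lines, base64-decode the rest
        lines = [l.strip() for l in data.splitlines() if not l.startswith(b"-----")]
        data = base64.b64decode(b"".join(lines))
    oid = signature_algorithm(data)
    name = SIG_OIDS.get(oid, oid)  # unknown algorithms are reported by OID
    return name, name in DISABLED

def _tlv(tag, content):  # short-form DER encoder, enough for the constructed sample below
    return bytes([tag, len(content)]) + content
def sample_cert(sig_oid_bytes):  # constructed, unsigned Certificate-shaped blob, not a real cert
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                      # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, sig_oid_bytes) + b"\x05\x00")  # AlgorithmIdentifier {OID, NULL}
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))     # + placeholder BIT STRING
MD5_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"  # 1.2.840.113549.1.1.4 (md5WithRSAEncryption)
```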
