Issue after Level 2 of TLS security implementation

Hi All,

I had implemented the Level 1 TLS encryption, which is working.

But when I implemented the Level 2 TLS encryption as per the steps given in the link below

https://www.cloudera.com/documentation/enterprise/5-9-x/topics/cm_sg_config_tls_auth.html#topic_3

I have started getting the error below.

1. In cloudera-scm-agent log

[17/Aug/2017 07:24:50 +0000] 31094 MainThread agent ERROR Heartbeating to c018-srv1.e8sec.com:7182 failed.
Traceback (most recent call last):
File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.1-py2.6.egg/cmf/agent.py", line 1346, in _send_heartbeat
self.max_cert_depth)
File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.1-py2.6.egg/cmf/https.py", line 132, in __init__
self.conn.connect()
File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/httpslib.py", line 50, in connect
self.sock.connect((self.host, self.port))
File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 185, in connect
ret = self.connect_ssl()
File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
return m2.ssl_connect(self.ssl)
SSLError: certificate verify failed

2. In Cloudera-scm-Server Log

2017-08-17 07:51:04,118 WARN 118674289@agentServer-169:org.mortbay.log: javax.net.ssl.SSLException: Received fatal alert: unknown_ca

I have tried by using verify_cert_file as well as by using verify_cert_dir.

Can anybody please help me with this, if I am missing something or if anything else needs to be done to fix this issue?

I would be really thankful for any help on the same.

Thank you,

Amit

Re: Issue after Level 2 of TLS security implementation

I am able to resolve this issue by setting the verify_cert_dir in /etc/cloudera-scm-agent/config.ini.

I was missing the root certificate file, which I had downloaded from the CA authority and added to the verify_cert_dir.

Also, I had executed the command below to verify the same.

openssl verify -verbose -CAfile <(cat cert_intermediate_ca.pem thawte_root_ca.pem) hostname.pem

It gave me the message: hostname.pem: OK

Thanks,

Amit
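The failure and fix described in this thread, reproduced as an added example (not part of the original posts and not Cloudera's code): a host certificate fails verification while only the intermediate CA is in the trust directory, and passes once the root is added. It assumes the `openssl` CLI (1.1.1 or later) and that the agent's verify_cert_dir is read as an OpenSSL CApath-style directory, where CAs are found by `<subject-hash>.0` file name; the chain, subjects and temporary paths are constructed for the demo.

```shell
# Added example. All names, subjects and paths below are constructed for the demo.
set -eu

# Build a throwaway chain in directory $1: root CA -> intermediate CA -> host cert.
make_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = placeholder' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for name in intermediate host; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
            -subj "/CN=demo-$name" -keyout "$d/$name.key" \
            -out "$d/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -days 2 -extfile "$d/ca.cnf" \
        -extensions v3_ca -out "$d/intermediate.pem" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -CAcreateserial -days 2 \
        -out "$d/host.pem" 2>/dev/null
}

# Copy CA certificate $2 into directory $1 as <subject-hash>.0 for CApath lookup.
add_ca() {
    cp "$2" "$1/$(openssl x509 -noout -hash -in "$2").0"
}

# Succeed only if certificate $2 chains to a self-signed root found in $1.
verify_host() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Verify the host cert with only the intermediate trusted, then with the root too.
demo() {
    work=$(mktemp -d)
    mkdir "$work/verify_cert_dir"
    make_chain "$work"
    add_ca "$work/verify_cert_dir" "$work/intermediate.pem"
    verify_host "$work/verify_cert_dir" "$work/host.pem" && before=OK || before=FAIL
    add_ca "$work/verify_cert_dir" "$work/root.pem"
    verify_host "$work/verify_cert_dir" "$work/host.pem" && after=OK || after=FAIL
    rm -rf "$work"
    echo "intermediate only: $before; with root: $after"
}

demo
```

On a real host, `openssl rehash` (or `c_rehash`) run against the directory creates the hash-named links for every PEM file in it.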
