https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-starts-but-fails-to-handshake-no-cipher-suites-in/m-p/161104#M36667 <P>Hi there,</P><P>We have knox version 2.4.2.0-258 deployed in two environments. (say Prod-A and Prod-B). Everything was working fine, when you start through Ambari but when I try to connect to Knox it doesn't work.</P><P>Checked in the gateway.jsk under knox/data/security/keystore, it has a valid chain of certs.</P><PRE>2016-08-02 15:29:23,969 DEBUG nio.ssl (SslConnection.java:wrap(475)) - SCEP@fe16e5{l(/IP1:35840)&lt;-&gt;r(/IP2:8444),s=1,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=1r}-{SslConnection@4ddce8ac SSL NEED_WRAP i/o/u=0/0/0 ishut=false oshut=false {AsyncHttpConnection@20993ce7,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}} javax.net.ssl.SSLHandshakeException: no cipher suites in common at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431) at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214) at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186) at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:460) at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386) at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48) at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678) at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235) at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667) at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) at java.lang.Thread.run(Thread.java:745) Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292) at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1035) at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:738) at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) at java.security.AccessController.doPrivileged(Native Method) at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:375) ... 12 more</PRE><P>Here is the command(s) I used to import Host specific certificate in the jks. All following are tried but I get the same error.</P><PRE>keytool -import -alias gateway-identity -keyalg RSA -keystore gateway.jks -trustcacerts -file /etc/pki/tls/certs/Prod-A-HostFQDN.cer -storepass JKSP@ssword </PRE> <PRE>keytool -import -alias gateway-identity -keyalg RSA -keystore gateway.jks -file /etc/pki/tls/certs/Prod-A-HostFQDN.cer -storepass JKSP@ssword </PRE> <PRE>keytool -import -alias gateway-identity -keystore gateway.jks -file /etc/pki/tls/certs/Prod-A-HostFQDN.cer -storepass JKSP@ssword</PRE><P>Can anyone say what is the issue and how to go about this?</P><P>Regsrds</P> Tue, 02 Aug 2016 23:08:28 GMT smartninja723 2016-08-02T23:08:28Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-starts-but-fails-to-handshake-no-cipher-suites-in/m-p/161104#M36667 <P>Hi there,</P><P>We have knox version 2.4.2.0-258 deployed in two environments. (say Prod-A and Prod-B). Everything was working fine, when you start through Ambari but when I try to connect to Knox it doesn't work.</P><P>Checked in the gateway.jsk under knox/data/security/keystore, it has a valid chain of certs.</P><PRE>2016-08-02 15:29:23,969 DEBUG nio.ssl (SslConnection.java:wrap(475)) - SCEP@fe16e5{l(/IP1:35840)&lt;-&gt;r(/IP2:8444),s=1,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=1r}-{SslConnection@4ddce8ac SSL NEED_WRAP i/o/u=0/0/0 ishut=false oshut=false {AsyncHttpConnection@20993ce7,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}} javax.net.ssl.SSLHandshakeException: no cipher suites in common at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431) at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214) at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186) at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:460) at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386) at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48) at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678) at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235) at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667) at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) at java.lang.Thread.run(Thread.java:745) Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292) at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1035) at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:738) at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) at java.security.AccessController.doPrivileged(Native Method) at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:375) ... 12 more</PRE><P>Here is the command(s) I used to import Host specific certificate in the jks. All following are tried but I get the same error.</P><PRE>keytool -import -alias gateway-identity -keyalg RSA -keystore gateway.jks -trustcacerts -file /etc/pki/tls/certs/Prod-A-HostFQDN.cer -storepass JKSP@ssword </PRE> <PRE>keytool -import -alias gateway-identity -keyalg RSA -keystore gateway.jks -file /etc/pki/tls/certs/Prod-A-HostFQDN.cer -storepass JKSP@ssword </PRE> <PRE>keytool -import -alias gateway-identity -keystore gateway.jks -file /etc/pki/tls/certs/Prod-A-HostFQDN.cer -storepass JKSP@ssword</PRE><P>Can anyone say what is the issue and how to go about this?</P><P>Regsrds</P> Tue, 02 Aug 2016 23:08:28 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-starts-but-fails-to-handshake-no-cipher-suites-in/m-p/161104#M36667 smartninja723 2016-08-02T23:08:28Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-starts-but-fails-to-handshake-no-cipher-suites-in/m-p/161105#M36668 <P><A rel="user" href="https://community.cloudera.com/users/190/kevinminder.html" nodeid="190">@Kevin Minder</A>, <A rel="user" href="https://community.cloudera.com/users/174/hkropp.html" nodeid="174">@hkropp</A>, <A rel="user" href="https://community.cloudera.com/users/63/amiller.html" nodeid="63">@Alex Miller</A>, <A rel="user" href="https://community.cloudera.com/users/218/rmani.html" nodeid="218">@Ramesh Mani</A>, <A rel="user" href="https://community.cloudera.com/users/740/vrathor.html" nodeid="740">@Vipin Rathor</A> Adding experts!!</P> Fri, 12 Aug 2016 21:31:17 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-starts-but-fails-to-handshake-no-cipher-suites-in/m-p/161105#M36668 smartninja723 2016-08-12T21:31:17Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-starts-but-fails-to-handshake-no-cipher-suites-in/m-p/161106#M36669 <P>Can you provide more details about how you're attempting to connect, and with which client? If you're using curl, specify the exact command (masking the user password if you want), and the exact version of curl + OS</P> Sat, 13 Aug 2016 00:03:34 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-starts-but-fails-to-handshake-no-cipher-suites-in/m-p/161106#M36669 amiller 2016-08-13T00:03:34Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-starts-but-fails-to-handshake-no-cipher-suites-in/m-p/161107#M36670 <P>Thanks fro getting back .</P><P><A rel="user" href="https://community.cloudera.com/users/63/amiller.html" nodeid="63">@Alex Miller</A> Here is the connect using Curl to connect the Knox server: </P><P></P><PRE>curl -i -k -u admin:P@ssword 'https://&lt;Knox_SERVER_Hostname&gt;:&lt;KNOX_PORT&gt;/gateway/default/templeton/v1/status'</PRE><P>RHEL : Oracle Linux Server release 6.7</P><P>Curl Version : 7.19.7 </P><P>JDK : </P><P>openjdk version "1.8.0_71"</P><P></P><P>OpenJDK Runtime Environment (build 1.8.0_71-b15)</P> Mon, 15 Aug 2016 15:37:44 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-starts-but-fails-to-handshake-no-cipher-suites-in/m-p/161107#M36670 smartninja723 2016-08-15T15:37:44Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-starts-but-fails-to-handshake-no-cipher-suites-in/m-p/161108#M36671 <P>There could be a problem with the certificate itself. I recommend regenerating it and trying again. You can follow instructions in the Apache Knox Users Guide to generate a self-signed certificate:</P><P><A href="http://knox.apache.org/books/knox-0-6-0/user-guide.html#Generating+a+self-signed+cert+for+use+in+testing+or+development+environments" target="_blank">http://knox.apache.org/books/knox-0-6-0/user-guide.html#Generating+a+self-signed+cert+for+use+in+testing+or+development+environments</A></P><P>If you want to use a more legitimate certificate you can generate and sign it yourself with OpenSSL or from a CA, and follow the steps in the next section of the guide, <A href="http://knox.apache.org/books/knox-0-6-0/user-guide.html#Using+a+CA+Signed+Key+Pair">Using a CA Signed Key Pair</A>.</P> Tue, 16 Aug 2016 00:48:36 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-starts-but-fails-to-handshake-no-cipher-suites-in/m-p/161108#M36671 amiller 2016-08-16T00:48:36Z