New Contributor
Posts: 2
Registered: ‎01-24-2019

Auto-TLS and GCE

Hi,

 

I'm trying to enable Auto-TLS on Google Compute Engine for Cloudera Manager 6.1.0:

# JAVA_HOME=/usr/java/jdk1.8.0_141-cloudera /opt/cloudera/cm-agent/bin/certmanager \
--location /opt/cloudera/CMCA setup --configure-services

The command fails with the following error:

CSR Generation Error

certmanager.log

ASN1_mbstring_ncopy:string too long:

 

/etc/hosts looks like this:

 

10.xxx.xxx.xxx cloudera-manager.europe-west1-b.c.xxxxxx-xxxxxx.internal cloudera-manager  # Added by Google

chars count:

 

 

$ echo 'cloudera-manager.europe-west1-b.c.xxxxxxx-xxxxxxx.internal' | wc -c
59

If I set the hostname manually,

 

 

# hostnamectl set-hostname c-m

Cloudera agents on slave machines are unable to download parcels due to a subjectAltName mismatch:

 

 

Failed fetching torrent: Peer certificate subjectAltName does not match host, expected c-m.europe-west1-b.c.xxxxxxx-xxxxxxx.internal, got DNS:c-m

Agent parcel download fail

 

 

So the question is how to add a custom DNS name to subjectAltName during certmanager setup and services configuration?

 

Posts: 113
Topics: 0
Kudos: 15
Solutions: 11
Registered: ‎01-05-2015

Re: Auto-TLS and GCE

Hello,

 

I've reviewed the errors you have provided, and this error appears to be coming from the underlying crypto library. According to RFC-5280 standards, the CN and Description fields each must not exceed 64 characters in length. This character limit is hard-coded in the OpenSSL framework and cannot be altered without changing the source code within OpenSSL. The Subject Alt Name field has a much longer character limit.

 

Unfortunately, the log data you provided is truncated, and it is difficult to tell what precisely was being performed and with what options when the failure occurred.

 

It would appear as though we use the following information to obtain the hostname for the CN field during the init process.

 

 hostname = socket.gethostname()

 

It's fairly trivial to create a short one-line Python command to see what this returns. Can you please use something like this in order to perform your word count on the output?

 

python -c "import socket; hostname = socket.gethostname(); print hostname;"

 

 

Customer Operations Engineer | Security SME | Cloudera, Inc.
New Contributor
Posts: 2
Registered: ‎01-24-2019

Re: Auto-TLS and GCE

Details in quoted text:

[scm@cloudera-manareg ~]$ sudo -i
[root@cloudera-manareg ~]# setenforce 0
[root@cloudera-manareg ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[root@cloudera-manareg ~]# cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)
[root@cloudera-manareg ~]# python -c "import socket; hostname = socket.gethostname(); print hostname;"
cloudera-manareg
[root@cloudera-manareg ~]# python -c "import socket; hostname = socket.gethostname(); print hostname;" | wc -c
17
[root@cloudera-manareg ~]# hostname
cloudera-manareg
[root@cloudera-manareg ~]# hostname | wc -c
17
[root@cloudera-manareg ~]# hostname -f
cloudera-manareg.europe-west1-c.c.xxxxxxxx-xxxxxx.internal
[root@cloudera-manareg ~]# hostname -f | wc -c
59
[root@cloudera-manareg ~]# ./cloudera-manager-installer.bin  --i-agree-to-all-licenses --noprompt --noreadme --nooptions
[root@cloudera-manareg ~]# yum -y install cloudera-manager-agent
[root@cloudera-manareg ~]# JAVA_HOME=/usr/java/jdk1.8.0_141-cloudera /opt/cloudera/cm-agent/bin/certmanager \
> --location /opt/cloudera/CMCA setup --configure-services
INFO:root:Logging to /var/log/cloudera-scm-agent/certmanager.log
Traceback (most recent call last):
  File "/opt/cloudera/cm-agent/bin/certmanager", line 11, in <module>
    load_entry_point('cmf==6.1.0', 'console_scripts', 'certmanager')()
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py", line 2376, in main
    return certmanager(obj=argparse.Namespace())
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/click/core.py", line 716, in __call__
    return self.main(*args, **kwargs)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/click/core.py", line 696, in main
    rv = self.invoke(ctx)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/click/core.py", line 1060, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/click/core.py", line 889, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/click/core.py", line 534, in invoke
    return callback(*args, **kwargs)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/click/decorators.py", line 27, in new_func
    return f(get_current_context().obj, *args, **kwargs)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py", line 2145, in setup
    ctx_obj.certmanager.init_internal_ca(config, override, rotate)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py", line 1181, in init_internal_ca
    gen_csr(csr_file, ca_key_file, password, subject, CA_CERT_KEYUSAGE, "")
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py", line 554, in gen_csr
    raise Exception("Could not generate CSR")
Exception: Could not generate CSR

[root@cloudera-manareg ~]# cat /var/log/cloudera-scm-agent/certmanager.log
[25/Jan/2019 08:51:31 +0000] 4695 MainThread cert         INFO     SCM Certificate Manager
[25/Jan/2019 08:51:31 +0000] 4695 MainThread os_ops       INFO     Created directory /opt/cloudera/CMCA None None 0o755
[25/Jan/2019 08:51:31 +0000] 4695 MainThread os_ops       INFO     Created directory /opt/cloudera/CMCA/private cloudera-scm cloudera-scm 0o700
[25/Jan/2019 08:51:31 +0000] 4695 MainThread os_ops       INFO     Created directory /opt/cloudera/CMCA/trust-store cloudera-scm cloudera-scm 0o755
[25/Jan/2019 08:51:31 +0000] 4695 MainThread os_ops       INFO     Created directory /opt/cloudera/CMCA/hosts-key-store cloudera-scm cloudera-scm 0o700
[25/Jan/2019 08:51:31 +0000] 4695 MainThread os_ops       INFO     Created directory /opt/cloudera/CMCA/CMCA cloudera-scm cloudera-scm 0o700
[25/Jan/2019 08:51:31 +0000] 4695 MainThread os_ops       INFO     Created directory /opt/cloudera/CMCA/CMCA/ca-db cloudera-scm cloudera-scm 0o700
[25/Jan/2019 08:51:31 +0000] 4695 MainThread os_ops       INFO     Created directory /opt/cloudera/CMCA/CMCA/private cloudera-scm cloudera-scm 0o700
[25/Jan/2019 08:51:31 +0000] 4695 MainThread os_ops       INFO     Created directory /opt/cloudera/CMCA/CMCA/ca-db/newcerts cloudera-scm cloudera-scm 0o700
[25/Jan/2019 08:51:31 +0000] 4695 MainThread cert         ERROR    req failed for /opt/cloudera/CMCA/CMCA/private/ca_key.pem. Exit code: 1 Output:
problems making Certificate Request
140660216719248:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:158:maxsize=64
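
As an added example (not part of the original posts and not Cloudera's code), the following Python code parses the OpenSSL error line from certmanager.log above and checks candidate subject strings against the 64-character limit it reports. The FQDN is constructed to match the length of the redacted one, and the "Example CA on " label is hypothetical, since the thread does not show the subject string certmanager builds.

```python
import re

# RFC 5280 upper bound for commonName (ub-common-name); the log reports it as maxsize=64.
UB_COMMON_NAME = 64

# OpenSSL 1.0.x error queue line: pid:error:code:library:function:reason:file:line:data
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)


def parse_openssl_error(line):
    """Return the fields of an OpenSSL error line as a dict, or None if it is not one."""
    m = OPENSSL_ERR.search(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    size = re.search(r"maxsize=(\d+)", fields["data"])
    fields["maxsize"] = int(size.group(1)) if size else None
    return fields


def headroom(value, limit=UB_COMMON_NAME):
    """Characters left before `value` exceeds the limit (negative means too long)."""
    return limit - len(value)


def check_subject_values(candidates, limit=UB_COMMON_NAME):
    """Map each candidate subject string to (length, fits_within_limit)."""
    return {c: (len(c), len(c) <= limit) for c in candidates}


if __name__ == "__main__":
    # Error line as it appears in certmanager.log above.
    log_line = ("140660216719248:error:0D07A097:asn1 encoding routines:"
                "ASN1_mbstring_ncopy:string too long:a_mbstr.c:158:maxsize=64")
    err = parse_openssl_error(log_line)
    print(err["func"], err["reason"], err["maxsize"])

    # Constructed FQDN with the same shape and length as the redacted one (58 chars;
    # `hostname -f | wc -c` prints 59 because wc also counts the trailing newline).
    fqdn = "cloudera-manager.europe-west1-b.c.example-project.internal"
    # Hypothetical label: the thread does not show the subject string certmanager builds.
    labelled = "Example CA on " + fqdn
    for value, (length, ok) in check_subject_values([fqdn, labelled]).items():
        print("%-75s len=%d headroom=%d %s"
              % (value, length, headroom(value), "ok" if ok else "TOO LONG"))
```

The FQDN alone fits the limit with 6 characters to spare, so any fixed text placed in the same subject field alongside it is enough to trigger the error.
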

New Contributor
Posts: 1
Registered: ‎03-14-2019

Re: Auto-TLS and GCE

I am attempting to evaluate Cloudera Manager and am stepping through the Add Cluster-Installation steps on my Cloudera controller VMWare VM, and have run into this exact same problem in step 2 of Option 1 for Setup Auto-TLS.

 

 
