10-04-2018 01:25 PM - edited 10-04-2018 01:33 PM
I am seeing lots of these WARN in cloudera manager server logs. Any idea how to fix these ?
And i dont know why its says unknown CA. Becasue the cert is valid with a SAN alias
2018-10-05 05:20:39,242 WARN 94352479@scm-web-22:org.mortbay.log: javax.net.ssl.SSLException: Received fatal alert: unknown_ca
10-04-2018 02:25 PM
That indicates there is a client communicating via TLS to CM but that client does not trust the signer of the Cloudera Manager certificate.
The fact that the thread is scm-web-22 indicates that this is a connection to Cloudera Manager on port 7183.
The trouble is that there is not a good way of identifying what IP the failed client requests are coming from.
I'd start by considering what talks to Cloudera Manager on port 7183.
The first that comes to mind are all the Management Service roles (Service Monitor, Host Montor, Navigator, etc.)
If you enable TLS in Cloudera Manager's web UI, you need to make sure you have added a valid truststore to the following:
Cloudera Management Service --> Configuration
TLS/SSL Client Truststore File Location
Cloudera Manager Server TLS/SSL Certificate Trust Store Password
After that you will need to restart the Management Service (if you don't already have one)
If you already have trust configured, find out if you have any clients making API calls to CM perhaps.
10-12-2018 03:19 AM
I know the client(zabbix) that is making an API call and the truststore is configured correctly. I can login with zabbixuser/password via cloudera mananger and it works fine. Ldap is configured with port 389.
10-12-2018 09:40 AM
If none of your clients is breaking and everything looks healthy in Cloudera Manager, then it may not be necessary to dig deeper at this time. If you do want to, you could do a tcpdump on port 7183 on your CM host... let it run for a bit then read it in WireShark to try to track down which SSL handshakes are failing and what the client is.