
After Operating System Security Patching, get SSL exception


Explorer

Hi Team,

We applied OS-level security-only updates to the nodes running our Hadoop cluster. After the security updates were applied, we started getting nio:720 - javax.net.ssl.SSLException:

I can't perform cluster operations through Ambari. All services are Yellow and start all/stop all are greyed out.

Any solution? Appreciate any help/support in advance. I suspect one of the packages openssl, python or jdk got updated, but I am not sure which package.

Regards

Anil Khiani

4 REPLIES

Re: After Operating System Security Patching, get SSL exception

Super Collaborator

Hi @Anil Khiani,

Looks like you are using the "TLS 1.0" version certificates and the update of the "OpenSSL/JDK Module" module in the server stopped supporting the same.

Before you sort out your certificate issue, for the time being you can use the non-SSL communication method between Ambari-server and Ambari-Agents by setting (disabling two-way SSL) security.server.two_way_ssl=false in /etc/ambari-server/conf/ambari.properties

Hope this helps!!


Re: After Operating System Security Patching, get SSL exception

Explorer

Thanks @bkosaraju. Tried with no luck. Checked the ambari-server logs and get:

28 Sep 2017 01:05:27,940WARN [qtp-ambari-agent-57] nio:720 - javax.net.ssl.SSLException: Received fatal alert: unknown_ca


Re: After Operating System Security Patching, get SSL exception

Super Mentor

@Anil Khiani

Can you please try this:

Edit /etc/python/cert-verification.cfg and change the setting to verify=disable, then restart the ambari agents.

It might be related to some OS level patching you might have done which affects Python Security as well. If you are using RHEL then please refer to: https://access.redhat.com/errata/RHSA-2017:1868 to verify if you applied the mentioned fix.


You also might want to refer to a thread to match your complete error trace https://community.hortonworks.com/questions/120861/ambari-agent-ssl-certificate-verify-failed-certif...


Re: After Operating System Security Patching, get SSL exception

Explorer

Thanks @Jay SenSharma. Indeed, editing /etc/python/cert-verification.cfg, changing it to verify=disable and then restarting the ambari agents helped. I have a production server. Is it a recommended approach to disable cert-verification?
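
Added example, not part of the original thread or of Ambari: a Python check that can be run on each node to report whether the two workaround settings suggested above (verify=disable and security.server.two_way_ssl=false) are still in place. The file paths and keys come from the replies; the function names and the sample file contents are constructed for illustration, and the `[https]` section name assumes the RHEL layout of cert-verification.cfg.

```python
import configparser
import os

CERT_CFG = "/etc/python/cert-verification.cfg"              # path from the thread
AMBARI_PROPS = "/etc/ambari-server/conf/ambari.properties"  # path from the thread

# Constructed sample contents, used when the real files are absent.
SAMPLE_CERT_CFG = "[https]\nverify=disable\n"
SAMPLE_AMBARI_PROPS = "# constructed sample\nsecurity.server.two_way_ssl=false\n"

def python_https_verify(text):
    """Return the [https] verify value from cert-verification.cfg text, or None."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None  # malformed file: nothing to report
    return parser.get("https", "verify", fallback=None)

def read_properties(text):
    """Minimal key=value reader for ambari.properties (skips comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(cert_cfg_text, ambari_props_text):
    """List the workaround settings from the thread that are still in place."""
    findings = []
    verify = python_https_verify(cert_cfg_text)
    if verify is not None and verify.strip().lower() == "disable":
        findings.append("cert-verification.cfg: verify=disable")
    two_way = read_properties(ambari_props_text).get("security.server.two_way_ssl")
    if two_way is not None and two_way.lower() == "false":
        findings.append("ambari.properties: security.server.two_way_ssl=false")
    return findings

def load(path, sample):
    """Read a file if it exists on this node, else fall back to the sample."""
    if os.path.isfile(path):
        with open(path) as handle:
            return handle.read()
    return sample

if __name__ == "__main__":
    for finding in audit(load(CERT_CFG, SAMPLE_CERT_CFG), load(AMBARI_PROPS, SAMPLE_AMBARI_PROPS)):
        print("still set:", finding)
```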
