Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Ambari agent error TLSV1 openSSL

avatar
Contributor

Hello!
I installed the Ambari server and it's agents (HDP-3.0.0) on the my servers (Ubuntu 18.04, Python 2.7.12)

I see error in the ambari agent log file:

[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:590)

SSLError: Failed to connect. Please check openssl library versions.

I set force_https_protocol=PROTOCOL_TLSv1_2 into ambari-agent.ini file, but it not resolved this issue...

My openSSL: OpenSSL 1.0.2g 1 Mar 2016

Can anybody help me?

1 ACCEPTED SOLUTION

avatar
Contributor

HI!

I solved my issue... I had strange FQDN's of my servers (ended of dot), I could connected through ssh but I had issue in Ambari. I changed FQDN's and resolve my issue.

Thanks all for your time.

View solution in original post

8 REPLIES 8

avatar

Hello @Serg Serg!

Could you check your ambari-server logs, to see if you have more details?
And also, if you have more than one JDK installed check if it's set to the same JDK version asked by Ambari.

BTW, take a look at this link:

https://community.hortonworks.com/articles/188269/javapython-updates-and-ambari-agent-tls-settings.h...

And just asking to confirm, did you restart your ambari-agent after the changes?

Hope this helps!

avatar
Master Mentor

@Serg Serg

Even after following the Article: javapython-updates-and-ambari-agent-tls-settings

If you still see the SSL error then please refer to the below article : JDK Changes Causing Ambari Server/Agent Registration

Please check the following file isnide your Ambari Server to verify some of the algorithms. To ensure that it does not have '3DES_EDE_CBC'

# grep 'jdk.tls.disabledAlgorithms' $JAVA_HOME/jre/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \                
EC keySize < 224, DES40_CBC, RC4_40

Here the $JAVA_HOME value should be the one which is mentioned in the "java.home" property of ambari.properties file.

Example:

# grep 'java.home' /etc/ambari-server/conf/ambari.properties
java.home=/usr/jdk64/jdk1.8.0_112

.

So can you please share your exact java version details as well ? Along with ambari-agent logs and ambari.properties file.

avatar
Contributor

Hello!

My ambari-server and it's agent locate on the same server. Both configured as non-root user start. Ambari-agent was installed manualy.

> javac -version
javac 1.8.0_181
> java -version
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)
> echo $JAVA_HOME
/usr/jdk64/jdk1.8.0_181
> echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/usr/jdk64/jdk1.8.0_181/bin
> ambari.properties
java.home=/usr/jdk64/jdk1.8.0_181
jdk.name=jdk-8u181-linux-x64.tar.gz
jdk1.8.dest-file=jdk-8u181-linux-x64.tar.gz
jdk1.8.home=/usr/jdk64/jdk1.8.0_181
stack.java.home=/usr/jdk64/jdk1.8.0_181
stack.jdk.name=jdk-8u181-linux-x64.tar.gz
> grep 'jdk.tls.disabledAlgorithms' $JAVA_HOME/jre/lib/security/java.security
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \

I checked the ambari-server log but I not found error messages (only info without intresting things).

Also, I set into /etc/python/cert-verification.cfg:

[https]
verify=disable

Unfortunatly, I still see error on ambari-agent log:

[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:590)

SSLError: Failed to connect. Please check openssl library versions.

avatar

Hmmm, @Serg Serg so let's try to see what do you have in your python ssl libs.

python2 --version 
#Create a file get_ssl_protocols.py 
#!/usr/bin/env python 
import ssl; 
for i in dir(ssl): 
	if i.startswith("PROTOCOL"): 
		print(i) 
#Then, let's apply full mask permission to the py script
chmod 777 get_ssl_protocols.py 
#Then send us the output of the below command : 
python2 ./get_ssl_protocols.py <br>

It should appear the following output:

[root@node1 ~]# python2 ./python_ssl.py 
PROTOCOL_SSLv23
PROTOCOL_SSLv3
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2<br>

Hope this helps!

avatar
Contributor

@Vinicius Higa Murakami

PROTOCOL_SSLv23
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2

avatar

Hi @Serg Serg!
What do you have for the following line?

python2 -c "import urllib2,json; print(json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"

In my case, I've got TLS 1.2

And also, share with us the following:

openssl ciphers -v | awk '{print $2}' | sort | uniq -u

avatar
Contributor

Hi Vinicius Higa Murakami !

# python2 -c "import urllib2,json; print(json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"
> TLS 1.2
# openssl ciphers -v | awk '{print $2}' | sort | uniq
> SSLv3
> TLSv1.2

Is there way enable "debug mode" for the ambari-agent and see how it do connect to the server?

avatar
Contributor

HI!

I solved my issue... I had strange FQDN's of my servers (ended of dot), I could connected through ssh but I had issue in Ambari. I changed FQDN's and resolve my issue.

Thanks all for your time.