Ambari agent error TLSV1 openSSL

Contributor

Hello!
I installed the Ambari server and its agents (HDP-3.0.0) on my servers (Ubuntu 18.04, Python 2.7.12).

I see an error in the Ambari agent log file:

[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:590)

SSLError: Failed to connect. Please check openssl library versions.

I set force_https_protocol=PROTOCOL_TLSv1_2 in the ambari-agent.ini file, but it did not resolve this issue...

My openSSL: OpenSSL 1.0.2g 1 Mar 2016

Can anybody help me?

1 ACCEPTED SOLUTION

Contributor

Hi!

I solved my issue... My servers had strange FQDNs (ending with a dot). I could connect through ssh, but I had the issue in Ambari. I changed the FQDNs and that resolved my issue.

Thanks all for your time.
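
A check for the condition described in the accepted solution, as an added example that is not part of the original post: it flags host names that end with a dot or contain invalid labels, both in /etc/hosts-style text and in the local FQDN. The function names and the sample hosts content are constructed for illustration.

```python
import re
import socket

# One DNS label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample in /etc/hosts format (not taken from the thread).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.0.0.11   ambari1.example.internal.   ambari1   # constructed entry
10.0.0.12   node2.example.internal node2
"""

def hostname_problems(name):
    """Return a list of reasons `name` is a poor choice as a host name."""
    problems = []
    if name.endswith("."):
        problems.append("trailing dot")
        name = name.rstrip(".")
    if len(name) > 253:
        problems.append("longer than 253 characters")
    for label in name.split("."):
        if not LABEL.match(label):
            problems.append("invalid label %r" % label)
    return problems

def scan_hosts_file(text):
    """Map every flagged name in /etc/hosts-style text to its problems."""
    findings = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        for name in fields[1:]:                 # fields[0] is the IP address
            problems = hostname_problems(name)
            if problems:
                findings[name] = problems
    return findings

if __name__ == "__main__":
    # Check what this host reports as its own FQDN, then the hosts file.
    fqdn = socket.getfqdn()
    print("local FQDN %r: %s" % (fqdn, hostname_problems(fqdn) or "ok"))
    try:
        with open("/etc/hosts") as handle:
            print(scan_hosts_file(handle.read()) or "no flagged names in /etc/hosts")
    except IOError:
        print(scan_hosts_file(SAMPLE_HOSTS))
```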

8 REPLIES

Hello @Serg Serg!

Could you check your ambari-server logs, to see if you have more details?
And also, if you have more than one JDK installed, check if it's set to the same JDK version asked for by Ambari.

BTW, take a look at this link:

https://community.hortonworks.com/articles/188269/javapython-updates-and-ambari-agent-tls-settings.h...

And just asking to confirm, did you restart your ambari-agent after the changes?

Hope this helps!

Master Mentor

@Serg Serg

Even after following the article javapython-updates-and-ambari-agent-tls-settings, if you still see the SSL error, then please refer to the article below: JDK Changes Causing Ambari Server/Agent Registration

Please check the following file inside your Ambari Server to verify some of the algorithms, to ensure that it does not have '3DES_EDE_CBC':

# grep 'jdk.tls.disabledAlgorithms' $JAVA_HOME/jre/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40

Here the $JAVA_HOME value should be the one which is mentioned in the "java.home" property of ambari.properties file.

Example:

# grep 'java.home' /etc/ambari-server/conf/ambari.properties
java.home=/usr/jdk64/jdk1.8.0_112


So can you please share your exact java version details as well, along with the ambari-agent logs and the ambari.properties file?
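
Because the `jdk.tls.disabledAlgorithms` entry continues across lines with a trailing backslash, a plain `grep` prints only its first line. The following added example (not part of the original reply) joins the continuation lines and reports whether an algorithm such as `3DES_EDE_CBC` is in the list; the function names and the sample file content are constructed.

```python
import sys

# Constructed sample in java.security format (not taken from the thread).
SAMPLE = r"""
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC
"""

def read_security_property(text, key):
    """Return the value of `key`, joining backslash-continued lines.

    Commented-out definitions are ignored and the last active one wins.
    Simplification: any trailing backslash is treated as a continuation.
    """
    value = None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        while line.endswith("\\"):
            # Drop the backslash and append the next physical line.
            line = line[:-1].rstrip() + " " + next(lines, "").strip()
        name, sep, rest = line.partition("=")
        if sep and name.strip() == key:
            value = rest.strip()
    return value

def disabled_algorithms(text):
    """Return the entries of jdk.tls.disabledAlgorithms as a list."""
    value = read_security_property(text, "jdk.tls.disabledAlgorithms") or ""
    return [item.strip() for item in value.split(",") if item.strip()]

def is_disabled(text, algorithm):
    """True if `algorithm` is listed as its own entry."""
    return algorithm in disabled_algorithms(text)

if __name__ == "__main__":
    # Usage: python check_disabled.py $JAVA_HOME/jre/lib/security/java.security
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            content = handle.read()
    else:
        content = SAMPLE
    print(disabled_algorithms(content))
    print("3DES_EDE_CBC disabled: %s" % is_disabled(content, "3DES_EDE_CBC"))
```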

Contributor

Hello!

My ambari-server and its agent are located on the same server. Both are configured to start as a non-root user. Ambari-agent was installed manually.

> javac -version
javac 1.8.0_181
> java -version
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)
> echo $JAVA_HOME
/usr/jdk64/jdk1.8.0_181
> echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/usr/jdk64/jdk1.8.0_181/bin
> ambari.properties
java.home=/usr/jdk64/jdk1.8.0_181
jdk.name=jdk-8u181-linux-x64.tar.gz
jdk1.8.dest-file=jdk-8u181-linux-x64.tar.gz
jdk1.8.home=/usr/jdk64/jdk1.8.0_181
stack.java.home=/usr/jdk64/jdk1.8.0_181
stack.jdk.name=jdk-8u181-linux-x64.tar.gz
> grep 'jdk.tls.disabledAlgorithms' $JAVA_HOME/jre/lib/security/java.security
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \

I checked the ambari-server log but I did not find error messages (only info without interesting things).

Also, I set in /etc/python/cert-verification.cfg:

[https]
verify=disable

Unfortunately, I still see the error in the ambari-agent log:

[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:590)

SSLError: Failed to connect. Please check openssl library versions.


Hmmm, @Serg Serg, so let's try to see what you have in your python ssl libs.

python2 --version
# Create a file get_ssl_protocols.py
#!/usr/bin/env python
import ssl
for i in dir(ssl):
    if i.startswith("PROTOCOL"):
        print(i)
# Then, let's apply full mask permission to the py script
chmod 777 get_ssl_protocols.py
# Then send us the output of the below command:
python2 ./get_ssl_protocols.py

The following output should appear:

[root@node1 ~]# python2 ./python_ssl.py 
PROTOCOL_SSLv23
PROTOCOL_SSLv3
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2

Hope this helps!

Contributor

@Vinicius Higa Murakami

PROTOCOL_SSLv23
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2


Hi @Serg Serg!
What do you have for the following line?

python2 -c "import urllib2,json; print(json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"

In my case, I've got TLS 1.2

And also, share with us the following:

openssl ciphers -v | awk '{print $2}' | sort | uniq

Contributor

Hi Vinicius Higa Murakami!

# python2 -c "import urllib2,json; print(json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"
> TLS 1.2
# openssl ciphers -v | awk '{print $2}' | sort | uniq
> SSLv3
> TLSv1.2

Is there a way to enable "debug mode" for the ambari-agent and see how it connects to the server?
