Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ambari agent error TLSV1 openSSL

Solved Go to solution
Highlighted

Ambari agent error TLSV1 openSSL

Explorer

Hello!
I installed the Ambari server and it's agents (HDP-3.0.0) on the my servers (Ubuntu 18.04, Python 2.7.12)

I see error in the ambari agent log file:

[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:590)

SSLError: Failed to connect. Please check openssl library versions.

I set force_https_protocol=PROTOCOL_TLSv1_2 into ambari-agent.ini file, but it not resolved this issue...

My openSSL: OpenSSL 1.0.2g 1 Mar 2016

Can anybody help me?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Ambari agent error TLSV1 openSSL

Explorer

HI!

I solved my issue... I had strange FQDN's of my servers (ended of dot), I could connected through ssh but I had issue in Ambari. I changed FQDN's and resolve my issue.

Thanks all for your time.

View solution in original post

8 REPLIES 8
Highlighted

Re: Ambari agent error TLSV1 openSSL

Hello @Serg Serg!

Could you check your ambari-server logs, to see if you have more details?
And also, if you have more than one JDK installed check if it's set to the same JDK version asked by Ambari.

BTW, take a look at this link:

https://community.hortonworks.com/articles/188269/javapython-updates-and-ambari-agent-tls-settings.h...

And just asking to confirm, did you restart your ambari-agent after the changes?

Hope this helps!

Highlighted

Re: Ambari agent error TLSV1 openSSL

Super Mentor

@Serg Serg

Even after following the Article: javapython-updates-and-ambari-agent-tls-settings

If you still see the SSL error then please refer to the below article : JDK Changes Causing Ambari Server/Agent Registration

Please check the following file isnide your Ambari Server to verify some of the algorithms. To ensure that it does not have '3DES_EDE_CBC'

# grep 'jdk.tls.disabledAlgorithms' $JAVA_HOME/jre/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \                
EC keySize < 224, DES40_CBC, RC4_40

Here the $JAVA_HOME value should be the one which is mentioned in the "java.home" property of ambari.properties file.

Example:

# grep 'java.home' /etc/ambari-server/conf/ambari.properties
java.home=/usr/jdk64/jdk1.8.0_112

.

So can you please share your exact java version details as well ? Along with ambari-agent logs and ambari.properties file.

Highlighted

Re: Ambari agent error TLSV1 openSSL

Explorer

Hello!

My ambari-server and it's agent locate on the same server. Both configured as non-root user start. Ambari-agent was installed manualy.

> javac -version
javac 1.8.0_181
> java -version
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)
> echo $JAVA_HOME
/usr/jdk64/jdk1.8.0_181
> echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/usr/jdk64/jdk1.8.0_181/bin
> ambari.properties
java.home=/usr/jdk64/jdk1.8.0_181
jdk.name=jdk-8u181-linux-x64.tar.gz
jdk1.8.dest-file=jdk-8u181-linux-x64.tar.gz
jdk1.8.home=/usr/jdk64/jdk1.8.0_181
stack.java.home=/usr/jdk64/jdk1.8.0_181
stack.jdk.name=jdk-8u181-linux-x64.tar.gz
> grep 'jdk.tls.disabledAlgorithms' $JAVA_HOME/jre/lib/security/java.security
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \

I checked the ambari-server log but I not found error messages (only info without intresting things).

Also, I set into /etc/python/cert-verification.cfg:

[https]
verify=disable

Unfortunatly, I still see error on ambari-agent log:

[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:590)

SSLError: Failed to connect. Please check openssl library versions.

Highlighted

Re: Ambari agent error TLSV1 openSSL

Hmmm, @Serg Serg so let's try to see what do you have in your python ssl libs.

python2 --version 
#Create a file get_ssl_protocols.py 
#!/usr/bin/env python 
import ssl; 
for i in dir(ssl): 
	if i.startswith("PROTOCOL"): 
		print(i) 
#Then, let's apply full mask permission to the py script
chmod 777 get_ssl_protocols.py 
#Then send us the output of the below command : 
python2 ./get_ssl_protocols.py <br>

It should appear the following output:

[root@node1 ~]# python2 ./python_ssl.py 
PROTOCOL_SSLv23
PROTOCOL_SSLv3
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2<br>

Hope this helps!

Highlighted

Re: Ambari agent error TLSV1 openSSL

Explorer

@Vinicius Higa Murakami

PROTOCOL_SSLv23
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2
Highlighted

Re: Ambari agent error TLSV1 openSSL

Hi @Serg Serg!
What do you have for the following line?

python2 -c "import urllib2,json; print(json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"

In my case, I've got TLS 1.2

And also, share with us the following:

openssl ciphers -v | awk '{print $2}' | sort | uniq -u
Highlighted

Re: Ambari agent error TLSV1 openSSL

Explorer

Hi Vinicius Higa Murakami !

# python2 -c "import urllib2,json; print(json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])"
> TLS 1.2
# openssl ciphers -v | awk '{print $2}' | sort | uniq
> SSLv3
> TLSv1.2

Is there way enable "debug mode" for the ambari-agent and see how it do connect to the server?

Highlighted

Re: Ambari agent error TLSV1 openSSL

Explorer

HI!

I solved my issue... I had strange FQDN's of my servers (ended of dot), I could connected through ssh but I had issue in Ambari. I changed FQDN's and resolve my issue.

Thanks all for your time.

View solution in original post

Don't have an account?
Coming from Hortonworks? Activate your account here