
Ambari agents cannot connect to ambari-server after changing server keys and certificates..

New Contributor

Hi guys,

After 2 days of headaches I finally managed to change the certificates and keys of my ambari-server, and I relaunched it in HTTPS.

Unfortunately, the dashboards don't show anything, all the agents, and no heartbeat is received from any service. I restarted all the agents and the server and there is not any progress, so I think it's due to some certificate misunderstanding between server and agents. Communication with the server host is OK, as you can see in the ping:

[clusteradmin@worker1 ~]$ ping master1
PING master1.pf0g2dnjye1ujcvq5102dppltf.ax.internal.cloudapp.net (172.31.0.4) 56(84) bytes of data.
64 bytes from master1.pf0g2dnjye1ujcvq5102dppltf.ax.internal.cloudapp.net (172.31.0.4): icmp_seq=1 ttl=64 time=0.539 ms


But after diving into agents log I can see this trace being repeated:
INFO 2017-07-21 14:33:46,880 NetUtil.py:60 - Connecting to https://master1:8440/ca
ERROR 2017-07-21 14:33:46,885 NetUtil.py:84 - EOF occurred in violation of protocol (_ssl.c:765)
ERROR 2017-07-21 14:33:46,886 NetUtil.py:85 - SSLError: Failed to connect. Please check openssl library versions.
Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more details.
WARNING 2017-07-21 14:33:46,886 NetUtil.py:112 - Server at https://master1:8440 is not reachable, sleeping for 10 seconds...
INFO 2017-07-21 14:33:56,886 NetUtil.py:60 - Connecting to https://master1:8440/ca
ERROR 2017-07-21 14:33:56,892 NetUtil.py:84 - EOF occurred in violation of protocol (_ssl.c:765)
ERROR 2017-07-21 14:33:56,892 NetUtil.py:85 - SSLError: Failed to connect. Please check openssl library versions.

Taking into account that the OpenSSL version is the latest possible, should I maybe put some keys or certificates on the agents? But which files? My crt or my ca.crt? My public key into their authorized_key files?

I am not very strong on ssh insights, so any help will be appreciated.

Thanks in advance!!

3 REPLIES

Re: Ambari agents cannot connect to ambari-server after changing server keys and certificates..

Guru

Hello @david garcia,

I'm assuming that you have generated individual certificates for Ambari agents as well and you got them signed by the same CA.

Now please stop all the Ambari agents and follow these steps on each Ambari agent:

1. Copy Ambari Agent SSL artifacts (.key, .csr and .crt files) to /var/lib/ambari-agent/keys/

IMPORTANT: copy ca.crt to all Ambari Agent hosts

2. Copy CA certificate (ca.crt) to /var/lib/ambari-agent/keys/

3. Start Ambari Agent

Hope that this should get you going.

Re: Ambari agents cannot connect to ambari-server after changing server keys and certificates..

New Contributor

Hi @Vipin Rathor,

I have generated all the ca, crt and csr stuff on ambari-server, but not on the agents. Is that needed? I have browsed the internet and didn't see anything related.

In that case, what are the steps to do it with the same CA as on the server? Should I copy it from the server to the agents, then generate them and then copy them?

Thanks for your help!

Re: Ambari agents cannot connect to ambari-server after changing server keys and certificates..

Guru

@david garcia,

Yes, you'll need to generate certificates for each Ambari agent as well.

You can generate them all in one place (like on the Ambari server) and then distribute them to the individual agent hosts. Please make sure that you keep the CN (CommonName) the same as the FQDN of the agent host.

Hope this helps!
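
The steps from the replies above (one certificate per agent, all signed by the same CA, CN equal to the agent's FQDN), as an added shell example that is not part of the original thread. The throwaway CA, the `*.example.internal` host names and the FQDN-based file names are assumptions; on a real cluster the CA is the one that signed the ambari-server certificate.

```shell
#!/bin/sh
# Added example: one CA, one certificate per Ambari agent, CN = agent FQDN.
# The throwaway CA and the *.example.internal host names are constructed.

# make_ca DIR: create a demo CA (ca.key, self-signed ca.crt) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Ambari CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_agent_cert DIR FQDN: write FQDN.key, FQDN.csr and FQDN.crt in DIR;
# the certificate is signed by the CA in DIR. File naming is an assumption.
issue_agent_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    chmod 600 "$1/$2.key" &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# check_agent_cert DIR FQDN: succeed only if FQDN.crt chains to ca.crt,
# its CN is exactly FQDN, and FQDN.key is the matching private key.
check_agent_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" 2>/dev/null |
        grep -q ': OK$' || return 1
    cn=$(openssl x509 -in "$1/$2.crt" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$2" ] || return 1
    crt_pub=$(openssl x509 -in "$1/$2.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/$2.key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_ca "$work"
for host in worker1.example.internal worker2.example.internal; do
    issue_agent_cert "$work" "$host" && check_agent_cert "$work" "$host" &&
        echo "$host: ready for /var/lib/ambari-agent/keys/ (with ca.crt)"
done
rm -rf "$work"
```

Running `check_agent_cert` on each agent's files before copying them catches the two mistakes that matter here: a certificate signed by a different CA than the one in `ca.crt`, and a CN that does not match the agent's FQDN.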
