After 2 days of Headaches I finally managed to change the certificates and keys of my ambarí-server, and I relaunched it in HTTPS.
Unfortunately, the dashboards doesn't show anything, all the agents, and no heartbeat is received from any service. I restarted all the agents and the server and there is not any progress, so I think its due to some certificciate misunderstanding between server and agents.. communication with server host is ok as you can see in the ping:
[clusteradmin@worker1 ~]$ ping master1 PING master1.pf0g2dnjye1ujcvq5102dppltf.ax.internal.cloudapp.net (172.31.0.4) 56(84) bytes of data. 64 bytes from master1.pf0g2dnjye1ujcvq5102dppltf.ax.internal.cloudapp.net (172.31.0.4): icmp_seq=1 ttl=64 time=0.539 msBut after diving into agents log I can see this trace being repeated:
INFO 2017-07-21 14:33:46,880 NetUtil.py:60 - Connecting to https://master1:8440/ca ERROR 2017-07-21 14:33:46,885 NetUtil.py:84 - EOF occurred in violation of protocol (_ssl.c:765) ERROR 2017-07-21 14:33:46,886 NetUtil.py:85 - SSLError: Failed to connect. Please check openssl library versions. Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more details. WARNING 2017-07-21 14:33:46,886 NetUtil.py:112 - Server at https://master1:8440 is not reachable, sleeping for 10 seconds... INFO 2017-07-21 14:33:56,886 NetUtil.py:60 - Connecting to https://master1:8440/ca ERROR 2017-07-21 14:33:56,892 NetUtil.py:84 - EOF occurred in violation of protocol (_ssl.c:765) ERROR 2017-07-21 14:33:56,892 NetUtil.py:85 - SSLError: Failed to connect. Please check openssl library versions.
Taking into account than Openssl version is the latest possible, maybe ¿should I put some keys or certificates on the agents? but what files? my crt or my ca.crt? my public key into their authorized_key files??
I am not very strong on ssh insights, so any help will be apreciatted.
Thanks in advance!!
Hello @david garcia,
I'm assuming that you have generated individual certificates for Ambari agents as well and you got them signed by the same CA.
Now please stop all the Ambari agents and follow these steps on each Ambari agents:
1. Copy Ambari Agent SSL artifacts (.key , .csr and .crt file) to /var/lib/ambari-agent/keys/
IMPORTANT to copy ca.crt to All Ambari Agenst hosts
2. Copy CA certificate (ca.crt) to /var/lib/ambari-agent/keys/
3. Start Ambari Agent
Hope that this should get you going.
Hi @Vipin Rathor,
I have generated all the ca,crt and csr stuff on ambari-server, but not in the agents, is that needed? i have browsed internet and didnt see anything related..
In that case, what are the steps to be done to do it with the same CA than in the server, should I copy it from the server to the agents, then generate them and then copy them?
Thanks for your help!
Yes, you'll need to generate certificates for each Ambari agents as well.
You can generate them all at one place (like on Ambari server) and then distribute them to individual agent hosts. Please make sure that you keep CN (CommonName) same as FQDN of agent host.