Support Questions
Find answers, ask questions, and share your expertise

Certificate errors After enabling Auto-TLS on existing cluster

New Contributor

I've enabled Auto-TLS on an existing CDP 7.1.3 cluster as instructed in https://blog.cloudera.com/auto-tls-in-cloudera-data-platform-data-center/ option 2b.

Initially after completing the wizard and restarting CM agent and servers agent heartbeat was lost due to missing agent certificates from truststore. I was able to fix this by adding hosts to trustore "Cloudera Manager TLS/SSL Client Trust Store File" /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks with Java Keytool.

 

However now I'm observing some oddities in services. - YARN, Kafka seem to report in their Role Log at server startup (Error 403 Broken pipe (Write failed) the server declined access to the page or resource.) - If I try to access any logs in the cluster via CM GUI (Clusters -> Service -> Instances -> Any role -> Log files -> Any log -> Download full log ) I get the following message "HTTP ERROR 403 Problem accessing /cmf/process/all/logs/download. Reason: Received fatal alert: unsupported_certificate The server declined access to the page or resource."

Other services that I'm observing this is Kafka (connect role) and HDFS (namenode RPC).

 

Any ideas where should I look at?


cluster_restart_YARN_certificate_error.png
1 ACCEPTED SOLUTION

Accepted Solutions

New Contributor

Talking to myself but found out that my internal CA signed certificate lacked TLS Web Agent Authentication. After signing the CSR with TLS Web Agent Authentication and TLS Web Server Authentication and rerunning the wizard I was able to proceed.

View solution in original post

1 REPLY 1

New Contributor

Talking to myself but found out that my internal CA signed certificate lacked TLS Web Agent Authentication. After signing the CSR with TLS Web Agent Authentication and TLS Web Server Authentication and rerunning the wizard I was able to proceed.

View solution in original post