Created on 06-11-2019 10:20 PM - edited 09-16-2022 07:26 AM
Hello
CDH 5.16
I am working on the Impala, HttpFS configuration.
I have a question about errors that occur during their configuration.
The common part of the error is that the certificate's DNS is based on the domain (*.caspi.linecorp.com), but the internally-called URL is called with the server's FQDN, so there is an error in verifying the certificate.
HDFS & Yarn, Impala, and HttpFS.
I want to know how to set it up.
Below is an error message.
Impala
Could not connect to hostname:21050: [Errno 111] Connection refused (code THRIFTTRANSPORT): TTransportException('Could not connect tohostname:21050: [Errno 111] Connection refused',)
F0605 14:15:44.792534 159140 impalad-main.cc:81] Could not build messenger: Runtime error: could not verify certificate chain (error with cert: subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2, issuer=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA): unable to get issuer certificate . Impalad exiting.
HttpFS & Hue
Occurs when API calls are made internally in Hue to HttpFS (File Browser).
[11/Jun/2019 20:51:31 +0900] webhdfs ERROR Failed to determine superuser of WebHdfs at https://hostname:14000/webhdfs/v1: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
Traceback (most recent call last):
  File "/opt/cloudera/parcels/CDH-5.16.1-1.cdh5.16.1.p0.3/lib/hue/desktop/libs/hadoop/src/hadoop/fs/webhdfs.py", line 154, in superuser
    sb = self.stats('/')
  File "/opt/cloudera/parcels/CDH-5.16.1-1.cdh5.16.1.p0.3/lib/hue/desktop/libs/hadoop/src/hadoop/fs/webhdfs.py", line 291, in stats
    res = self._stats(path)
  File "/opt/cloudera/parcels/CDH-5.16.1-1.cdh5.16.1.p0.3/lib/hue/desktop/libs/hadoop/src/hadoop/fs/webhdfs.py", line 285, in _stats
    raise ex
WebHdfsException: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
[11/Jun/2019 20:51:31 +0900] exceptions_renderable ERROR Potential detail: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
Thanks
Created 07-18-2019 02:36 AM
Created 07-31-2019 01:54 PM
It might be more work, but it would be better to have a cluster where trust can be established. Clients expect that the server they connected to (whether FQDN, short name, or IP) will be included in the Subject Alternative Name extension or in the CN subject.
Note that recent releases of CM and CDH do support wildcard certificates so I'm not sure what the problem is in your case... we would need some more specific info.
That said, you can turn off validation in some places like Hue, but it is not so easily done in others. Depends on the client.
For Hue, I think you can turn off all validation by setting:
[desktop]
ssl_validate=False
If you don't have ssl_cert_ca_verify or other configuration in other sections, then they will look to the global "desktop" section setting. Restart Hue after making the change.
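
The name check described in the reply above, as an added example that is not part of the original thread or of Hue/Impala code: it tests which of the names a service might be called by are covered by a certificate's Subject Alternative Name dNSName entries, using the usual rule that a wildcard stands for exactly one left-most label. The SAN list and host names are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, hostname):
    """True if one SAN dNSName entry (possibly a wildcard) covers hostname."""
    if _is_ip(hostname):
        # IP addresses are matched against iPAddress SAN entries, never dNSName.
        return False
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard replaces exactly one label, so label counts must agree.
        return False
    if p[0] == "*":
        # Wildcard only as the whole left-most label, and not directly on a TLD.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit(san_dns_names, hosts):
    """Map every name a client may use to the SAN entries that cover it."""
    return {h: [n for n in san_dns_names if dns_name_matches(n, h)] for h in hosts}

# Constructed sample data: a wildcard-only certificate and the ways
# cluster services or users might address the same server.
SAMPLE_SAN = ["*.cluster.example.com"]
SAMPLE_HOSTS = [
    "node1.cluster.example.com",      # FQDN directly under the wildcard domain
    "node1.dc1.cluster.example.com",  # FQDN one level deeper
    "node1",                          # short name
    "cluster.example.com",            # the bare domain itself
    "10.0.0.5",                       # IP address
]

if __name__ == "__main__":
    for host, hits in audit(SAMPLE_SAN, SAMPLE_HOSTS).items():
        print(f"{host:32} {'covered by ' + ', '.join(hits) if hits else 'NOT covered'}")
```

Every name reported as not covered needs its own SAN entry in the certificate (or the service must be addressed by a covered name) before clients that validate the peer will accept the connection.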