How to renew certificates

I have installed CDH 6.3 with auto-TLS, so the cluster works with the certificates created and signed by CM with the internal CA.

Now I'm trying to renew the certificates before they expire.

As a first step I'm trying to set up the certificates for Cloudera Manager following the instructions provided here:

https://docs.cloudera.com/documentation/enterprise/latest/topics/how_to_configure_cm_tls.html

I'm using self-signed certificates so I've created an internal certificate authority.

I have generated and distributed the certificates as detailed in the sub-section "Generate TLS Certificates" and changed the configuration settings as described in the sub-section "Configure TLS for the Cloudera Manager Admin Console".

When I try to restart the Cloudera Management Service the operation fails and I see this error in the log file /var/log/cloudera-scm-firehose/mgmt-cmf-mgmt-SERVICEMONITOR-xxx-.xxx.xxx.log.out:

2020-10-14 17:35:03,658 WARN com.cloudera.cmf.BasicScmProxy: Exception while getting fetch configDefaults hash: none
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found

Is it possible to enable further debug information to see what certificates are involved and test them to see where the problem lies?

I would also like to check that my approach is correct: is it possible to manually configure TLS Encryption for Cloudera Manager and CDH services if the cluster was already configured with auto-TLS?

Many thanks,

G.
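
An added example (not part of the original post, and not Cloudera tooling): the "No trusted certificate found" condition reproduced offline with `openssl`, assuming the client's trust bundle still holds only the previous CA while the server certificate was issued by the new one. The CA names, the host name `cm.example.internal` and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example. Every name and file here is constructed for the demo;
# nothing is a Cloudera path or certificate.

# issuer_of CERT: print the issuer DN of a PEM certificate.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# diagnose CA_BUNDLE CERT: print "trusted" if CERT chains to a CA in
# CA_BUNDLE, otherwise "untrusted" (the condition behind the handshake error).
diagnose() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# make_ca DIR NAME: create a throwaway self-signed CA (NAME.key, NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA_NAME: issue DIR/server.pem signed by CA_NAME.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cm.example.internal" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -set_serial 1 -days 1 -out "$1/server.pem" 2>/dev/null
}

# Demo: the client bundle holds only the old CA, the server cert comes
# from the new CA. Adding the new CA to the bundle fixes validation.
demo=$(mktemp -d)
make_ca "$demo" old-ca
make_ca "$demo" new-ca
make_leaf "$demo" new-ca
echo "server cert issuer: $(issuer_of "$demo/server.pem")"
echo "old CA only:        $(diagnose "$demo/old-ca.pem" "$demo/server.pem")"
cat "$demo/old-ca.pem" "$demo/new-ca.pem" > "$demo/bundle.pem"
echo "old + new CA:       $(diagnose "$demo/bundle.pem" "$demo/server.pem")"
```

The same comparison applies to real files: the issuer printed for the server certificate has to match the subject of a CA certificate present in the trust bundle the failing client reads.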