
Issue while enabling Ranger Admin HA (SSL is enabled)


Hi,

I'm trying to enable Ranger HA where SSL is enabled for Ranger Admin and the plugins. I have configured a load balancer on one of the nodes and installed an additional Ranger Admin. But when I try to log in to the Ranger UI through the load-balancer IP, I get the issue below.

106483-1550680119118.png

Load-balancer server IP address using https protocol:

106532-1550684046777.png

Node details:

Ranger Admin: https://ranger_admin_IP1:6182
Additional Ranger Admin : https://ranger_admin_IP2:6182
Load-balancer : https://LB_IP:443

106492-1550685710271.png

From the load-balancer node, I executed the commands below and got the following results.

$ curl -s -o /dev/null -w'%{http_code}' --negotiate -u: -k https://ranger_admin_IP1:6182/login.jsp
200
$ curl -s -o /dev/null -w'%{http_code}' --negotiate -u: -k https://ranger_admin_IP2:6182/login.jsp
200
$ curl -s -o /dev/null -w'%{http_code}' --negotiate -u: -k https://LB_IP/login.jsp
404


I have updated the Ranger External URL to "https://LB_IP:443" and I can see the alert below in the Ranger Admin service.

106531-1550681003455.png


Please find the load-balancer configuration below; there seems to be an issue with the configuration.

Self-signed certs (load-balancer node):

$ ls -lrt /usr/local/apache2/conf/

-rw-r--r-- 1 root root  1679 Feb 20 07:45 server.key
-rw-r--r-- 1 root root  1338 Feb 20 10:22 server.crt

httpd.conf:

ServerRoot "/usr/local/apache2"
Listen 88

LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule socache_dbm_module modules/mod_socache_dbm.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so


Include conf/extra/httpd-ssl.conf
Include /usr/local/apache2/conf/ranger-lb-ssl.conf

httpd-ssl.conf:

Listen 443
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache2/htdocs"
ErrorLog "/usr/local/apache2/logs/error_log"
TransferLog "/usr/local/apache2/logs/access_log"

SSLEngine on
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

ranger-lb-ssl.conf:

<VirtualHost *:443>

        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /usr/local/apache2/conf/server.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/server.key

        #SSLCACertificateFile /usr/local/apache2/conf/ranger_lb_crt.pem
        #SSLProxyCACertificateFile /usr/local/apache2/conf/ranger_lb_crt.pem
        SSLVerifyClient optional
        #SSLVerifyClient require
        SSLOptions +ExportCertData
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        ProxyRequests off
        ProxyPreserveHost off

        Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

        <Proxy balancer://rangercluster>
               BalancerMember https://ranger_admin_IP1:6182 loadfactor=1 route=1
               BalancerMember https://ranger_admin_IP2:6182 loadfactor=1 route=2


                Order Deny,Allow
                Deny from none
                Allow from all

                ProxySet lbmethod=byrequests scolonpathdelim=On stickysession=ROUTEID maxattempts=1 failonstatus=500,501,502,503 nofailover=Off
        </Proxy>

        # balancer-manager
        # This tool is built into the mod_proxy_balancer
        # module and will allow you to do some simple
        # modifications to the balanced group via a gui
        # web interface.
        <Location /balancer-manager>
                #RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
                SetHandler balancer-manager
                Order deny,allow
                Allow from all
        </Location>

       ProxyPass /balancer-manager !
       ProxyPass / balancer://rangercluster/
       ProxyPassReverse / balancer://rangercluster/

</VirtualHost>

$ cat /usr/local/apache2/logs/access_log

xx.xx.xx.xx - - [20/Feb/2019:17:22:08 +0000] "GET /login.jsp HTTP/1.1" 404 207
xx.xx.xx.xx - - [20/Feb/2019:17:22:57 +0000] "GET /login.jsp HTTP/1.1" 404 207
xx.xx.xx.xx - - [20/Feb/2019:17:23:08 +0000] "GET /login.jsp HTTP/1.1" 404 207

$ cat /usr/local/apache2/logs/error_log

[Wed Feb 20 12:57:00.255350 2019] [ssl:error] [pid 17473] [client xx.xx.xx.xx:65502] AH02039: Certificate Verification: Error (20): unable to get local issuer certificate
[Wed Feb 20 13:28:23.544429 2019] [mpm_prefork:notice] [pid 95071] AH00173: SIGHUP received.  Attempting to restart
[Wed Feb 20 13:28:23.559039 2019] [mpm_prefork:notice] [pid 95071] AH00163: Apache/2.4.16 (Unix) OpenSSL/1.0.2k-fips configured -- resuming normal operations
[Wed Feb 20 13:28:23.559063 2019] [core:notice] [pid 95071] AH00094: Command line: '/usr/local/apache2/bin/httpd'
[Wed Feb 20 13:29:14.414809 2019] [mpm_prefork:notice] [pid 95071] AH00173: SIGHUP received.  Attempting to restart
[Wed Feb 20 13:29:14.430214 2019] [mpm_prefo

Any help would be greatly appreciated!

Thank you.
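
An added example, not part of the original post: a small Python lint for two things visible in the posted configuration, namely two `<VirtualHost>` blocks bound to the same `*:443` with no `ServerName` (httpd hands such requests to the first block loaded, here the `DocumentRoot` vhost from httpd-ssl.conf, which is consistent with the 404 on /login.jsp) and backend certificate verification switched off with `SSLProxyVerify none` and the `SSLProxyCheckPeer*` settings. The function names, rule labels and the condensed sample are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the two :443 vhosts condensed from the post, keyed by file
# in Include order (closing tags added so that the sample parses).
SAMPLE = {
    "conf/extra/httpd-ssl.conf": """<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache2/htdocs"
</VirtualHost>""",
    "conf/ranger-lb-ssl.conf": """<VirtualHost *:443>
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / balancer://rangercluster/
</VirtualHost>""",
}

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
# Settings that switch off verification of the backend (Ranger Admin) certificate.
WEAK = {"sslproxyverify": "none", "sslproxycheckpeercn": "off",
        "sslproxycheckpeername": "off", "sslproxycheckpeerexpire": "off"}

def directives(body):
    """Yield (name, args) for each directive line, skipping comments and tags."""
    for line in body.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            yield parts[0], parts[1].strip() if len(parts) > 1 else ""

def lint(files):
    """Return (rule, file, detail) findings for a {path: text} dict of configs."""
    findings, seen = [], defaultdict(list)
    for path, text in files.items():
        for addrs, body in VHOST.findall(text):
            found = list(directives(body))
            named = any(n.lower() in ("servername", "serveralias") for n, _ in found)
            for addr in addrs.split():  # _default_ is an alias for * in httpd 2.4
                seen[addr.replace("_default_", "*")].append((path, named))
            findings += [("weak-proxy-tls", path, n) for n, a in found
                         if WEAK.get(n.lower()) == a.lower()]
    for addr, hosts in seen.items():
        for path, named in hosts[1:]:
            if not named:  # not selectable by name, so the first vhost answers
                findings.append(("shadowed-vhost", path, f"{addr} taken by {hosts[0][0]}"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding, sep=" | ")
```

On a live node, `httpd -S` prints the virtual host map that httpd actually built from the loaded configuration, which confirms which block answers on port 443.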