Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Level 2: Enabling Cloudera Manager Agent Hosts to Authenticate the Server's Certificate ---Fails !

Solved Go to solution
Highlighted

Level 2: Enabling Cloudera Manager Agent Hosts to Authenticate the Server's Certificate ---Fails !

New Contributor

Hi ,

I am running free trial cloudera in pseudo-distributed mod (One host, the server and agent are the same).i am trying now to enable tls/ssl for my cluster

-Level 1 succedeed https://datastore.xxx.fr:7183 tuns correctly with no problem 

 

When i configure level N2 of tls/ssl ,cloudera manager agent fails to connect !.

In CM server fails to have heartbeat:

when i checked :tail -f /var/log/cloudera-scm-agent/cloudera-scm-agent.log

I got ERROR :

File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 292, in connect_ssl
return m2.ssl_connect(self.ssl, self._timeout)
SSLError: certificate verify failed

 

The agent config files :

server_host=datastore.xxx.fr

server_port=7182

 

# Use TLS and certificate validation when connecting to the CM server.
use_tls=1

max_cert_depth=9

verify_cert_file=/opt/cloudera/security/x509/cmhost.pem

 

---the cmhost.pem get my certifcate correctly

---when i run :

 

sudo openssl s_client -connect datastore.xxx.fr:7182 < /opt/cloudera/security/x509/cmhost.pem

 

i got :

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = xxx.fr
verify return:1
---
Certificate chain
0 s:/CN=xxx.fr
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

........

........

Verify return code: 0 (ok)
---
DONE

?

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Level 2: Enabling Cloudera Manager Agent Hosts to Authenticate the Server's Certificate ---Fails !

New Contributor

Hi ,

When i passed to level3 .all seems good and well-configured .

The error is not been  re-showen again .

 

Thanks.

View solution in original post

4 REPLIES 4

Re: Level 2: Enabling Cloudera Manager Agent Hosts to Authenticate the Server's Certificate ---Fails !

Expert Contributor

Hi,

 

We no longer refer to levels in our documentation but based on what is posted here it would appear as though are on Step 4 of our current documentation for manual certificate configuration. While we understand that you might not be able to provide the full raw contents of your certificate in this forum please ensure that the certificates you are attempting to use have the following two x509 Extended Key Usage attributes. These 2 EKUs must be present in order to use Client/Server Authentication which is the final step of deployment should you chose to go that far. These two EKUs are noted in our documentation.

 

 X509v3 Extended Key Usage:
TLS Web Client Authentication

TLS Web Server Authentication

 

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/how_to_configure_cm_tls.html#concept...

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/how_to_configure_cm_tls.html#topic_3

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/how_to_configure_cm_tls.html

 

Also please make sure that there are no leading or trailing spaces on any configuration parameters within the agent configuration file. If your certificate is non-single root, signed by an intermediate, you may have better success using the verify_cert_dir parameter so that all of your CA certificates including the root certificate are present. When using the verify_cert_dir parameter you must use c_rehash provided by openssl-perl.

---
Customer Operations Engineer | Security SME | Cloudera, Inc.
Highlighted

Re: Level 2: Enabling Cloudera Manager Agent Hosts to Authenticate the Server's Certificate ---Fails !

New Contributor

Hi ,

 

Thanks for your support and all cloudera team.

i resolved that by ,adding my rootca to my cloudera keystore and trustore .Then i reconfigured  the agent config.ini to point to the rootca.pem .

But when i inspect host i got this error .(i am using cdh 6.1.1 on ubuntu 16.04)

ccomm1.png

 

ccomm2.png

 

  

 

Highlighted

Re: Level 2: Enabling Cloudera Manager Agent Hosts to Authenticate the Server's Certificate ---Fails !

Expert Contributor

Hello,

 

Take a look at the Agent configuration on the reported host and make sure that use_tls is set to 1 and not 0. This error usually happens when Cloudera Manager expects TLS from the agent (Based on enabled options
) but the agent is continuing to send data using clear text. If the parameter is set to 1 please restart the agent to ensure that it is set properly.

 

The agent performs multiple task some of these task are performed with data transmitted through the heartbeat others are handled by a pull method through the agent.

---
Customer Operations Engineer | Security SME | Cloudera, Inc.
Highlighted

Re: Level 2: Enabling Cloudera Manager Agent Hosts to Authenticate the Server's Certificate ---Fails !

New Contributor

Hi ,

When i passed to level3 .all seems good and well-configured .

The error is not been  re-showen again .

 

Thanks.

View solution in original post

Don't have an account?
Coming from Hortonworks? Activate your account here