Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

OpenSSL compatibility

Solved Go to solution
Highlighted

Re: OpenSSL compatibility

New Contributor

[ RESOLVED ]

Gone through same issue only when we are using oVirt Virtualization For our cluster deployment.

Only following solution resolved the problem (Thanks to @bing lv and @Deven Fan:

By adding below config in [security] section of

vi /etc/ambari-agent/conf/ambari-agent.ini
force_https_protocol=PROTOCOL_TLSv1_2
vi /etc/python/cert-verification.cfg 
[https] 
verify=disable

Re: OpenSSL compatibility

New Contributor

I have the same issues on AWS servers. I'm going through ambari wizard and I always get failed status. In error as usual:

ERROR 2018-07-28 14:12:35,131 NetUtil.py:88 - EOF occurred in violation of protocol (_ssl.c:579)
ERROR 2018-07-28 14:12:35,131 NetUtil.py:89 - SSLError: Failed to connect. Please check openssl library versions. 
Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more details.
WARNING 2018-07-28 14:12:35,132 NetUtil.py:116 - Server at https://ip-172-31-0-xx.eu-west-1.compute.internal:8440 is not reachable, sleeping for 10 seconds...
', None)
('WARNING 2018-07-28 14:12:32,307 NetUtil.py:116 - Server at https://ip-172-31-0-xx.eu-west-1.compute.internal:8440 is not reachable, sleeping for 10 seconds... 
INFO 2018-07-28 14:12:32,307 HeartbeatHandlers.py:115 - Stop event received

I've tried adding in /etc/python/cert-verification.cfg

[https]
verify=disable

I've tried adding in /etc/amabri-agent/conf/ambari-agent.in

[security]
force_https_protocol=PROTOCOL_TLSv1_2

I've restarted agents still the same error :( Any ideas? :)

Re: OpenSSL compatibility

New Contributor

Hello

I've just add these two line below under security section and it works
[security]
ssl_verify_cert=0
force_https_protocol=PROTOCOL_TLSv1_2

Re: OpenSSL compatibility

New Contributor

Ok for future users :)

Check if certyficate is generated by ambari server from one of the nodes:

openssl s_client -connect server_address:8440

corect results (similar):

---Server certificate-----BEGIN CERTIFICATE-----

MIIFnDCCA4SgAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMQswCQYDVQQGEwJYWDEV
.................
.................

If you are not receiving corect handshake you need to verify ambari-server.ini (ambari server):

vi /etc/ambari-server/conf/ambari.properties

and # the line with TLS cyphers :)

,

Ok for future users :)

Check if certyficate is generated by ambari server from one of the nodes:

openssl s_client -connect server_address:8440

corect results (similar):

---Server certificate-----BEGIN CERTIFICATE-----

MIIFnDCCA4SgAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMQswCQYDVQQGEwJYWDEV
.................
.................

If you are not receiving corect handshake you need to verify ambari-server.ini (ambari server):

vi /etc/ambari-server/conf/ambari.properties

and # the line with TLS cyphers :)