OpenSSL compatibility

We recently patched Linux servers (RHEL 7.4). As part of the patching we upgraded the OpenSSL libraries (from 1.0.1e-60.el7_3.1.x86_64 to 1.0.2k-8.el7.x86_64). After completing the process, we saw a Heartbeat Lost message in the Ambari UI. When I tried to run the ambari-agent restart command, I got this message in the log file:

INFO 2017-08-13 09:04:31,873 NetUtil.py:62 - Connecting to https://servername.com:8440/ca
ERROR 2017-08-13 09:04:31,942 NetUtil.py:88 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
ERROR 2017-08-13 09:04:31,942 NetUtil.py:89 - SSLError: Failed to connect. Please check openssl library versions.
Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more details.
WARNING 2017-08-13 09:04:31,943 NetUtil.py:116 - Server at https://servername.com:8440 is not reachable, sleeping for 10 seconds...

Prior to patching, we had everything configured properly. We are using Apache Ambari 2.4.2.0.

Is there any compatibility issue with OpenSSL and Ambari?

Thanks,
Darko

1 ACCEPTED SOLUTION

Master Mentor

@Darko Milovanovic

Your issue looks similar to: https://community.hortonworks.com/questions/120861/ambari-agent-ssl-certificate-verify-failed-certif...

So please check if you are using Python version "python-2.7.5" or higher. If yes, then you should try to either downgrade the Python version to lower than python-2.7.5, as it causes this issue.

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

(OR)


Else you will need to follow the steps mentioned in the following doc to fix the "certificate verify failed (_ssl.c" issue while using RHEL7: Controlling and troubleshooting certificate verification
https://access.redhat.com/articles/2039753#controlling-certificate-verification-7

13 REPLIES 13

[ RESOLVED ]

We went through the same issue, only when using oVirt Virtualization for our cluster deployment.

Only the following solution resolved the problem (thanks to @bing lv and @Deven Fan):

By adding the config below in the [security] section of

vi /etc/ambari-agent/conf/ambari-agent.ini
force_https_protocol=PROTOCOL_TLSv1_2
vi /etc/python/cert-verification.cfg 
[https] 
verify=disable

New Contributor

I have the same issues on AWS servers. I'm going through the Ambari wizard and I always get a failed status. In the error, as usual:

ERROR 2018-07-28 14:12:35,131 NetUtil.py:88 - EOF occurred in violation of protocol (_ssl.c:579)
ERROR 2018-07-28 14:12:35,131 NetUtil.py:89 - SSLError: Failed to connect. Please check openssl library versions. 
Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more details.
WARNING 2018-07-28 14:12:35,132 NetUtil.py:116 - Server at https://ip-172-31-0-xx.eu-west-1.compute.internal:8440 is not reachable, sleeping for 10 seconds...
', None)
('WARNING 2018-07-28 14:12:32,307 NetUtil.py:116 - Server at https://ip-172-31-0-xx.eu-west-1.compute.internal:8440 is not reachable, sleeping for 10 seconds... 
INFO 2018-07-28 14:12:32,307 HeartbeatHandlers.py:115 - Stop event received

I've tried adding in /etc/python/cert-verification.cfg

[https]
verify=disable

I've tried adding in /etc/amabri-agent/conf/ambari-agent.in

[security]
force_https_protocol=PROTOCOL_TLSv1_2

I've restarted agents still the same error 😞 Any ideas? 🙂

Explorer

Hello

I've just added these two lines below under the security section and it works:
[security]
ssl_verify_cert=0
force_https_protocol=PROTOCOL_TLSv1_2
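
The workarounds posted in this thread change three settings: verify in /etc/python/cert-verification.cfg, and ssl_verify_cert and force_https_protocol in ambari-agent.ini. The script below is an added example, not part of any post here and not Ambari's own code, that reports which of those settings weaken TLS checking on a host. The audit and read helpers and the sample text are constructed for illustration, and it assumes "0" is the only value of ssl_verify_cert that disables verification, as posted above.

```python
import configparser
import sys

# File paths as given in the posts above.
AGENT_INI = "/etc/ambari-agent/conf/ambari-agent.ini"
PY_CERT_CFG = "/etc/python/cert-verification.cfg"
# Python ssl protocol constants older than TLS 1.2.
LEGACY = {"PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"}
# Constructed sample input combining the settings posted in this thread.
SAMPLE_AGENT = "[security]\nssl_verify_cert=0\nforce_https_protocol=PROTOCOL_TLSv1_2\n"
SAMPLE_PYCFG = "[https]\nverify=disable\n"

def _load(text):
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def audit(agent_ini_text, py_cert_cfg_text):
    """Return (severity, file, setting, value) for each weakened TLS setting."""
    agent, pycfg = _load(agent_ini_text), _load(py_cert_cfg_text)
    findings = []
    # verify=disable turns off certificate checks by default for HTTPS clients
    # in the system Python's standard library, not only for the Ambari agent.
    verify = pycfg.get("https", "verify", fallback="").strip()
    if verify.lower() == "disable":
        findings.append(("FAIL", PY_CERT_CFG, "verify", verify))
    # ssl_verify_cert=0: agent-level workaround from the thread (assumed sole disabling value).
    agent_verify = agent.get("security", "ssl_verify_cert", fallback="").strip()
    if agent_verify == "0":
        findings.append(("FAIL", AGENT_INI, "ssl_verify_cert", agent_verify))
    # force_https_protocol pins the protocol; flag anything below TLS 1.2.
    proto = agent.get("security", "force_https_protocol", fallback="").strip()
    if proto in LEGACY:
        findings.append(("WARN", AGENT_INI, "force_https_protocol", proto))
    return findings

def read(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""  # absent file: nothing is overridden there

if __name__ == "__main__":
    # Pass --host to audit this machine's files; default is the constructed sample.
    live = "--host" in sys.argv
    texts = (read(AGENT_INI), read(PY_CERT_CFG)) if live else (SAMPLE_AGENT, SAMPLE_PYCFG)
    for sev, path, key, val in audit(*texts):
        print(f"{sev}: {path}: {key}={val}")
```

A FAIL line means the agent or the system Python accepts the server on port 8440 without validating its certificate; an empty result means none of the thread's workarounds are active in those two files.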

New Contributor

Ok for future users 🙂

Check if the certificate is generated by the Ambari server from one of the nodes:

openssl s_client -connect server_address:8440

correct results (similar):

---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFnDCCA4SgAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMQswCQYDVQQGEwJYWDEV
.................
.................

If you are not receiving a correct handshake you need to verify ambari-server.ini (ambari server):

vi /etc/ambari-server/conf/ambari.properties

and # the line with TLS cyphers 🙂
