Support Questions

Johnny_Bach · ‎09-11-2018

i have renewed the tls certificates and applied on the cloudera manager server but the browser is still showing the older one by looking at the expiry date , tried clearing the browser cache , but still it shows older ones. appreciate for any help

Tomas79 · ‎09-11-2018

Yes of course.Restart the scm and agents.Then two things can happen:

- everything falls apart - your agents will not be able to communicate with the scm server

- all ok - check your certificate with openssl - if it is still old, you are configuing the certificate in the wrong path.

Check also your settings in /etc.

View solution in original post

Tomas79 · ‎09-11-2018

As far as I know there is no way to extend the TLS certificate validity, so if you created a new certificate, and placed into a truststore make sure the old one is removed.

Johnny_Bach · ‎09-11-2018

@Tomas79

i meant i have requested for an new certificate and applied it on the server

Tomas79 · ‎09-11-2018

You can try to get the server certificate via openssl command:
openssl s_client -connect <host>
and verify if the certificate is new or old.
If it is new, then your browser or PC has some issues.

Johnny_Bach · ‎09-11-2018

@Tomas79,

openssl s_client connect is reading the old certificate ,whereas i have replaced ceritificates with new one under the /opt/cloudera/security/x509 and /opt/cloudera/security/jks path

and i did not happen to notice any heartbeat issue , agents hearbeat are also working fine , i don't see any issues with that

Johnny_Bach · ‎09-11-2018

Does it require an restart of the cloudera manager service ?

Tomas79 · ‎09-11-2018

Yes of course.Restart the scm and agents.Then two things can happen:

- everything falls apart - your agents will not be able to communicate with the scm server

- all ok - check your certificate with openssl - if it is still old, you are configuing the certificate in the wrong path.

Check also your settings in /etc.

Johnny_Bach · ‎09-11-2018

@Tomas79

it should have fallen apart after 15 secs, thats interval at which agents sends heartbeat and i have encountered issues with TLS over the past and when somethig has gone wrong , service would immediately fail and throws error in the log.

this is quite weird though

Johnny_Bach · ‎09-11-2018

i could only see new certificate applied on hue UI, hence i'm pretty sure on the path too of other server

Tomas79 · ‎09-11-2018

But Hue does not have to be configured the same way as CM. Every component can have his truststore and keystore configured in a different path. Also for example Hue requires "cert" file in PEM format, other components requires JKS - truststores and keystores.

Cloudera Community

Support Questions

Renewed TLS Certificates - but browser still shows older one

Renew certificates on a CDP cluster that has auto ...

Hardening Apache ZooKeeper Security Part 2: TLS en...

Disable/remove auto TLS certificates and create se...

Auto TLS - invalid certificate

Using the TLS Toolkit to simplify security

cannot verify repository.cloudera.com's certificat...

Renew Kerberos ticket

How to specify TLS ciphers to be used by NiFi and...

Java/Python Updates and Ambari Agent TLS Settings

Certificate errors After enabling Auto-TLS on exis...