javax.net.ssl.SSLException: Received fatal alert: unknown_ca

Expert Contributor

I am seeing lots of these WARNs in the Cloudera Manager server logs. Any idea how to fix these?

 

And I don't know why it says unknown CA, because the cert is valid with a SAN alias.

 

2018-10-05 05:20:39,242 WARN 94352479@scm-web-22:org.mortbay.log: javax.net.ssl.SSLException: Received fatal alert: unknown_ca


Master Guru

@desind,

 

That indicates there is a client communicating via TLS to CM but that client does not trust the signer of the Cloudera Manager certificate.

The fact that the thread is scm-web-22 indicates that this is a connection to Cloudera Manager on port 7183.

The trouble is that there is not a good way of identifying what IP the failed client requests are coming from.

 

I'd start by considering what talks to Cloudera Manager on port 7183.

The first that comes to mind are all the Management Service roles (Service Monitor, Host Monitor, Navigator, etc.)

If you enable TLS in Cloudera Manager's web UI, you need to make sure you have added a valid truststore to the following:

 

Cloudera Management Service --> Configuration

TLS/SSL Client Truststore File Location

Cloudera Manager Server TLS/SSL Certificate Trust Store Password

 

After that you will need to restart the Management Service (if you don't already have one)

 

If you already have trust configured, find out if you have any clients making API calls to CM perhaps.

Expert Contributor

I know the client (Zabbix) that is making an API call, and the truststore is configured correctly. I can log in with zabbixuser/password via Cloudera Manager and it works fine. LDAP is configured with port 389.

 

Master Guru

@desind,

 

If none of your clients is breaking and everything looks healthy in Cloudera Manager, then it may not be necessary to dig deeper at this time. If you do want to, you could do a tcpdump on port 7183 on your CM host... let it run for a bit, then read it in Wireshark to try to track down which SSL handshakes are failing and what the client is.
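The tcpdump-then-Wireshark triage suggested above can also be scripted. The following is an added example, not code from the original thread or from Cloudera Manager: a standard-library-only pcap walker that reports every fatal TLS alert a client sent to the CM port, so the source IP behind a "Received fatal alert: unknown_ca" line can be pinned down. It assumes a classic little-endian pcap with Ethernet framing (what `tcpdump -i eth0 -w cm7183.pcap port 7183` writes; `-i any` produces Linux cooked framing, which this parser does not handle), and it only sees plaintext alerts: a TLS 1.2 client sends unknown_ca in the clear after the server Certificate message, but a TLS 1.3 client's alert would be encrypted and appear as application_data. The sample capture, the 10.20.30.0/24 addresses and the helper names are constructed for the example.

```python
"""Find TLS clients that sent a fatal alert (e.g. unknown_ca) to a server port.

Parses a classic pcap with the standard library only. Added example for the
unknown_ca thread; not part of Cloudera Manager. Addresses and capture below
are constructed, not real traffic.
"""
import socket
import struct
from typing import Dict, Iterator, List, Optional, Tuple

TLS_ALERT = 0x15            # TLS record content type: Alert
ALERT_LEVEL_FATAL = 2
ALERT_UNKNOWN_CA = 48       # AlertDescription unknown_ca, RFC 5246 section 7.2.2
ALERT_NAMES = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
               43: "unsupported_certificate", 44: "certificate_revoked",
               45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield raw link-layer frames from a classic (non-pcapng) capture file."""
    magic, _vmaj, _vmin, _zone, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet framing is handled here (not 'tcpdump -i any')")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src_ip, dst_ip, sport, dport, tcp_payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]                      # drop Ethernet trailer/padding
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def iter_tls_records(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (content_type, body) for each complete TLS record in one segment."""
    off = 0
    while off + 5 <= len(payload):
        ctype, _version, length = struct.unpack("!BHH", payload[off:off + 5])
        body = payload[off + 5:off + 5 + length]
        if len(body) < length:
            break            # record spans segments; no TCP reassembly in this example
        yield ctype, body
        off += 5 + length


def find_fatal_alerts(pcap: bytes, server_port: int = 7183) -> List[Dict[str, str]]:
    """List fatal TLS alerts sent *to* server_port, i.e. alerts the server received.

    Only plaintext alerts are visible; a TLS 1.3 client's unknown_ca is encrypted.
    """
    hits = []
    for frame in iter_pcap_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport != server_port:
            continue                          # server-to-client direction is ignored
        for ctype, body in iter_tls_records(payload):
            if ctype == TLS_ALERT and len(body) == 2 and body[0] == ALERT_LEVEL_FATAL:
                hits.append({"client": f"{src}:{sport}", "server": f"{dst}:{dport}",
                             "alert": ALERT_NAMES.get(body[1], str(body[1]))})
    return hits


# --- constructed sample capture (hypothetical hosts, checksums left zero) -------------
def _tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def _pcap(frames: List[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap([
    # client A starts a handshake (Handshake record 0x16, truncated ClientHello body)
    _tcp_frame("10.20.30.40", "10.20.30.1", 51234, 7183, b"\x16\x03\x03\x00\x05\x01\x00\x00\x01\x00"),
    # client A rejects CM's certificate chain: Alert, level fatal (2), unknown_ca (48)
    _tcp_frame("10.20.30.40", "10.20.30.1", 51234, 7183, b"\x15\x03\x03\x00\x02\x02\x30"),
    # client B trusts the CA and closes cleanly: level warning (1), close_notify (0)
    _tcp_frame("10.20.30.41", "10.20.30.1", 40022, 7183, b"\x15\x03\x03\x00\x02\x01\x00"),
    # the server's own close_notify flows the other way and must be ignored
    _tcp_frame("10.20.30.1", "10.20.30.41", 7183, 40022, b"\x15\x03\x03\x00\x02\x01\x00"),
])

if __name__ == "__main__":
    for hit in find_fatal_alerts(SAMPLE_PCAP):
        print(hit)   # only client A's unknown_ca is reported
```

For a real capture, pass `open("cm7183.pcap", "rb").read()` to `find_fatal_alerts`. The equivalent Wireshark display filter is `tls.alert_message.desc == 48` (`ssl.alert_message.desc == 48` in Wireshark releases before 3.0), which also works in `tshark -r cm7183.pcap -Y ...`. Once the client is identified, the fix is on that client's side: add the signer of the CM certificate (or the whole chain) to the truststore that client actually uses, not to CM's own.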