Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

cloudbreak openstack SSL error , after put .crt file in certs/trusted

Labels:
avatar
author-rank sso
Contributor

Created ‎07-29-2016 02:06 AM

Dear team

(I posted the same content in github https://github.com/sequenceiq/cloudbreak/issues/1825 )

I am trying to use cloudbreak to create Hadoop cluster with our Openstack environment.

but got some errors when create credentials.

Enviroment:

1. Openstack version: Juno

2. CentOS Linux release 7.2

I found the same problem in #948 , and tried the same approach,

1. copy .crt file into docker

2. use "keytool -import" to import it into /etc/ssl/certs/java/cacerts

3. restart container cbreak_cloudbreak_1

4. run "credential create" and got failed.

CLI:

<code>credential create --OPENSTACK --name ynwm --description "keystone.(masked)" --userName sso --password (masked) --tenantName query-engine-test --endPoint https://keystone.(masked):5000/v2.0/ --sshKeyString "ssh-rsa AAA.....(masked)..5Q== sso_created" --publicInAccount true

error:

<code>Command failed java.lang.RuntimeException: Failed to verify the credential: Could not verify credential [credential: 'ynwm'], detailed message: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I found another document

https://github.com/sequenceiq/cloudbreak-docs/blob/master/docs/openstack/deployer.md

In which it says,

If your OpenStack is secured with a self-signed certificate, you need to import that certificate into Cloudbreak, or else Cloudbreak won't be able to communicate with your OpenStack. To import the certificate, place the certificate file in the generated certs directory /certs/trusted/. The trusted directory does not exist by default, so you need to create it. Cloudbreak will automatically pick up these certificates and import them into its truststore upon start.

so I copied my .crt file into certs/trusted,

and restarted cbd, 

<code>[sso@cloudbreak02 ~/tools/cloudbreak-deployment]$ sudo docker exec -it cbreak_cloudbreak_1 bash
root@dd24262dd30c:/# ls -al /certs/trusted/
total 16
drwxr-xr-x 2 root root 4096 Jul 29 01:41 .
drwxr-xr-x 3 root root 4096 Jul 29 01:39 ..
-rw-r--r-- 1 root root 4753 Jul 27 08:17 sso.crt
root@dd24262dd30c:/#

<code>sudo cbd start
sudo cbd util cloudbreak-shell
credential create --OPENSTACK ....(the same with the command above)

however still got the SSL error:

<code>/cbreak_cloudbreak_1 | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
/cbreak_cloudbreak_1 |  at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
/cbreak_cloudbreak_1 |  at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
/cbreak_cloudbreak_1 |  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
/cbreak_cloudbreak_1 |  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
/cbreak_cloudbreak_1 |  ... 82 common frames omitted

Thanks for any possible help

1,593 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank sso
Contributor

Created ‎07-29-2016 07:09 AM

Self response:

This problem is resolved.

Because I imported a wrong .crt file, which is not for our HTTPS server, the "credential create" command failed.

After putting the correct .crt file under "certs/trusted", I created a new

credential successfully.

View solution in original post

1,184 Views
0 Kudos
3 REPLIES 3

avatar
author-rank sso
Contributor

Created ‎07-29-2016 03:04 AM 

/cbreak_cloudbreak_1 | Importing certificates to the default Java certificate  trust store.
/cbreak_registrator_1 | 2016/07/29 01:44:42 registrator: added: dd24262dd30c af7ab373046f:cbreak_cloudbreak_1:8080
/cbreak_consul_1 |     2016/07/29 01:44:42 [INFO] agent: Synced service 'af7ab373046f:cbreak_cloudbreak_1:8080'
/cbreak_cloudbreak_1 | Certificate was added to keystore
/cbreak_cloudbreak_1 | Certificate added to default Java trust store with alias sso.crt.
/cbreak_cloudbreak_1 | Starting the Cloudbreak application...
/cbreak_cloudbreak_1 | + '[' true == false ']'
/cbreak_cloudbreak_1 | + java -jar /cloudbreak.jar

I checked log file and found "Certificate added to default Java trust store with alias sso.crt",

so I think the .crt file is added correctly.

However I still get SSL error when access the HTTPS endpoint.

1,184 Views
0 Kudos

avatar
author-rank sso
Contributor

Created ‎07-29-2016 07:09 AM

Self response:

This problem is resolved.

Because I imported a wrong .crt file, which is not for our HTTPS server, the "credential create" command failed.

After putting the correct .crt file under "certs/trusted", I created a new

credential successfully.

1,185 Views
0 Kudos

avatar
author-rank Krisz author-rank
Super Collaborator

Created ‎07-29-2016 09:13 AM

Glad that it worked out, let us know if you believe something is missing from the docs and can be improved.

1,184 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements