Created 07-29-2016 02:06 AM
Dear team
(I posted the same content on GitHub: https://github.com/sequenceiq/cloudbreak/issues/1825 )
I am trying to use Cloudbreak to create a Hadoop cluster with our OpenStack environment,
but got some errors when creating credentials.
Environment:
1. Openstack version: Juno
2. CentOS Linux release 7.2
I found the same problem in #948, and tried the same approach:
1. copy the .crt file into the docker container
2. use "keytool -import" to import it into /etc/ssl/certs/java/cacerts
3. restart container cbreak_cloudbreak_1
4. run "credential create", which failed.
CLI:
<code>credential create --OPENSTACK --name ynwm --description "keystone.(masked)" --userName sso --password (masked) --tenantName query-engine-test --endPoint https://keystone.(masked):5000/v2.0/ --sshKeyString "ssh-rsa AAA.....(masked)..5Q== sso_created" --publicInAccount true</code>
error:
<code>Command failed java.lang.RuntimeException: Failed to verify the credential: Could not verify credential [credential: 'ynwm'], detailed message: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</code>
I found another document
https://github.com/sequenceiq/cloudbreak-docs/blob/master/docs/openstack/deployer.md
In which it says,
If your OpenStack is secured with a self-signed certificate, you need to import that certificate into Cloudbreak, or else Cloudbreak won't be able to communicate with your OpenStack. To import the certificate, place the certificate file in the generated certs directory /certs/trusted/. The trusted directory does not exist by default, so you need to create it. Cloudbreak will automatically pick up these certificates and import them into its truststore upon start.
so I copied my .crt file into certs/trusted,
and restarted cbd,
<code>[sso@cloudbreak02 ~/tools/cloudbreak-deployment]$ sudo docker exec -it cbreak_cloudbreak_1 bash
root@dd24262dd30c:/# ls -al /certs/trusted/
total 16
drwxr-xr-x 2 root root 4096 Jul 29 01:41 .
drwxr-xr-x 3 root root 4096 Jul 29 01:39 ..
-rw-r--r-- 1 root root 4753 Jul 27 08:17 sso.crt
root@dd24262dd30c:/#</code>
<code>sudo cbd start
sudo cbd util cloudbreak-shell
credential create --OPENSTACK ....(the same with the command above)</code>
however still got the SSL error:
<code>/cbreak_cloudbreak_1 | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
/cbreak_cloudbreak_1 | at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
/cbreak_cloudbreak_1 | at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
/cbreak_cloudbreak_1 | at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
/cbreak_cloudbreak_1 | at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
/cbreak_cloudbreak_1 | ... 82 common frames omitted</code>
Thanks for any possible help
Created 07-29-2016 07:09 AM
Self response:
This problem is resolved.
Because I imported a wrong .crt file, which is not for our HTTPS server, the "credential create" command failed.
After putting the correct .crt file under "certs/trusted", I created a new credential successfully.
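A way to check a candidate .crt against the certificate the HTTPS endpoint presents before copying it into certs/trusted, added here as an example that is not part of the original thread or of Cloudbreak. The function names, file names and the host keystone.example.test are assumptions, and the demo certificates are constructed on the fly.

```bash
#!/usr/bin/env bash
# Added example. Function names, file names and the host below are
# assumptions for illustration, not part of Cloudbreak or cbd.

# Save the leaf certificate an HTTPS endpoint presents (needs network).
# usage: fetch_server_cert keystone.example.test:5000 server.pem
fetch_server_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# SHA-256 fingerprint of a PEM certificate, for comparing two files by eye.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if SERVER.pem validates with CANDIDATE.crt as trust anchor.
# Caveat: openssl may also consult its default CA directory, so this is
# meant for private or self-signed CAs that the system store does not know.
# usage: candidate_trusts CANDIDATE.crt SERVER.pem
candidate_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Offline demo on constructed certificates: "right.crt" is what the
# simulated server presents, "wrong.crt" is unrelated but has the same CN.
demo() {
    d=$(mktemp -d) || return 1
    for n in right wrong; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=keystone.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.crt" 2>/dev/null || return 1
    done
    cp "$d/right.crt" "$d/server.pem"   # stand-in for fetch_server_cert output
    for n in right wrong; do
        if candidate_trusts "$d/$n.crt" "$d/server.pem"; then
            echo "$n.crt ($(fingerprint "$d/$n.crt")): OK to import"
        else
            echo "$n.crt ($(fingerprint "$d/$n.crt")): does NOT validate the server"
        fi
    done
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

A certificate that fails this check will still be reported as "added to default Java trust store" at startup, because the import succeeds regardless of whether the file belongs to the endpoint.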
Created 07-29-2016 03:04 AM
<code>/cbreak_cloudbreak_1 | Importing certificates to the default Java certificate trust store.
/cbreak_registrator_1 | 2016/07/29 01:44:42 registrator: added: dd24262dd30c af7ab373046f:cbreak_cloudbreak_1:8080
/cbreak_consul_1 | 2016/07/29 01:44:42 [INFO] agent: Synced service 'af7ab373046f:cbreak_cloudbreak_1:8080'
/cbreak_cloudbreak_1 | Certificate was added to keystore
/cbreak_cloudbreak_1 | Certificate added to default Java trust store with alias sso.crt.
/cbreak_cloudbreak_1 | Starting the Cloudbreak application...
/cbreak_cloudbreak_1 | + '[' true == false ']'
/cbreak_cloudbreak_1 | + java -jar /cloudbreak.jar</code>
I checked the log file and found "Certificate added to default Java trust store with alias sso.crt",
so I think the .crt file is added correctly.
However, I still get the SSL error when accessing the HTTPS endpoint.
Created 07-29-2016 09:13 AM
Glad that it worked out, let us know if you believe something is missing from the docs and can be improved.