error while generating ca.crt file when starting ambari-server


I've added a new stack in ambari-server and built it. Now, after installing the ambari-server rpm on a single host, when I start ambari-server, it's giving the following error:

-----------Failure case-------------
openssl ca -create_serial -out /var/lib/ambari-server/keys/ca.crt -days 365 -keyfile /var/lib/ambari-server/keys/ca.key -key **** -selfsign -extensions jdk7_ca -config /var/lib/ambari-server/keys/ca.config -batch -infiles /var/lib/ambari-server/keys/ca.csr
was finished with exit code: 1 - an error occurred parsing the command options.

----------- logs are mentioned below-------------

20 Jun 2016 16:25:53,020  INFO [main] Configuration:1067 - Web App DIR test /usr/lib/ambari-server/web
20 Jun 2016 16:25:53,027  INFO [main] CertificateManager:68 - Initialization of root certificate
20 Jun 2016 16:25:53,027  INFO [main] CertificateManager:70 - Certificate exists:false
20 Jun 2016 16:25:53,027  INFO [main] CertificateManager:137 - Generation of server certificate

20 Jun 2016 16:25:55,627  INFO [main] ShellCommandUtil:44 - Command 
openssl genrsa -des3 -passout pass:**** -out /var/lib/ambari-server/keys/ca.key 4096
  was finished with exit code: 0 - the operation was completely successfully.

20 Jun 2016 16:25:55,644  INFO [main] ShellCommandUtil:44 - Command 
openssl req -passin pass:**** -new -key /var/lib/ambari-server/keys/ca.key -out /var/lib/ambari-server/keys/ca.csr -batch
 was finished with exit code: 0 - the operation was completely successfully.


20 Jun 2016 16:25:55,654  WARN [main] ShellCommandUtil:46 - Command
openssl ca -create_serial -out /var/lib/ambari-server/keys/ca.crt -days 365 -keyfile /var/lib/ambari-server/keys/ca.key -key **** -selfsign -extensions jdk7_ca -config /var/lib/ambari-server/keys/ca.config -batch -infiles /var/lib/ambari-server/keys/ca.csr
was finished with exit code: 1 - an error occurred parsing the command options.


20 Jun 2016 16:25:55,663  WARN [main] ShellCommandUtil:46 - Command 
openssl pkcs12 -export -in /var/lib/ambari-server/keys/ca.crt -inkey /var/lib/ambari-server/keys/ca.key -certfile /var/lib/ambari-server/keys/ca.crt
 -out /var/lib/ambari-server/keys/keystore.p12 -password pass:**** -passin pass:****
 was finished with exit code: 1 - an error occurred parsing the command options.

Can anyone help with this? I'm using CentOS7 on host for ambari-installation.

Re: error while generating ca.crt file when starting ambari-server

@Kuldeep Mishra

Is SSL enabled in the Ambari Server? If not, it's alright to have these errors. Is the Ambari server up and running?

Re: error while generating ca.crt file when starting ambari-server

@vpoornalingam

Could you please let me know how to verify if SSL is enabled in the Ambari Server?

Due to this problem, the ca.crt file is not being generated, due to which keystore.p12 is not created.

Following this, the Ambari server failed to start.

I'm getting the below error message in /var/log/ambari-server/ambari-server.log:

ERROR [main] AmbariServer:820 - Failed to run the Ambari Server
MultiException[java.io.FileNotFoundException: /var/lib/ambari-server/keys/keystore.p12 (No such file or directory), java.io.FileNotFoundException: /var/lib/ambari-server/keys/keystore.p12 (No such file or directory)]
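
The failure chain in the log excerpts above (the "openssl ca" step fails, so ca.crt and then keystore.p12 are never written) can be pulled out of the log mechanically. The following is an added example, not part of the original posts and not Ambari code: a shell helper that lists every ShellCommandUtil command with a non-zero exit code, in log order. The function names are hypothetical, and the sample log is constructed from the lines quoted in this thread.

```shell
#!/bin/sh
# Added example: list failed ShellCommandUtil commands from an Ambari server log.
# Function names are hypothetical; the sample log is constructed from this thread.

# Reads a log (file argument or stdin) and prints "exit_code<TAB>command"
# for every logged command whose exit code is not 0, in log order.
failed_commands() {
    awk '
        # Header line ends in "- Command"; the command itself follows on the next line(s).
        /ShellCommandUtil:[0-9]+ - Command[ \t]*$/ { in_cmd = 1; cmd = ""; next }
        in_cmd && /was finished with exit code:/ {
            code = $0
            sub(/.*exit code:[ \t]*/, "", code)   # drop text before the number
            sub(/[^0-9].*/, "", code)             # drop text after the number
            if (code != "0") printf "%s\t%s\n", code, cmd
            in_cmd = 0
            next
        }
        in_cmd {                                  # a command may wrap over several lines
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line != "") cmd = (cmd == "" ? line : cmd " " line)
        }
    ' "$@"
}

# The first failure is the one to debug; later ones may only be consequences
# (in the sample, pkcs12 needs the ca.crt that the ca step did not write).
first_failure() { failed_commands "$@" | head -n 1 | cut -f2 | awk '{ print $1, $2 }'; }

sample_log() {  # constructed sample, shortened from the log quoted above
    cat <<'EOF'
20 Jun 2016 16:25:55,644  INFO [main] ShellCommandUtil:44 - Command
openssl req -passin pass:**** -new -key /var/lib/ambari-server/keys/ca.key -out /var/lib/ambari-server/keys/ca.csr -batch
 was finished with exit code: 0 - the operation was completely successfully.
20 Jun 2016 16:25:55,654  WARN [main] ShellCommandUtil:46 - Command
openssl ca -create_serial -out /var/lib/ambari-server/keys/ca.crt -days 365 -keyfile /var/lib/ambari-server/keys/ca.key -key **** -selfsign -extensions jdk7_ca -config /var/lib/ambari-server/keys/ca.config -batch -infiles /var/lib/ambari-server/keys/ca.csr
was finished with exit code: 1 - an error occurred parsing the command options.
20 Jun 2016 16:25:55,663  WARN [main] ShellCommandUtil:46 - Command
openssl pkcs12 -export -in /var/lib/ambari-server/keys/ca.crt -inkey /var/lib/ambari-server/keys/ca.key -certfile /var/lib/ambari-server/keys/ca.crt
 -out /var/lib/ambari-server/keys/keystore.p12 -password pass:**** -passin pass:****
 was finished with exit code: 1 - an error occurred parsing the command options.
EOF
}

sample_log | failed_commands
```

Against the real log, run it as: failed_commands /var/log/ambari-server/ambari-server.log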

Re: error while generating ca.crt file when starting ambari-server

@Kuldeep Mishra

Those are simple WARN messages (not ERRORs), but just in case you want to use SSL, please check the openssl version that you have on your machine.

Please run the following command to verify the same:

rpm -qa | grep openssl

Also, you can validate whether your "openssl" has the option "-create_serial" available by running the following command (just pass any string after "openssl ca") to see the valid options, as follows:

# openssl ca -ANYTHING12345
unknown option -ANYTHING12345
usage: ca args
 -verbose        - Talk alot while doing things
 -config file    - A config file
 -name arg       - The particular CA definition to use
 -gencrl         - Generate a new CRL
 -crldays days   - Days is when the next CRL is due
 -crlhours hours - Hours is when the next CRL is due
 -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
 -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
 -days arg       - number of days to certify the certificate for
 -md arg         - md to use, see openssl dgst -h for list
 -policy arg     - The CA 'policy' to support
 -keyfile arg    - private key file
 -keyform arg    - private key file format (PEM or ENGINE)
 -key arg        - key to decode the private key if it is encrypted
 -cert file      - The CA certificate
 -selfsign       - sign a certificate with the key associated with it
 -in file        - The input PEM encoded certificate request(s)
 -out file       - Where to put the output file(s)
 -outdir dir     - Where to put output certificates
 -infiles ....   - The last argument, requests to process
 -spkac file     - File contains DN and signed public key and challenge
 -ss_cert file   - File contains a self signed cert to sign
 -preserveDN     - Don't re-order the DN
 -noemailDN      - Don't add the EMAIL field into certificate' subject
 -batch          - Don't ask questions
 -msie_hack      - msie modifications to handle all those universal strings
 -revoke file    - Revoke a certificate (given in file)
 -subj arg       - Use arg instead of request's subject
 -utf8           - input characters are UTF8 (default ASCII)
 -multivalue-rdn - enable support for multivalued RDNs
 -extensions ..  - Extension section (override value in config file)
 -extfile file   - Configuration file with X509v3 extentions to add
 -crlexts ..     - CRL extension section (override value in config file)
 -engine e       - use engine e, possibly a hardware device.
 -status serial  - Shows certificate status given the serial number
 -updatedb       - Updates db for expired certificates

Re: error while generating ca.crt file when starting ambari-server

@Joy

The following rpms are installed on my machine:

# rpm -qa|grep openssl
openssl-1.0.1e-51.el7_2.5.x86_64
openssl098e-0.9.8e-29.el7.centos.2.x86_64
openssl-libs-1.0.1e-51.el7_2.5.x86_64
openssl-devel-1.0.1e-51.el7_2.5.x86_64

Also you can validate whether your "openssl" has the option "-create_serial" available or not by running the following command (just pass any string after "openssl ca") to see the valid options like following.

Following is the output on my machine:

# openssl ca kuldeep
unknown option kuldeep
usage: ca args

 -verbose        - Talk alot while doing things
 -config file    - A config file
 -name arg       - The particular CA definition to use
 -gencrl         - Generate a new CRL
 -crldays days   - Days is when the next CRL is due
 -crlhours hours - Hours is when the next CRL is due
 -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
 -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
 -days arg       - number of days to certify the certificate for
 -md arg         - md to use, see openssl dgst -h for list
 -policy arg     - The CA 'policy' to support
 -keyfile arg    - private key file
 -keyform arg    - private key file format (PEM or ENGINE)
 -key arg        - key to decode the private key if it is encrypted
 -cert file      - The CA certificate
 -selfsign       - sign a certificate with the key associated with it
 -in file        - The input PEM encoded certificate request(s)
 -out file       - Where to put the output file(s)
 -outdir dir     - Where to put output certificates
 -infiles ....   - The last argument, requests to process
 -spkac file     - File contains DN and signed public key and challenge
 -ss_cert file   - File contains a self signed cert to sign
 -preserveDN     - Don't re-order the DN
 -noemailDN      - Don't add the EMAIL field into certificate' subject
 -batch          - Don't ask questions
 -msie_hack      - msie modifications to handle all those universal strings
 -revoke file    - Revoke a certificate (given in file)
 -subj arg       - Use arg instead of request's subject
 -utf8           - input characters are UTF8 (default ASCII)
 -multivalue-rdn - enable support for multivalued RDNs
 -extensions ..  - Extension section (override value in config file)
 -extfile file   - Configuration file with X509v3 extentions to add
 -crlexts ..     - CRL extension section (override value in config file)
 -engine e       - use engine e, possibly a hardware device.
 -status serial  - Shows certificate status given the serial number
 -updatedb       - Updates db for expired certificates


It is not showing -create_serial in the usage options.

However, when I run my command with the "-create_serial" option, it does not mention it as an unknown option:

# openssl ca -create_serial kuldeep
unknown option kuldeep
usage: ca args

 -verbose        - Talk alot while doing things
 -config file    - A config file
 -name arg       - The particular CA definition to use
 -gencrl         - Generate a new CRL
 -crldays days   - Days is when the next CRL is due
 -crlhours hours - Hours is when the next CRL is due
 -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
 -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
 -days arg       - number of days to certify the certificate for
 -md arg         - md to use, see openssl dgst -h for list
 -policy arg     - The CA 'policy' to support
 -keyfile arg    - private key file
 -keyform arg    - private key file format (PEM or ENGINE)
 -key arg        - key to decode the private key if it is encrypted
 -cert file      - The CA certificate
 -selfsign       - sign a certificate with the key associated with it
 -in file        - The input PEM encoded certificate request(s)
 -out file       - Where to put the output file(s)
 -outdir dir     - Where to put output certificates
 -infiles ....   - The last argument, requests to process
 -spkac file     - File contains DN and signed public key and challenge
 -ss_cert file   - File contains a self signed cert to sign
 -preserveDN     - Don't re-order the DN
 -noemailDN      - Don't add the EMAIL field into certificate' subject
 -batch          - Don't ask questions
 -msie_hack      - msie modifications to handle all those universal strings
 -revoke file    - Revoke a certificate (given in file)
 -subj arg       - Use arg instead of request's subject
 -utf8           - input characters are UTF8 (default ASCII)
 -multivalue-rdn - enable support for multivalued RDNs
 -extensions ..  - Extension section (override value in config file)
 -extfile file   - Configuration file with X509v3 extentions to add
 -crlexts ..     - CRL extension section (override value in config file)
 -engine e       - use engine e, possibly a hardware device.
 -status serial  - Shows certificate status given the serial number
 -updatedb       - Updates db for expired certificates