Created on 03-31-2017 09:50 AM - edited 09-16-2022 04:23 AM
Team,
I have enabled ssl/https for oozie with the help of the following link. It is working fine, as I am able to open the oozie web ui on port 11443 over https.
https://community.hortonworks.com/articles/85270/steps-to-enable-ssl-for-oozie-ui.html
But I am getting the following alert error in ambari for the oozie service.
Execution of 'source /usr/hdp/current/oozie-server/conf/oozie-env.sh ; oozie admin -oozie https://m2.hdp22:11443/oozie -status' returned 255. Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. No of retries = 1. Exception = java.security.cert.CertificateException: No name matching m2.hdp22 found
So any idea how to resolve it?
Note: I have a kerberized cluster.
Created 03-31-2017 09:58 AM
The SSL implementation says (RFC 2818, Section 3.1, para 4: https://tools.ietf.org/html/rfc2818#section-3.1):
"If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead."
So please check if you are creating the keys with the proper name.
In simple words, you should recreate your certificates with the exact FQDN, based on what you see in the following command's output.
# hostname -f
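The RFC 2818 rule quoted above is what the Oozie client's TLS hostname check enforces: a dNSName in subjectAltName is the identity when one is present, and only a certificate without one falls back to the subject CN. The following script is an added example (not part of the original thread or of Oozie) that implements that rule over certificate dicts in the shape Python's `ssl` module returns from `getpeercert()`; the certificates, the hostnames and the `CERT_*` names are constructed for illustration.

```python
"""RFC 2818 section 3.1 server-identity check (added example).

Constructed input: the certificate dicts below mimic the shape returned by
ssl.SSLSocket.getpeercert(); they are made up for this example and are not
taken from the thread's cluster.
"""
from typing import Dict, List, Tuple

Cert = Dict[str, tuple]

# Constructed peer certificates in getpeercert() shape.
CERT_UNKNOWN_CN: Cert = {  # keytool defaults accepted: CN=Unknown
    "subject": ((("countryName", "Unknown"),), (("commonName", "Unknown"),)),
}
CERT_FQDN_CN: Cert = {  # CN set to the `hostname -f` value, no SAN
    "subject": ((("countryName", "IN"),), (("stateOrProvinceName", "KA"),),
                (("commonName", "m2.hdp22"),)),
}
CERT_SAN_OVERRIDES_CN: Cert = {  # correct CN, but a SAN is present and wins
    "subject": ((("commonName", "m2.hdp22"),),),
    "subjectAltName": (("DNS", "oozie-lb.example.test"),),
}
CERT_WILDCARD_SAN: Cert = {  # wildcard SAN; CN is ignored entirely
    "subject": ((("commonName", "ignored.example.test"),),),
    "subjectAltName": (("DNS", "*.hdp22.example.test"),),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match. A '*' is honoured only as the whole
    left-most label, and only when at least two labels follow it (so a
    pattern like '*.hdp22' never matches, as browsers also refuse)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def presented_identities(cert: Cert) -> Tuple[str, List[str]]:
    """RFC 2818 s3.1: dNSName SANs are the identity when present; only a
    certificate with no dNSName SAN falls back to the subject's CN(s)."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ())
               if kind == "DNS"]
    if san_dns:
        return "subjectAltName", san_dns
    cns = [value for rdn in cert.get("subject", ())
           for kind, value in rdn if kind == "commonName"]
    return "commonName", cns


def check_hostname(cert: Cert, hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason). The failure text mirrors the Java exception
    quoted in the thread ('No name matching ... found')."""
    source, names = presented_identities(cert)
    if not names:
        return False, "certificate presents neither a dNSName SAN nor a CN"
    for name in names:
        if dns_name_matches(name, hostname):
            return True, f"{hostname} matches {source} {name!r}"
    return False, f"No name matching {hostname} found (checked {source}: {names})"


if __name__ == "__main__":
    cases = [("CN=Unknown", CERT_UNKNOWN_CN), ("CN=m2.hdp22", CERT_FQDN_CN),
             ("CN=m2.hdp22 plus SAN", CERT_SAN_OVERRIDES_CN)]
    for label, cert in cases:
        ok, why = check_hostname(cert, "m2.hdp22")
        print(f"{label:22s} -> {'OK  ' if ok else 'FAIL'} {why}")
```

The third constructed case is the one to keep in mind when regenerating a keystore: a correct CN does not help if the certificate also carries a subjectAltName dNSName, because the client never consults the CN in that case. Inspecting the generated certificate for SAN entries before deploying it avoids a second round of the same alert.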
Created 04-05-2017 09:18 AM
@Jay SenSharma : I tried changing the name of key-file but still getting the same alert.
[oozie@m2 ~]$ source /usr/hdp/current/oozie-server/conf/oozie-env.sh
[oozie@m2 ~]$ oozie admin -oozie https://m2.hdp22:11443/oozie -status
Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. No of retries = 1. Exception = java.security.cert.CertificateException: No name matching m2.hdp22 found
[oozie@m2 ~]$ hostname -f
m2.hdp22
[oozie@m2 ~]$ ls -ltr
total 8
-rw-r--r-- 1 oozie hadoop 2245 Mar 31 05:15 keystore.jks
-rw-r--r-- 1 oozie hadoop 2245 Apr 5 05:08 m2.hdp22.jks
Created 04-05-2017 09:54 AM
Sorry that I was not very clear. You said "I tried changing the name of key-file but still getting the same alert."
This is because I never asked you to change the key file name. In my last comment I said "you should recreate your certificates with the exact FQDN base", which means you need to regenerate the keystore, and while creating the keystore it will ask for "CN" (Common Name); there you should be using the "hostname -f" command output as CN.
Example:
keytool -genkey -v -alias testalias -keyalg RSA -keysize 1024 -keystore /etc/certs/serverKeystore.jks -validity 365 -keypass keypass1 -storepass keypass1 -dname "CN=yourFQDN, OU=someOU, O=Hwx, L=Bangalore, S=KA, C=IN"
Notice the CN here; it should be correct.
Created 04-05-2017 12:15 PM
Sorry for the misunderstanding. I only recreated it and used it; "changed" was typed by mistake.
[oozie@m2 ~]$ keytool -genkey -keyalg RSA -alias ooziehost -keystore m2.hdp22.jks -validity 360 -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for <ooziehost>
(RETURN if same as keystore password):
Re-enter new password:
Created 04-05-2017 12:22 PM
This is not correct:
CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct
In CN you should enter a valid hostname (FQDN) that is resolvable. Please try entering some meaningful values for these attributes of "dname" and then try, especially the CN part.
Re-posting what the SSL implementation says (RFC 2818, Section 3.1, para 4: https://tools.ietf.org/html/rfc2818#section-3.1):
"If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead."
Created 04-06-2017 06:34 AM
Still the same:
[oozie@m2 ~]$ keytool -genkey -keyalg RSA -alias ooziehost -keystore m2.hdp22.jks -validity 360 -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
[m2.hdp22]:
What is the name of your organizational unit?
[test]: TEST
What is the name of your organization?
[self]: SELF
What is the name of your City or Locality?
[blr]: BLR
What is the name of your State or Province?
[ka]: KA
What is the two-letter country code for this unit?
[IN]:
Is CN=m2.hdp22, OU=TEST, O=SELF, L=BLR, ST=KA, C=IN correct?
[no]: yes
Enter key password for <ooziehost>
(RETURN if same as keystore password):
Re-enter new password:
[oozie@m2 ~]$
[oozie@m2 ~]$
[oozie@m2 ~]$
[oozie@m2 ~]$ ls -ltrh
total 8.0K
-rw-r--r-- 1 oozie hadoop 2.2K Mar 31 05:15 keystore.jks
-rw-r--r-- 1 oozie hadoop 2.2K Apr 6 02:22 m2.hdp22.jks
[oozie@m2 ~]$ source /usr/hdp/current/oozie-server/conf/oozie-env.sh
[oozie@m2 ~]$ oozie admin -oozie https://m2.hdp22:11000/oozie -status
Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. No of retries = 1. Exception = Unrecognized SSL message, plaintext connection?
Created 03-31-2017 10:00 AM
Have you added oozie's cert in ambari truststore?
Created 04-05-2017 08:57 AM
I tried the above steps but am still getting the same alert in ambari.
I have the following points; can you please help me to understand them?
I followed the following articles for ambari https and for oozie, and both have a different way to create the certificate and keys.
http://www.hadoopadmin.co.in/enable-https-for-ambari-server/
https://community.hortonworks.com/articles/85270/steps-to-enable-ssl-for-oozie-ui.html
Created 04-05-2017 01:04 PM
Create the keystore using the command below; CN should match the FQDN of the oozie host.
Replace JksFilePath with the complete .jks file location you want to create; the -storepass password must be the same as the keypass password.
#keytool -genkey -alias oozie-server -keyalg RSA -keysize 1024 -keystore <JksFilePath> -validity 365 -keypass <Password> -storepass <Password> -dname "CN=m2.hdp22, OU=Test, O=Test, L=Bangalore, S=KA, C=IN"
Note that CN is now set to m2.hdp22, which must be the oozie service hostname.
Set the variables in oozie-env:
export OOZIE_HTTPS_KEYSTORE_FILE=<JksFilePath>
export OOZIE_HTTPS_KEYSTORE_PASS=<Password>
Created 04-06-2017 06:53 AM
I do not think that the error you are reporting now, as follows, is the same as the previously reported error:
Current Error: Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. No of retries = 1. Exception = Unrecognized SSL message, plaintext connection?
Originally reported Error (which was due to an incorrect Name used for CN):
Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. No of retries = 1. Exception = java.security.cert.CertificateException: No name matching m2.hdp22 found
Are you connecting to the right HTTPS port? Please check your "OOZIE_HTTPS_PORT" in oozie-env.