ssl enabled for oozie and getting following error: java.security.cert.CertificateException


Guru

Team,

I have enabled SSL/HTTPS for Oozie with the help of the following link. It is working fine, as I am able to open the Oozie web UI on port 11443 over HTTPS.

https://community.hortonworks.com/articles/85270/steps-to-enable-ssl-for-oozie-ui.html

https://m2.hdp22:11443/oozie.

But I am getting the following alert error in Ambari for the Oozie service.

Execution of 'source /usr/hdp/current/oozie-server/conf/oozie-env.sh ; oozie admin -oozie https://m2.hdp22:11443/oozie -status' returned 255. Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. No of retries = 1. Exception = java.security.cert.CertificateException: No name matching m2.hdp22 found

So, any idea how to resolve it?

Note: I have a Kerberized cluster.


Re: ssl enabled for oozie and getting following error: java.security.cert.CertificateException

Super Mentor

@Saurabh

The SSL implementation says (RFC 2818, Section 3.1, para 4, https://tools.ietf.org/html/rfc2818#section-3.1):

"If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead."

So please check if you are creating the keys with the proper name.

In simple words, you should recreate your certificates with the exact FQDN based on what you see in the following command's output.

# hostname -f

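The RFC 2818 rule quoted above is what the Java client behind `oozie admin` is enforcing when it reports "No name matching m2.hdp22 found". The following script is an added example, not code from the thread or from Oozie, that applies the same rule to a certificate: if subjectAltName dNSName entries exist only those are compared, otherwise the (last, most specific) Common Name is used. It assumes the certificate is represented in the dict layout Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates at the bottom are constructed for illustration and are not the thread's keystores.

```python
"""
Hostname verification as an RFC 2818 (section 3.1) client applies it.
Certificates use the dict layout returned by ssl.SSLSocket.getpeercert():
  {"subject": (((attr, value),), ...), "subjectAltName": (("DNS", name), ...)}
"""


def _dns_names_from_san(cert):
    # Only dNSName entries count for hostname identity; IP/email SANs are ignored here.
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    # Subject is a sequence of RDNs, each a sequence of (attribute, value) pairs.
    names = []
    for rdn in cert.get("subject", ()):
        for (attr, value) in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def _pattern_matches(pattern, hostname):
    # Case-insensitive comparison; a trailing dot is ignored on both sides.
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # A wildcard covers exactly one leftmost label, never the bare domain.
    suffix = pattern[1:]  # e.g. ".hdp22"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def identity_names(cert):
    """Return (source, names): source is 'SAN' when dNSName entries exist
    (and they MUST then be used), otherwise 'CN' with the most specific CN."""
    san = _dns_names_from_san(cert)
    if san:
        return "SAN", san
    cns = _common_names(cert)
    return "CN", cns[-1:]  # the last CN is the most specific one


def hostname_matches(cert, hostname):
    """True if the certificate identifies the given hostname per RFC 2818."""
    _, names = identity_names(cert)
    return any(_pattern_matches(name, hostname) for name in names)


def explain_mismatch(cert, hostname):
    """None on success, otherwise a message in the spirit of the Java client's
    'No name matching <host> found', showing which names the cert actually carries."""
    if hostname_matches(cert, hostname):
        return None
    source, names = identity_names(cert)
    if not names:
        return "certificate carries neither a dNSName SAN nor a Common Name"
    return "No name matching %s found (%s = %s)" % (hostname, source, ", ".join(names))


# Constructed sample certificates (illustrative, not taken from the thread).
CERT_UNKNOWN_CN = {"subject": ((("commonName", "Unknown"),),)}          # keytool defaults left as-is
CERT_FQDN_CN = {"subject": ((("commonName", "m2.hdp22"),),)}            # CN = output of `hostname -f`
CERT_SAN_OVERRIDES_CN = {"subject": ((("commonName", "m2.hdp22"),),),   # CN is right, but a SAN is present
                         "subjectAltName": (("DNS", "other.hdp22"),)}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.hdp22"),)}


if __name__ == "__main__":
    for label, cert in (("Unknown CN", CERT_UNKNOWN_CN), ("FQDN CN", CERT_FQDN_CN),
                        ("SAN overrides CN", CERT_SAN_OVERRIDES_CN), ("wildcard SAN", CERT_WILDCARD)):
        print("%-18s -> %s" % (label, explain_mismatch(cert, "m2.hdp22") or "OK"))
```

The third sample is the case most often missed: a correct CN does not help once any dNSName SAN is present, because the RFC says the SAN must then be used instead. To compare what a keystore actually contains against `hostname -f`, `keytool -list -v -keystore <file>` prints the certificate's Owner line (the CN) and any SubjectAlternativeName extension.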


Re: ssl enabled for oozie and getting following error: java.security.cert.CertificateException

Guru

@Jay SenSharma: I tried changing the name of the key file but am still getting the same alert.

[oozie@m2 ~]$ source /usr/hdp/current/oozie-server/conf/oozie-env.sh

[oozie@m2 ~]$ oozie admin -oozie https://m2.hdp22:11443/oozie -status

Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. No of retries = 1. Exception = java.security.cert.CertificateException: No name matching m2.hdp22 found

[oozie@m2 ~]$ hostname -f

m2.hdp22

[oozie@m2 ~]$ ls -ltr

total 8

-rw-r--r-- 1 oozie hadoop 2245 Mar 31 05:15 keystore.jks

-rw-r--r-- 1 oozie hadoop 2245 Apr 5 05:08 m2.hdp22.jks


Re: ssl enabled for oozie and getting following error: java.security.cert.CertificateException

Super Mentor

@Saurabh

Sorry that I was not very clear. You said "I tried changing the name of the key file but am still getting the same alert."

This is because I never asked you to change the key file name. In my last comment I said "you should recreate your certificates with the exact FQDN based on ...", which means you need to regenerate the keystore, and while creating the keystore it will ask for the "CN" (Common Name); there you should be using the output of the "hostname -f" command as the CN.

Example:

keytool -genkey -v -alias testalias -keyalg RSA -keysize 1024 -keystore /etc/certs/serverKeystore.jks -validity 365 -keypass keypass1 -storepass keypass1 -dname "CN=yourFQDN, OU=someOU, O=Hwx, L=Bangalore, S=KA, C=IN"


Notice the CN here; it should be correct.

Re: ssl enabled for oozie and getting following error: java.security.cert.CertificateException

Guru

Sorry for the misunderstanding. I only recreated it and used it; "changed" was typed by mistake.

[oozie@m2 ~]$ keytool -genkey -keyalg RSA -alias ooziehost -keystore m2.hdp22.jks -validity 360 -keysize 2048

Enter keystore password:

Re-enter new password:

What is your first and last name?

[Unknown]:

What is the name of your organizational unit?

[Unknown]:

What is the name of your organization?

[Unknown]:

What is the name of your City or Locality?

[Unknown]:

What is the name of your State or Province?

[Unknown]:

What is the two-letter country code for this unit?

[Unknown]:

Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?

[no]: yes

Enter key password for <ooziehost>

(RETURN if same as keystore password):

Re-enter new password:


Re: ssl enabled for oozie and getting following error: java.security.cert.CertificateException

Super Mentor

@Saurabh

This is not correct:

CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct

In the CN you should enter a valid hostname (FQDN) that is resolvable. Please try entering some meaningful values for these attributes of the "dname" and then try again, especially the CN part.

Re-posting what the SSL implementation says (RFC 2818, Section 3.1, para 4, https://tools.ietf.org/html/rfc2818#section-3.1):

"If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead."


Re: ssl enabled for oozie and getting following error: java.security.cert.CertificateException

Guru

@Jay SenSharma

Still the same:

[oozie@m2 ~]$ keytool -genkey -keyalg RSA -alias ooziehost -keystore m2.hdp22.jks -validity 360 -keysize 2048

Enter keystore password:

Re-enter new password:

What is your first and last name?

[m2.hdp22]:

What is the name of your organizational unit?

[test]: TEST

What is the name of your organization?

[self]: SELF

What is the name of your City or Locality?

[blr]: BLR

What is the name of your State or Province?

[ka]: KA

What is the two-letter country code for this unit?

[IN]:

Is CN=m2.hdp22, OU=TEST, O=SELF, L=BLR, ST=KA, C=IN correct?

[no]: yes

Enter key password for <ooziehost>

(RETURN if same as keystore password):

Re-enter new password:

[oozie@m2 ~]$

[oozie@m2 ~]$ ls -ltrh

total 8.0K

-rw-r--r-- 1 oozie hadoop 2.2K Mar 31 05:15 keystore.jks

-rw-r--r-- 1 oozie hadoop 2.2K Apr 6 02:22 m2.hdp22.jks

[oozie@m2 ~]$ source /usr/hdp/current/oozie-server/conf/oozie-env.sh

[oozie@m2 ~]$ oozie admin -oozie https://m2.hdp22:11000/oozie -status

Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. No of retries = 1. Exception = Unrecognized SSL message, plaintext connection?


Re: ssl enabled for oozie and getting following error: java.security.cert.CertificateException

Guru

I tried the above steps but am still getting the same alert in Ambari.

I have the following points; can you please help me understand them?

  1. Can we have a different self-signed certificate for each of the Hadoop web UIs (Ambari, Oozie, NN, RM, etc.)?
  2. If yes, then do we need to set up a truststore for every certificate, and if so, how can we achieve that?

I followed the following articles for Ambari HTTPS and for Oozie, and both have different ways to create the certificate and keys.

http://www.hadoopadmin.co.in/enable-https-for-ambari-server/

https://community.hortonworks.com/articles/85270/steps-to-enable-ssl-for-oozie-ui.html


Re: ssl enabled for oozie and getting following error: java.security.cert.CertificateException

Super Collaborator

@Saurabh

Create the keystore using the command below. The CN should match the FQDN of the Oozie host.

Replace JksFilePath with the complete .jks file location you want to create; the -storepass password must be the same as the -keypass password.

# keytool -genkey -alias oozie-server -keyalg RSA -keysize 1024 -keystore <JksFilePath> -validity 365 -keypass <Password> -storepass <Password> -dname "CN=m2.hdp22, OU=Test, O=Test, L=Bangalore, S=KA, C=IN"

Note that CN is now set to m2.hdp22 which must be the oozie service hostname.

Set the variables in oozie-env:

export OOZIE_HTTPS_KEYSTORE_FILE=<JksFilePath>

export OOZIE_HTTPS_KEYSTORE_PASS=<Password>
