Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

wildcard cert ranger solr audit does not match certificate CN to wildcard

Labels:
avatar
author-rank anshuman
Expert Contributor

Created ‎01-31-2018 12:15 AM

Hi

So I am attempting to use my CA signed cert for ranger auditing. Although I don't have the complete setup running yet one of the issues I am facing is that ranger cannot initiate the solr collection because of the following error

Note that this is a CA issued wildcard cert for *.my-company.com and it works properly across certs and other products. Why is it that it is trying to use the ip address rather than the hostname which would probably then give the right result.

I have looked around in the exported blueprint and I don't any reference to the ip ; just the hostname which all end with *.my-company.com and thus they should be resolved.

Am using solr cloud so the ranger.audit.solr.urls = "" and the ranger.audit.solr.zookeepers="server1.my-company.com:2181,server2.my-company.com:2181,server3.my-company.com:2181/infra-solr"

No live SolrServers available to handle this request:[https://192.168.10.20:8886/solr]
org.apache.solr.client.solrj.SolrServerException: No live SolrServers available to handle this request:[https://192.168.10.20:8886/solr]
	at org.apache.solr.client.solrj.impl.LBHttpSolrClient.request(LBHttpSolrClient.java:352)
	at org.apache.solr.client.solrj.impl.CloudSolrClient.sendRequest(CloudSolrClient.java:1121)
	at org.apache.solr.client.solrj.impl.CloudSolrClient.requestWithRetryOnStaleState(CloudSolrClient.java:891)
	at org.apache.solr.client.solrj.impl.CloudSolrClient.request(CloudSolrClient.java:827)
	at org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:149)
	at org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:166)
	at org.apache.ambari.logsearch.solr.commands.AbstractSolrRetryCommand.createAndProcessRequest(AbstractSolrRetryCommand.java:43)
	at org.apache.ambari.logsearch.solr.commands.AbstractRetryCommand.retry(AbstractRetryCommand.java:45)
	at org.apache.ambari.logsearch.solr.commands.AbstractRetryCommand.run(AbstractRetryCommand.java:40)
	at org.apache.ambari.logsearch.solr.AmbariSolrCloudClient.listCollections(AmbariSolrCloudClient.java:102)
	at org.apache.ambari.logsearch.solr.AmbariSolrCloudClient.createCollection(AmbariSolrCloudClient.java:109)
	at org.apache.ambari.logsearch.solr.AmbariSolrCloudCLI.main(AmbariSolrCloudCLI.java:473)
Caused by: org.apache.solr.client.solrj.SolrServerException: IOException occured when talking to server at: https://192.168.10.20:8886/solr
	at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:590)
	at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:241)
	at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:230)
	at org.apache.solr.client.solrj.impl.LBHttpSolrClient.doRequest(LBHttpSolrClient.java:372)
	at org.apache.solr.client.solrj.impl.LBHttpSolrClient.request(LBHttpSolrClient.java:325)
	... 11 more
Caused by: javax.net.ssl.SSLException: Certificate for <192.168.10.20> doesn't match common name of the certificate subject: *.my-company.com
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:172)
	at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:61)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:140)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114)
	at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:569)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:544)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
	at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
	at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:482)
	... 15 more
1,442 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank anshuman
Expert Contributor

Created ‎01-31-2018 06:39 PM

This problem is solved using the solution outlined https://community.hortonworks.com/content/supportkb/150187/unable-to-view-ranger-audit-when-ssl-is-e...

View solution in original post

1,272 Views
0 Kudos
1 REPLY 1

avatar
author-rank anshuman
Expert Contributor

Created ‎01-31-2018 06:39 PM

This problem is solved using the solution outlined https://community.hortonworks.com/content/supportkb/150187/unable-to-view-ranger-audit-when-ssl-is-e...

1,273 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements