The certificate_unknown message is received as an alert from the caller initiating the TLS session. Generally, that means that the client making a connection to the server did not trust the certificate. To find out who is really not trusting the NameNode certificate, check anything that connects to the NameNode. Mostly, it is the DataNodes who need to hearbeat in I think. Check your DataNode logs to find out if you get exceptions regarding trust when they attempt to make a connection. For Resource Manager, check the NodeMangers' logs too. Once you have reviewed the logs, you will likely have a better idea of what is going on. You mentioned that "/var/lib/hadoop-hdfs/certs" is your truststore. If it is, it should contain the certificate for every host in your cluster. Also, make sure you have configured a path to it in the Service Configuration in HDFS: "Cluster-Wide Default TLS/SSL Client Truststore Location"
... View more
