My suggestion to set kerberos.operation.verify.kdc.trust to true is a bit of a hack, but it may give you an idea of what the cause is. If this works, then there is something up with the Ambari trust store... like the needed CA certs have not been imported, or maybe Ambari is not really using the one you think it is. Once we figure out a solution to the issue, we can flip the flag back to true (or remove that property) and you will have SSL certificate trust validation turned on again. Looking at the log entries, the issue points to a lack of information in the trust store : sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Did you try adding all CA and intermediary CA certs into the trust store?
... View more
