the problem appears to be that for some reason, the SSL cert generated and signed by the ambari server as it starts up is invalid until tomorrow ..
openssl x509 -noout -in /var/lib/ambari-server/keys/ca.crt dates notBefore=Jul 24 04:41:20 2013 GMT notAfter=Jul 24 04:41:20 2014 GMT which is really strange as the system date/time on my server seems to be set correctly.. Anyone seen anything like this before? (the version of openssl I've got on my RH6.4 x64 box is: openssl-1.0.0-27.el6.x86_64, ambari codebase v1.2.4) From: Aaron Cody <[email protected]> Reply-To: <[email protected]> Date: Tuesday, July 23, 2013 1:39 PM To: "[email protected]" <[email protected]> Subject: Re: problem with the registration step looks like the agent is failing to connect back to the master because of some SSL cert problem?? curl https://ac-dev-01.sensage.com:8441/agent/v1/register/ac-dev-03.sensage.com curl: (60) Peer certificate cannot be authenticated with known CA certificates More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. any ideas how to rectify this? thanks From: Aaron Cody <[email protected]> Reply-To: <[email protected]> Date: Tuesday, July 23, 2013 1:28 PM To: "[email protected]" <[email protected]> Subject: Re: problem with the registration step attached - thanks From: Siddharth Wagle <[email protected]> Reply-To: "[email protected]" <[email protected]> Date: Tuesday, July 23, 2013 1:00 PM To: "[email protected]" <[email protected]> Subject: Re: problem with the registration step Hi Aaron, Could you correlate this message with the server logs and provide them? If you stop and start the agent you should be able to capture the error if any on the server side. To turn on debugging on the agent, edit /etc/ambari-agent/conf/ambari-agent.ini also turning on debugging on the server site might help. (/etc/ambari-server/conf/log4j.properties) -Sid On Tue, Jul 23, 2013 at 12:27 PM, Aaron Cody <[email protected]> wrote: > Any ideas what might be causing this? > > * I am using FQDNs and I can passwordless-SSH from master to all slave > machines > * RedHat 6.4 > Registration fails: > > self.httpsconn.connect()\n File > \"/usr/lib/python2.6/site-packages/ambari_agent/security.py\", line 63, in > connect\n ca_certs=server_crt)\n File \"/usr/lib64/python2.6/ssl.py\", line > 338, in wrap_socket\n suppress_ragged_eofs=suppress_ragged_eofs)\n File > \"/usr/lib64/python2.6/ssl.py\", line 118, in __init__\n cert_reqs, > ssl_version, ca_certs)\nSSLError: [Errno 336445442] _ssl.c:353: > error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib\n', > None)\n\nSTDERR\nConnection to ac-dev-04.sensage.com > <http://ac-dev-04.sensage.com> closed.\nRegistering with the > server...\nRegistration with the server failed."}]
smime.p7s
Description: S/MIME cryptographic signature
