Basapuram Kumar created AMBARI-26428:
----------------------------------------
Summary: Ambari server fails to start to create SslContextFactory
when KeyStore has multiple certificates
Key: AMBARI-26428
URL: https://issues.apache.org/jira/browse/AMBARI-26428
Project: Ambari
Issue Type: Bug
Reporter: Basapuram Kumar
+*Issue description*+
During an upgrade of Ambari Server to version *2.7.9.0* on a *RHEL 8*
environment with *Kerberos enabled* and *SSL configured with multiple SAN
entries*, the Ambari server fails to start.
{code:java}
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start.........................
DB configs consistency check found warnings. See /var/log/ambari-server/ambari-server-check-database.log for more details.
ERROR: Exiting with exit code -1.
REASON: Ambari Server java process has stopped. Please check the logs for more information.
{code}
From the ambari-server.log, we are able to see the errors below.
{code:java}
2025-03-26 10:17:01,022 ERROR [main] AmbariServer:1123 - Failed to run the Ambari Server
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
    at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1289)
    at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1271)
    at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:373)
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:244)
2025-03-26 10:17:01,076 ERROR [main] AmbariServer:901 - Error stopping the server
MultiException[java.lang.NoClassDefFoundError: org/eclipse/jetty/util/Loader, java.lang.NoClassDefFoundError: org/eclipse/jetty/util/Loader]
    at org.eclipse.jetty.util.MultiException.ifExceptionThrow(MultiException.java:122)
    at org.eclipse.jetty.server.Server.doStop(Server.java:484)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:94)
    at org.apache.ambari.server.controller.AmbariServer.stop(AmbariServer.java:899)
    at org.apache.ambari.server.controller.AmbariServer.main(AmbariServer.java:1125)
{code}
When you have multiple SAN entries, the issue is reproducible.
h3. *Reproducible Scenario:*
* *OS:* RHEL 8
* *Ambari Configuration:*
** Kerberos enabled
** SSL enabled with *multiple SAN entries*
* The issue is caused by Jetty's {{SslContextFactory}}, which does not
support multiple certificates in the default base class.
When we have multiple SAN entries, the issue is reproducible.
+*Fix references*+
1. Jetty's SslContextFactory has been split for Client/Server classes via
[https://github.com/jetty/jetty.project/pull/3480].
2. From Apache HIVE-27952
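Added example (not part of the original report and not Ambari or Jetty code): a JDK-only inventory of a keystore, useful for confirming how many certificates and SAN entries it holds before deciding whether the "KeyStores with multiple certificates" condition in the exception applies. The class name, the command-line arguments and the `KEYSTORE_PASSWORD` environment variable are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

/** Lists every alias in a keystore with its entry kind, subject, expiry and SANs. */
public class KeystoreInventory {
    public static void main(String[] args) throws Exception {
        // Assumed interface: path and type as arguments, password from the environment
        // so that it does not end up in shell history or the process list.
        String pw = System.getenv("KEYSTORE_PASSWORD");
        if (args.length < 2 || pw == null) {
            System.err.println("usage: KEYSTORE_PASSWORD=... java KeystoreInventory <keystore> <JKS|PKCS12>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw.toCharArray());
        }
        int x509Count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "private-key entry" : "trusted-certificate entry";
            System.out.printf("alias=%s (%s)%n", alias, kind);
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue; // nothing further to report for non-X.509 entries
            }
            x509Count++;
            X509Certificate x = (X509Certificate) cert;
            System.out.printf("  subject=%s%n", x.getSubjectX500Principal().getName());
            System.out.printf("  notAfter=%s%n", x.getNotAfter());
            Collection<List<?>> sans = x.getSubjectAlternativeNames();
            if (sans == null) {
                System.out.println("  SAN: none");
                continue;
            }
            for (List<?> san : sans) {
                // Each SAN is [type, value]; type 2 = dNSName, 7 = iPAddress (RFC 5280 GeneralName).
                System.out.printf("  SAN type=%s value=%s%n", san.get(0), san.get(1));
            }
        }
        System.out.printf("%d alias(es), %d X.509 certificate(s)%n", ks.size(), x509Count);
    }
}
```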