[
https://issues.apache.org/jira/browse/AMBARI-26428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17940256#comment-17940256
]
Basapuram Kumar commented on AMBARI-26428:
------------------------------------------
PR - https://github.com/apache/ambari/pull/3974
> Ambari server fails to start to create SslContextFactory when KeyStore has
> multiple certificates
> ------------------------------------------------------------------------------------------------
>
> Key: AMBARI-26428
> URL: https://issues.apache.org/jira/browse/AMBARI-26428
> Project: Ambari
> Issue Type: Bug
> Reporter: Basapuram Kumar
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> +*Issue description*+
> During an upgrade of Ambari Server to version *2.7.9.0* on a *RHEL 8*
> environment with *Kerberos enabled* and *SSL configured with multiple SAN
> entries*, the Ambari server fails to start.
>
>
> {code:java}
> Ambari database consistency check started...
> Server PID at: /var/run/ambari-server/ambari-server.pid
> Server out at: /var/log/ambari-server/ambari-server.out
> Server log at: /var/log/ambari-server/ambari-server.log
> Waiting for server start.........................
> DB configs consistency check found warnings. See /var/log/ambari-server/ambari-server-check-database.log for more details.
> ERROR: Exiting with exit code -1.
> REASON: Ambari Server java process has stopped. Please check the logs for more information.
> {code}
>
>
> From the ambari-server.log, we are able to see the below errors.
>
> {code:java}
> 2025-03-26 10:17:01,022 ERROR [main] AmbariServer:1123 - Failed to run the Ambari Server
> java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1289)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1271)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:373)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:244)
> 2025-03-26 10:17:01,076 ERROR [main] AmbariServer:901 - Error stopping the server
> MultiException[java.lang.NoClassDefFoundError: org/eclipse/jetty/util/Loader, java.lang.NoClassDefFoundError: org/eclipse/jetty/util/Loader]
>     at org.eclipse.jetty.util.MultiException.ifExceptionThrow(MultiException.java:122)
>     at org.eclipse.jetty.server.Server.doStop(Server.java:484)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:94)
>     at org.apache.ambari.server.controller.AmbariServer.stop(AmbariServer.java:899)
>     at org.apache.ambari.server.controller.AmbariServer.main(AmbariServer.java:1125)
> {code}
>
>
> When you have multiple SAN entries, the issue is reproducible.
> h3. *Reproducible Scenario:*
> * *OS:* RHEL 8
> * *Ambari Configuration:*
> ** Kerberos enabled
> ** SSL enabled with *multiple SAN entries*
> * The issue is caused by Jetty's {{SslContextFactory}}, which does not
> support multiple certificates in the default base class.
>
> When we have multiple SAN entries, the issue is reproducible.
>
> +*Fix references*+
> 1. Jetty's SslContextFactory has been split for Client/Server classes via
> [https://github.com/jetty/jetty.project/pull/3480].
> 2. From Apache Hive
> https://issues.apache.org/jira/browse/HIVE-27952
>