More info from the server log:
21:20:41,833 INFO [main] Configuration:411 - Reading password from
existing file
21:20:41,866 INFO [main] Configuration:422 - API SSL Authentication is
turned on.
21:20:41,866 ERROR [main] Configuration:437 - There is no keystore for
https UI connection.
21:20:41,866 ERROR [main] Configuration:438 - Run "ambari-server
setup-https" or set api.ssl = false.
21:20:41,877 ERROR [main] ViewRegistry:249 - Caught exception extracting
view archive /var/lib/ambari-server/resources/views/slider-0
.0.1-SNAPSHOT.jar.
com.google.inject.ProvisionException: Guice provision errors:
1) Error injecting constructor, java.lang.RuntimeException: Error reading
certificate password from file /var/lib/ambari-server/keys/
https.pass.txt
at
org.apache.ambari.server.configuration.Configuration.<init>(Configuration.j
ava:330)
at
org.apache.ambari.server.configuration.Configuration.class(Configuration.ja
va:321)
while locating org.apache.ambari.server.configuration.Configuration
1 error
at
com.google.inject.internal.InjectorImpl$4.get(InjectorImpl.java:987)
at
com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1013)
at
org.apache.ambari.server.view.ViewRegistry.main(ViewRegistry.java:240)
Caused by: java.lang.RuntimeException: Error reading certificate password
from file /var/lib/ambari-server/keys/https.pass.txt
at
org.apache.ambari.server.configuration.Configuration.<init>(Configuration.j
ava:439)
at
org.apache.ambari.server.configuration.Configuration.<init>(Configuration.j
ava:330)
at
org.apache.ambari.server.configuration.Configuration$$FastClassByGuice$$3b5
88b69.newInstance(<generated>)
at
com.google.inject.internal.cglib.reflect.$FastConstructor.newInstance(FastC
onstructor.java:40)
at
com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(De
faultConstructionProxyFactory.java:60)
at
com.google.inject.internal.ConstructorInjector.construct(ConstructorInjecto
r.java:85)
at
com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBi
ndingImpl.java:254)
at
com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(Provider
ToInternalFactoryAdapter.java:46)
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:103
1)
at
com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToI
nternalFactoryAdapter.java:40)
at com.google.inject.Scopes$1$1.get(Scopes.java:65)
at
com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFac
toryToProviderAdapter.java:40)
at
com.google.inject.internal.InjectorImpl$4$1.call(InjectorImpl.java:978)
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:102
4)
at
com.google.inject.internal.InjectorImpl$4.get(InjectorImpl.java:974)
... 2 more
21:20:44,055 INFO [main] Configuration:411 - Reading password from
existing file
21:20:44,107 INFO [main] Configuration:422 - API SSL Authentication is
turned on.
21:20:44,107 ERROR [main] Configuration:437 - There is no keystore for
https UI connection.
21:20:44,107 ERROR [main] Configuration:438 - Run "ambari-server
setup-https" or set api.ssl = false.
ambari-server setup-https is not a valid command. Also, it appears to
eventually recover, as seen below:
21:20:54,895 INFO [main] Configuration:411 - Reading password from
existing file
21:20:54,915 INFO [main] Configuration:422 - API SSL Authentication is
turned on.
21:20:54,915 ERROR [main] Configuration:437 - There is no keystore for
https UI connection.
21:20:54,915 ERROR [main] Configuration:438 - Run "ambari-server
setup-https" or set api.ssl = false.
21:21:23,930 INFO [main] Configuration:411 - Reading password from
existing file
21:21:23,950 INFO [main] Configuration:422 - API SSL Authentication is
turned on.
21:21:23,950 INFO [main] Configuration:427 - Reading password from
existing file
...
21:21:35,586 INFO [main] CertificateManager:69 - Initialization of root
certificate
21:21:35,587 INFO [main] CertificateManager:71 - Certificate exists:false
21:21:35,588 INFO [main] CertificateManager:138 - Generation of server
certificate
21:21:36,628 INFO [main] ShellCommandUtil:44 - Command openssl genrsa
-des3 -passout pass:**** -out /var/lib/ambari-server/keys/ca.k
ey 4096 was finished with exit code: 0 - the operation was completely
successfully.
21:21:36,653 INFO [main] ShellCommandUtil:44 - Command openssl req
-passin pass:**** -new -key /var/lib/ambari-server/keys/ca.key -o
ut /var/lib/ambari-server/keys/ca.csr -batch was finished with exit code:
0 - the operation was completely successfully.
21:21:36,706 INFO [main] ShellCommandUtil:44 - Command openssl ca
-create_serial -out /var/lib/ambari-server/keys/ca.crt -days 365 -keyfile
/var/lib/ambari-server/keys/ca.key -key **** -selfsign -extensions jdk7_ca
-config /var/lib/ambari-server/keys/ca.config -batch -infiles
/var/lib/ambari-server/keys/ca.csr was finished with exit code: 0 - the
operation was completely successfully.
21:21:36,728 INFO [main] ShellCommandUtil:44 - Command openssl pkcs12
-export -in /var/lib/ambari-server/keys/ca.crt -inkey
/var/lib/ambari-server/keys/ca.key -certfile
/var/lib/ambari-server/keys/ca.crt -out
/var/lib/ambari-server/keys/keystore.p12 -password pass:**** -passin
pass:****
was finished with exit code: 0 - the operation was completely
successfully.
21:21:37,048 INFO [main] Configuration:487 - Credential provider creation
failed. Reason: Master key initialization failed.
So, it manages to create all the key/cert/ca stuff, but then fails.
Any pointers are appreciated, but I'll keep digging tomorrow.
Greg
On 1/7/15 3:01 PM, "Greg Hill" <greg.h...@rackspace.com> wrote:
>During agent registration. They all fail to register because the ssl cert
>validation fails and it can't connect to the ambari server.
>
>I should note that we *are not* using bootstrapping. We preinstall the
>agents manually. Nothing has changed since it was working other than
>updating to the latest CentOS and Ambari updates (still Ambari 1.7.0,
>though, we're not using trunk or anything).
>
>Greg
>
>On 1/7/15 2:54 PM, "Erin Boyd" <eb...@redhat.com> wrote:
>
>>When do you get this error? During registration or some other time?
>>
>>Erin
>>
>>----- Original Message -----
>>From: "Greg Hill" <greg.h...@rackspace.com>
>>To: "Erin Boyd" <eb...@redhat.com>, user@ambari.apache.org
>>Sent: Wednesday, January 7, 2015 1:52:03 PM
>>Subject: Re: ssl changes recently?
>>
>>[root@ambari ~]# rpm -qa | grep openssl
>>openssl-1.0.1e-30.el6_6.4.x86_64
>>
>>
>>We apparently have an even newer version. Perhaps they broke something
>>else more recently? We just spun up this image yesterday with the latest
>>CentOS 6.5 stuff.
>>
>>Greg
>>
>>On 1/7/15 2:48 PM, "Erin Boyd" <eb...@redhat.com> wrote:
>>
>>>Hey Greg,
>>>On RHEL 6.5 we got a similar error during agent registration.
>>>Here is the workaround:
>>>http://hortonworks.com/community/forums/topic/ambari-agent-registration-
>>>f
>>>a
>>>ilure-on-rhel-6-5-due-to-openssl-2/
>>>
>>>Hope that helps,
>>>Erin
>>>
>>>
>>>----- Original Message -----
>>>From: "Greg Hill" <greg.h...@rackspace.com>
>>>To: user@ambari.apache.org
>>>Sent: Wednesday, January 7, 2015 1:44:40 PM
>>>Subject: ssl changes recently?
>>>
>>>I sent this to the wrong list earlier.
>>>
>>>I recently updated our Ambari 1.7.0 image and am now getting SSL errors
>>>from the agents:
>>>
>>>INFO 2015-01-07 16:59:02,116 NetUtil.py:48 - Connecting to
>>>https://ambari.local:8440/ca
>>>ERROR 2015-01-07 16:59:02,645 NetUtil.py:66 - [SSL:
>>>CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
>>>ERROR 2015-01-07 16:59:02,646 NetUtil.py:67 - SSLError: Failed to
>>>connect. Please check openssl library versions.
>>>Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more
>>>details.
>>>WARNING 2015-01-07 16:59:02,651 NetUtil.py:92 - Server at
>>>https://ambari.local:8440<https://ambari.local:8440/> is not reachable,
>>>sleeping for 10 secondsÅ
>>>
>>>We're just using the default SSL certs that Ambari creates for agent
>>>communication. This worked up until we made this new image, which pull
>>>in upstream CentOS system updates.
>>>
>>>Is it possible that some change in upstream has broken this for Ambari?
>>>Is there a workaround?
>>>
>>>I have noticed that the "server_crt" (/var/lib/ambari-agent/keys/ca.crt)
>>>does not exist on the hosts. Is this something I'm supposed to inject?
>>>We weren't before, but it was working just fine without it.
>>>
>>>Greg
>>>
>>
>
