We discovered a bug last night when our centos mirror updated openjdk and caused cluster builds to start failing. This is in Ambari 2.1.1 but I didn't see anything in github to indicate that this code has since changed. We tracked it down to the removal of the md5 algorithm from the list of supported algorithms in openjdk:
https://rhn.redhat.com/errata/RHSA-2016-0049.html The ambari-server log (in DEBUG mode): sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1896) ... 13 more Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135) at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219) at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292) at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347) I looked at the agent code to see how it generates the cert, and it doesn't appear to be using md5: https://github.com/apache/ambari/blob/trunk/ambari-agent/src/main/python/ambari_agent/security.py#L35 The openssl default *is* md5 but CentOS resets the default to sha256 in /etc/pki/tls/openssl.cnf: [ req ] default_bits = 2048 default_md = sha256 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert I'm not sure where to look next. I think this is an Ambari bug, but I'm not exactly sure how to fix it or if we can fix it via configuration somehow. Anyone know this stuff well and care to chime in? Or pull someone else in who does? Greg
