Hi,

I'm trying to get a cluster working with TLS enabled on EC2.

This is what I see in /var/log/cloudera-scm-agent/cloudera-scm-agent.log:

Traceback (most recent call last):
  File "/usr/lib/cmf/agent/src/cmf/agent.py", line 729, in send_heartbeat
    self.client_keypw_file)
  File "/usr/lib/cmf/agent/src/cmf/https.py", line 85, in __init__
    self.conn.connect()
  File "/usr/lib/cmf/agent/build/env/lib/python2.7/site-packages/M2Crypto-0.21.1-py2.7-linux-x86_64.egg/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib/cmf/agent/build/env/lib/python2.7/site-packages/M2Crypto-0.21.1-py2.7-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 188, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/lib/cmf/agent/build/env/lib/python2.7/site-packages/M2Crypto-0.21.1-py2.7-linux-x86_64.egg/M2Crypto/SSL/Checker.py", line 123, in __call__
    fieldName='commonName')
WrongHost: Peer certificate commonName does not match host, expected ip-<internal-ip>.ec2.internal, got <external-ip>.

Generating a certificate with an internal (= transient) IP does not make
any sense. The only solution I see is disabling the domain check.

It can be done by setting M2Crypto's
SSL.Connection.clientPostConnectionCheck variable to None.

My questions:

1. How do I set that variable without modifying the scm agent code?

2. If you managed to get your cluster working, how did you get around this
problem?

Thanks,

-Mike


  • Mike Ivanov at Jun 8, 2013 at 5:31 am
    Answering my own question:

    I have just remembered that external domain names in EC2 resolve to local
    IPs, no matter what. Thus, setting
    server_host=<manager-ec2-external-domain-name> in the [general] section
    of /etc/cloudera-scm-agent/config.ini (on all worker nodes) solved the
    problem.
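
A pre-flight check for the fix described above, as an added example (not code from the post or from Cloudera Manager): it reads server_host from the [general] section of the agent's config.ini and tests whether the manager certificate covers that name, so the hostname check can stay enabled. The host names, sample config and certificate dict are constructed, and the matching rule (DNS subjectAltName entries first, then commonName) is the common convention, assumed here rather than taken from M2Crypto's checker.

```python
import configparser

# Constructed sample of /etc/cloudera-scm-agent/config.ini; the host name is a placeholder.
SAMPLE_CONFIG = """
[general]
server_host=manager.example.com
"""

# Constructed certificate data, shaped like the dict returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "manager.example.com"),),),
    "subjectAltName": (("DNS", "manager.example.com"),),
}

def cert_names(cert):
    """DNS subjectAltName entries, or the commonName when there are none (assumed rule)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        # Wildcard covers exactly one label; compare the remaining labels literally.
        p, h = p[1:], h[1:]
    return p == h

def check_agent_config(config_text, cert):
    """Return (server_host, ok): does the certificate cover the configured name?"""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    host = parser.get("general", "server_host").strip()
    return host, any(name_matches(n, host) for n in cert_names(cert))

if __name__ == "__main__":
    host, ok = check_agent_config(SAMPLE_CONFIG, SAMPLE_CERT)
    print(f"server_host={host}: {'certificate matches' if ok else 'WrongHost expected'}")
```
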


Discussion Overview
group: scm-users @
categories: hadoop
posted: Jun 8, '13 at 4:52a
active: Jun 8, '13 at 5:31a
posts: 2
users: 1
website: cloudera.com
irc: #hadoop
