Hi,
I'm trying to get a cluster working with TLS enabled on EC2.
This is what I see in /var/log/cloudera-scm-agent/cloudera-scm-agent.log:
Traceback (most recent call last):
  File "/usr/lib/cmf/agent/src/cmf/agent.py", line 729, in send_heartbeat
    self.client_keypw_file)
  File "/usr/lib/cmf/agent/src/cmf/https.py", line 85, in __init__
    self.conn.connect()
  File "/usr/lib/cmf/agent/build/env/lib/python2.7/site-packages/M2Crypto-0.21.1-py2.7-linux-x86_64.egg/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib/cmf/agent/build/env/lib/python2.7/site-packages/M2Crypto-0.21.1-py2.7-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 188, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/lib/cmf/agent/build/env/lib/python2.7/site-packages/M2Crypto-0.21.1-py2.7-linux-x86_64.egg/M2Crypto/SSL/Checker.py", line 123, in __call__
    fieldName='commonName')
WrongHost: Peer certificate commonName does not match host, expected ip-<internal-ip>.ec2.internal, got <external-ip>.
Generating a certificate with an internal (= transient) IP does not make
any sense. The only solution I see is disabling the domain check.
It can be done by setting M2Crypto's
SSL.Connection.clientPostConnectionCheck variable to None.
My questions:
1. How can I set that variable without modifying the scm agent code?
2. If you managed to get your cluster working, how did you get around this
problem?
Thanks,
-Mike