Certificate verification issues with Ambari plugin on recent CentOS/RHEL (>=7.4)

Bug #1748507 reported by Luigi Toscano
Affects: Sahara
Status: Triaged
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

The default SSL certificate, which is generated when the Ambari server is installed, is invalid.

https://community.hortonworks.com/questions/120861/ambari-agent-ssl-certificate-verify-failed-certifi.html?childToView=118105#answer-118105

I'm not sure whether the certificate is bundled with the rpm, or generated through the rpm scriptlets, or by sahara, but anyway there are two solutions (see the article above):

 - quick solution (which I tested): disable the verification of the CA for python applications, as it was until RHEL/CentOS 7.3. This requires a minimal change, easy to implement during the build, and while not the best security-wise, it's still not worse than before.

 - long term solution: remove the existing certificate, so that it's properly generated when the server starts

My suggestions: we should probably go at least for the quick solution with both generators (sahara-image-pack and sahara-image-elements) and backport when relevant (otherwise Ambari is broken on current CentOS/RHEL). This means backporting the fixes to both plugins on Queens, and the fix for sahara-image-elements on Pike and Ocata.

Going forward, if we manage to fix the certificate, I think that it can be considered as a security improvement and be backported to older branches.
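
An audit check for the quick solution described in the report, added here as an example (it is not code from the Sahara patches): it reports images whose Python HTTPS clients skip CA verification by default. It assumes the switch is the PEP 493 file `/etc/python/cert-verification.cfg`, which the page does not name; the function names and sample file contents are constructed.

```python
import configparser

# Assumption: the system-wide switch is the PEP 493 file used by the
# RHEL/CentOS 7 Python; the bug report itself does not name the file.
CFG_PATH = "/etc/python/cert-verification.cfg"
VALID = ("enable", "disable", "platform_default")


def configured_mode(cfg_text):
    """Return the [https] verify value, or 'platform_default' if unset/invalid."""
    parser = configparser.RawConfigParser()
    try:
        parser.read_string(cfg_text)
        mode = parser.get("https", "verify")
    except configparser.Error:  # missing section/option or unparsable file
        return "platform_default"
    return mode if mode in VALID else "platform_default"


def verification_enabled(cfg_text, release):
    """True if Python HTTPS clients verify certificates by default.

    release is (major, minor), e.g. (7, 4). Per the bug report, the platform
    default was "no verification" up to 7.3 and "verify" from 7.4 on.
    """
    mode = configured_mode(cfg_text)
    if mode == "platform_default":
        return tuple(release) >= (7, 4)
    return mode == "enable"


def audit(cfg_text, release):
    """Return a finding string if CA checks are off by default, else None."""
    if verification_enabled(cfg_text, release):
        return None
    return "CA verification off (verify=%s in %s, release %d.%d)" % (
        configured_mode(cfg_text), CFG_PATH, release[0], release[1])


# Constructed file contents, not copied from a real image.
STOCK = "[https]\nverify=platform_default\n"
WORKAROUND = "# set during image build\n[https]\nverify=disable\n"

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("workaround", WORKAROUND)):
        print(name, audit(text, (7, 4)) or "verification enabled")
```

Running the check against built images makes it easy to track which ones still carry the workaround once the certificate itself is fixed.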

Changed in sahara:
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix merged to sahara-image-elements (master)

Reviewed: https://review.openstack.org/543471
Committed: https://git.openstack.org/cgit/openstack/sahara-image-elements/commit/?id=6229ee0de96f7e6846815335bc198c1f24897d95
Submitter: Zuul
Branch: master

commit 6229ee0de96f7e6846815335bc198c1f24897d95
Author: Telles Nobrega <email address hidden>
Date: Mon Feb 12 11:14:15 2018 -0300

    Disables CA checking for Ambari on Centos/RHEL

    The default SSL certificate, which is generated when the Ambari server is
    installed, is invalid.

    We are disabling check for now.

    Change-Id: Ifcbc931e2ca23cb1fe221d509f57750e7e060aea
    Partial-bug: #1748507

OpenStack Infra (hudson-openstack) wrote : Fix merged to sahara (master)

Reviewed: https://review.openstack.org/529442
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=e97e0abb2b15da0e0f7400c26ad75cb10afe319b
Submitter: Zuul
Branch: master

commit e97e0abb2b15da0e0f7400c26ad75cb10afe319b
Author: Telles Nobrega <email address hidden>
Date: Wed Dec 20 21:47:46 2017 -0300

    Adding Ambari 2.4.2.0 to image gen

    We missed ambari 2.4.2.0 on ambari image gen

    Also we are disabling CA checking for Centos/RHEL because the default SSL
    certificate, which is generated when the Ambari server is installed, is
    invalid.

    Partial-bug: #1748507
    Change-Id: I272dbab4458c902af404a6365a8a43d56e4ed94e

OpenStack Infra (hudson-openstack) wrote : Fix proposed to sahara-image-elements (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/544622

OpenStack Infra (hudson-openstack) wrote : Fix proposed to sahara (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/544625

OpenStack Infra (hudson-openstack) wrote : Fix merged to sahara-image-elements (stable/queens)

Reviewed: https://review.openstack.org/544622
Committed: https://git.openstack.org/cgit/openstack/sahara-image-elements/commit/?id=5a8a042c4a3779221850e1f42271091d515f00b7
Submitter: Zuul
Branch: stable/queens

commit 5a8a042c4a3779221850e1f42271091d515f00b7
Author: Telles Nobrega <email address hidden>
Date: Mon Feb 12 11:14:15 2018 -0300

    Disables CA checking for Ambari on Centos/RHEL

    The default SSL certificate, which is generated when the Ambari server is
    installed, is invalid.

    We are disabling check for now.

    Change-Id: Ifcbc931e2ca23cb1fe221d509f57750e7e060aea
    Partial-bug: #1748507
    (cherry picked from commit 6229ee0de96f7e6846815335bc198c1f24897d95)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix merged to sahara (stable/queens)

Reviewed: https://review.openstack.org/544625
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=2729aeea218a33f25b369619bfc6dc42be265b59
Submitter: Zuul
Branch: stable/queens

commit 2729aeea218a33f25b369619bfc6dc42be265b59
Author: Telles Nobrega <email address hidden>
Date: Wed Dec 20 21:47:46 2017 -0300

    Adding Ambari 2.4.2.0 to image gen

    We missed ambari 2.4.2.0 on ambari image gen

    Also we are disabling CA checking for Centos/RHEL because the default SSL
    certificate, which is generated when the Ambari server is installed, is
    invalid.

    Partial-bug: #1748507
    Change-Id: I272dbab4458c902af404a6365a8a43d56e4ed94e
    (cherry picked from commit e97e0abb2b15da0e0f7400c26ad75cb10afe319b)
