Certificate verification issues with Ambari plugin on recent CentOS/RHEL (>=7.4)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Sahara | Triaged | Undecided | Unassigned | |
Bug Description
The default SSL certificate, which is generated when the Ambari server is installed, is invalid.
I'm not sure whether the certificate is bundled with the rpm, or generated through the rpm scriptlets, or by sahara, but anyway there are two solutions (see the article above):
- quick solution (which I tested): disable the verification of the CA for python applications, as it was until RHEL/CentOS 7.3. This requires a minimal change, easy to implement during the build, and while not the best security-wise, it's still not worse than before.
- long term solution: remove the existing certificate, so that it's properly generated when the server starts
My suggestions: we should probably go at least for the quick solution with both generators (sahara-image-pack and sahara-
Going forward, if we manage to fix the certificate, I think that it can be considered as a security improvement and be backported to older branches.
Changed in sahara:
status: New → Triaged
Reviewed: https://review.openstack.org/543471
Committed: https://git.openstack.org/cgit/openstack/sahara-image-elements/commit/?id=6229ee0de96f7e6846815335bc198c1f24897d95
Submitter: Zuul
Branch: master
commit 6229ee0de96f7e6846815335bc198c1f24897d95
Author: Telles Nobrega <email address hidden>
Date: Mon Feb 12 11:14:15 2018 -0300
Disables CA checking for Ambari on Centos/RHEL
The default SSL certificate, which is generated when the Ambari server is
installed, is invalid.
We are disabling check for now.
Change-Id: Ifcbc931e2ca23cb1fe221d509f57750e7e060aea
Partial-bug: #1748507
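
An added example, not part of the bug report or of the sahara-image-elements change: a check for built images that reports whether the quick workaround from the bug description (CA verification off for Python applications) is in effect. It assumes the RHEL/CentOS 7 mechanism of `/etc/python/cert-verification.cfg` plus the `PYTHONHTTPSVERIFY` variable, with the lookup order recommended in PEP 493; the page does not say which mechanism the commit uses, and the sample file contents are constructed.

```python
import configparser
import os

# Assumption: path used by the RHEL/CentOS 7 Python 2.7 packages (PEP 493 backport).
CERT_VERIFICATION_CFG = "/etc/python/cert-verification.cfg"
ENV_VAR = "PYTHONHTTPSVERIFY"

# Constructed sample contents, not taken from a real image.
SAMPLE_DEFAULT = "[https]\nverify=platform_default\n"
SAMPLE_WORKAROUND = "[https]\nverify=disable\n"


def effective_https_verify(cfg_text, environ, platform_default="enable"):
    """Return (mode, source) for Python's default HTTPS verification.

    Lookup order follows PEP 493: the environment variable wins, then the
    [https] verify= setting, then the platform default. Pass
    platform_default="disable" to model RHEL/CentOS releases before 7.4.
    """
    env_value = environ.get(ENV_VAR)
    if env_value is not None:
        return ("disable" if env_value == "0" else "enable", "environment")
    parser = configparser.RawConfigParser()
    try:
        parser.read_string(cfg_text)
        mode = parser.get("https", "verify").strip().lower()
    except configparser.Error:  # missing section/option or unparsable file
        return (platform_default, "platform default")
    if mode in ("enable", "disable"):
        return (mode, "config file")
    return (platform_default, "platform default")


def audit(cfg_text, environ):
    """One-line finding suitable for an image build or compliance log."""
    mode, source = effective_https_verify(cfg_text, environ)
    if mode == "disable":
        return "FINDING: HTTPS certificate verification disabled via " + source
    return "OK: HTTPS certificate verification enabled via " + source


if __name__ == "__main__":
    try:
        with open(CERT_VERIFICATION_CFG) as fh:
            text = fh.read()
    except OSError:
        text = ""  # file absent: the platform default applies
    print(audit(text, os.environ))
```

Running this in an image build gives a visible record of the workaround, so it can be removed once the Ambari certificate is regenerated properly.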