Ambari has SSL enabled. According to the logs, requests to the following two URLs fail:
https://c2bde03:50470/jmx
https://c2bde03:50470/jmx?get=Hadoop:service=NameNode,name=FSNamesystem::tag.HAState
However, the same endpoint can be reached with the following command:
curl https://c2bde03:50470/jmx --cacert /etc/security/ca-cert
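This usually happens with self-signed certificates. The error means that the authority that issued the certificate is not trusted and cannot be recognized.
The fix is to append the contents of cacert.pem, the public-key certificate file of the private CA that issued the certificate (the one I generated is named ca-cert), to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Fix (append the certificate):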
cd /etc/pki/ca-trust/extracted/pem/
cp tls-ca-bundle.pem tls-ca-bundle.pem.bak (back up first)
cat /etc/security/ca-cert >> tls-ca-bundle.pem
curl https://c2bde03:50470/jmx (access now works)
Also note that the DN of the CA I created is: /C=cn/ST=changsha/L=hunan/O=chinacreator/OU=chinacreator/CN=AmbariCA
The DN presented by the node is: /C=cn/ST=changsha/L=hunan/O=chinacreator/OU=chinacreator/CN=c2bde02
That is, the CA DN and the certificate DN must be different; otherwise the following error is reported: PEER'S CERTIFICATE HAS AN INVALID SIGNATURE.
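
As an added example (not part of the original post), the script below is a pre-flight check that catches the DN collision described above before a node certificate is deployed, and also confirms that the certificate chains to the private CA. The function names and the throwaway keys and certificates it generates are assumptions made for the illustration; only the DNs come from this page.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for a node certificate against its private CA.
# Every key and certificate here is constructed test data in a temp directory.

# dn PEM subject|issuer: print that DN in one canonical (RFC 2253) form.
dn() { openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed 's/^[a-z]*= *//'; }

# check_node_cert CA_PEM NODE_PEM
# returns 0 = ok, 1 = node DN equals CA DN, 2 = not issued by this CA, 3 = chain fails
check_node_cert() {
    [ "$(dn "$2" subject)" != "$(dn "$1" subject)" ] || return 1
    [ "$(dn "$2" issuer)" = "$(dn "$1" subject)" ] || return 2
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 3
}

BASE_DN="/C=cn/ST=changsha/L=hunan/O=chinacreator/OU=chinacreator"  # DN prefix from the page

# make_ca DIR: self-signed CA named AmbariCA, as on the page.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$BASE_DN/CN=AmbariCA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# make_node DIR NAME CN: key, CSR and certificate NAME.pem signed by DIR/ca.pem.
make_node() {
    openssl req -newkey rsa:2048 -nodes -subj "$BASE_DN/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

# report CA_PEM NODE_PEM LABEL: run the check without tripping `set -e`.
report() {
    rc=0; check_node_cert "$1" "$2" || rc=$?
    echo "$3: check_node_cert returned $rc"
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" && make_node "$d" good c2bde02 && make_node "$d" clash AmbariCA || return 1
    report "$d/ca.pem" "$d/good.pem"  "node DN differs from CA DN"
    report "$d/ca.pem" "$d/clash.pem" "node DN equals CA DN"
    rm -rf "$d"
}

demo
```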