When attempting to register Ambari Agents during initial cluster creation, or if hosts fail to appear as online in Ambari following an update, you may see the following error in Ambari's UI, or in the ambari-agent logs:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
This is due to a defect in newer releases of Python 2.7.5 which causes certificate validation to fail regardless of certificate status. This is outlined further @ https://community.hortonworks.com/questions/120861/ambari-agent-ssl-certificate-verify-failed-certifi.html.
As a workaround, we strongly recommend that Python not be updated to a version newer than python-2.7.5-48.el*.x86_64 (or downgraded to that version, if newer).
You can verify your release through python -V or python -c 'import sys; print(sys.version)' or yum list installed |grep python. You'll want to confirm that the major version is 2.7.5, the build is from Feb 2017 or older, and the full release is 2.7.5-48 or older.
Alternatively, you can disable certificate verification in Python if you wish to remain on a newer version:
sudo sed -i 's/^verify.*/verify=disable/' /etc/python/cert-verification.cfg