Follow

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Issue:

When attempting to register Ambari Agents during initial cluster creation, or if hosts fail to appear as online in Ambari following an update, you may see the following error in Ambari's UI, or in the ambari-agent logs:

  • [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Cause:

This is due to a defect in newer releases of Python 2.7.5 (build 58 or greater) which causes certificate validation to fail regardless of certificate status. This is outlined further in the following link:

Additionally, this can be caused by updating to a newer release of JDK above 1.8.0_131 where TLS v1 has been disabled. Note that this is not applicable if using Ambari 2.5.x or higher, as this is already the default.

Resolution Steps:

NOTE: We strongly recommend that Python is NOT updated to a version newer than python-2.7.5-48.el*.x86_64. If it is newer, downgrade if possible.

  1. To verify the version of python that is currently installed, SSH to all nodes in the Interset Cluster as a user with sudo permissions, and please execute the following command:
    • sudo yum list installed |grep python.x86_64
  2. The output from the command above will be similar to the following:
    • audit-libs-python.x86_64 2.7.6-3.el7 installed
    • dbus-python.x86_64 1.1.1-9.el7 installed
    • libselinux-python.x86_64 2.5-11.el7 installed
    • libsemanage-python.x86_64 2.5-8.el7 installed
    • libxml2-python.x86_64 2.9.1-6.el7_2.3 installed
    • newt-python.x86_64 0.52.15-4.el7 installed
    • policycoreutils-python.x86_64 2.5-17.1.el7 installed
    • python.x86_64 2.7.5-58.el7 installed
    • rpm-python.x86_64 4.11.3-25.el7 installed
  3. Look for the following line:
    • python.x86_64 2.7.5-XX.elY
      • NOTE:
        • XX denotes the build version of Python 2.7.5. If build 58 or greater, please continue with the steps below. If build 57 or less, there are no changes required. 
        • Y denotes the Linux version
  4. If the Python version listed is 2.7.5-58 or greater, please execute the following command to disable Python certificate validation:
    • sudo sed -i 's/^verify.*/verify=disable/' /etc/python/cert-verification.cfg

In the event that this is caused by a newer Java release, rather than Python, the following line needs to be added to /etc/ambari-agent/conf/ambari-agent.ini on all nodes in the [security] section of the file:

force_https_protocol=PROTOCOL_TLSv1_2

Applies To

  • Interset 5.4.x or higher
  • Python 2.7.5-58 or higher
  • JDK 1.8.0_132 or higher

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments