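# Ambari Server startup failure: hands-on fix for `no valid keystore` (FreeIPA-issued certificate)
Requires ttr-release version >= 2.2.3
Ambari 3.0.0 + FreeIPA deployment and authentication setup, supporting Kylin, Ubuntu, Rocky and other systems. Environment for this article: Kylin V10 SP3 x86, Realm = TEST.COM
# 1. Symptoms and root-cause analysis
After the FreeIPA Client is installed, Ambari Server fails to start and the log shows the following exception: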
```text
avax.ws.rs.core.UriInfo,java.lang.String), should not consume any entity.
WARNING: A HTTP GET method, public javax.ws.rs.core.Response org.apache.ambari.server.api.services.users.UserService.getUsers(java.lang.String,javax.ws.rs.core.HttpHeaders,javax.ws.rs.core.UriInfo), should not consume any entity.
WARNING: A HTTP GET method, public javax.ws.rs.core.Response org.apache.ambari.server.api.services.views.ViewService.getView(java.lang.String,javax.ws.rs.core.HttpHeaders,javax.ws.rs.core.UriInfo,java.lang.String), should not consume any entity.
WARNING: A HTTP GET method, public javax.ws.rs.core.Response org.apache.ambari.server.api.services.views.ViewService.getViews(java.lang.String,javax.ws.rs.core.HttpHeaders,javax.ws.rs.core.UriInfo), should not consume any entity.
WARNING: A HTTP GET method, public javax.ws.rs.core.Response org.apache.ambari.server.api.services.views.ViewVersionService.getVersion(java.lang.String,javax.ws.rs.core.HttpHeaders,javax.ws.rs.core.UriInfo,java.lang.String,java.lang.String), should not consume any entity.
WARNING: A HTTP GET method, public javax.ws.rs.core.Response org.apache.ambari.server.api.services.views.ViewVersionService.getVersions(java.lang.String,javax.ws.rs.core.HttpHeaders,javax.ws.rs.core.UriInfo,java.lang.String), should not consume any entity.
2026-02-06 15:10:06,952 ERROR [main] o.a.a.server.controller.AmbariServer:1111 - Failed to run the Ambari Server
org.eclipse.jetty.util.MultiException: Multiple exceptions
at org.eclipse.jetty.util.MultiException.ifExceptionThrow(MultiException.java:124)
at org.eclipse.jetty.server.Server.doStart(Server.java:406)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.apache.ambari.server.controller.AmbariServer.run(AmbariServer.java:568)
at org.apache.ambari.server.controller.AmbariServer.main(AmbariServer.java:1105)
Suppressed: [CIRCULAR REFERENCE: java.lang.IllegalStateException: no valid keystore]
Suppressed: java.lang.IllegalStateException: no valid keystore
at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:50)
at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1089)
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:274)
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:241)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:94)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:282)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.server.Server.doStart(Server.java:395)
... 3 common frames omitted
Caused by: java.lang.IllegalStateException: no valid keystore
at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:50)
at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1089)
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:274)
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:241)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:94)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:282)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.server.Server.doStart(Server.java:395)
... 3 common frames omitted
2026-02-06 15:10:06,952 ERROR [main] o.a.a.server.controller.AmbariServer:1111 - Failed to run the Ambari Server
org.eclipse.jetty.util.MultiException: Multiple exceptions
at org.eclipse.jetty.util.MultiException.ifExceptionThrow(MultiException.java:124)
at org.eclipse.jetty.server.Server.doStart(Server.java:406)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.apache.ambari.server.controller.AmbariServer.run(AmbariServer.java:568)
at org.apache.ambari.server.controller.AmbariServer.main(AmbariServer.java:1105)
Suppressed: [CIRCULAR REFERENCE: java.lang.IllegalStateException: no valid keystore]
Suppressed: java.lang.IllegalStateException: no valid keystore
at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:50)
at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1089)
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:274)
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:241)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:94)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:282)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.server.Server.doStart(Server.java:395)
... 3 common frames omitted
Caused by: java.lang.IllegalStateException: no valid keystore
at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:50)
at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1089)
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:274)
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:241)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:94)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:282)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.server.Server.doStart(Server.java:395)
... 3 common frames omitted
2026-02-06 15:10:06,959 INFO [main] o.s.m.s.b.SimpleBrokerMessageHandler:117 - Stopping...
2026-02-06 15:10:06,959 INFO [main] o.s.m.s.b.SimpleBrokerMessageHandler:117 - BrokerAvailabilityEvent[available=false, SimpleBrokerMessageHandler [DefaultSubscriptionRegistry[cache[0 destination(s)], registry[0 sessions]]]]
2026-02-06 15:10:06,959 INFO [main] o.s.m.s.b.SimpleBrokerMessageHandler:117 - Stopped.
[root@dev1 ambari-server]#
```
Full stack trace:
```text
026-02-14 10:23:07,706 INFO [main] o.a.a.server.utils.ShellCommandUtil:64 - Command openssl genrsa -des3 -passout pass:**** -out /var/lib/ambari-server/keys/ca.key 4096 was finished with exit code: 0 - the operation was completely successfully.
2026-02-14 10:23:07,706 INFO [main] o.a.a.server.utils.ShellCommandUtil:64 - Command openssl genrsa -des3 -passout pass:**** -out /var/lib/ambari-server/keys/ca.key 4096 was finished with exit code: 0 - the operation was completely successfully.
2026-02-14 10:23:07,715 WARN [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl req -passin pass:**** -new -key /var/lib/ambari-server/keys/ca.key -out /var/lib/ambari-server/keys/ca.csr -batch was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,715 WARN [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl req -passin pass:**** -new -key /var/lib/ambari-server/keys/ca.key -out /var/lib/ambari-server/keys/ca.csr -batch was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,722 WARN [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl ca -create_serial -out /var/lib/ambari-server/keys/ca.crt -days 365 -keyfile /var/lib/ambari-server/keys/ca.key -key **** -selfsign -extensions jdk7_ca -config /var/lib/ambari-server/keys/ca.config -batch -infiles /var/lib/ambari-server/keys/ca.csr was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,722 WARN [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl ca -create_serial -out /var/lib/ambari-server/keys/ca.crt -days 365 -keyfile /var/lib/ambari-server/keys/ca.key -key **** -selfsign -extensions jdk7_ca -config /var/lib/ambari-server/keys/ca.config -batch -infiles /var/lib/ambari-server/keys/ca.csr was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,730 WARN [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl pkcs12 -export -in /var/lib/ambari-server/keys/ca.crt -inkey /var/lib/ambari-server/keys/ca.key -certfile /var/lib/ambari-server/keys/ca.crt -out /var/lib/ambari-server/keys/keystore.p12 -password pass:**** -passin pass:****
was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,730 WARN [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl pkcs12 -export -in /var/lib/ambari-server/keys/ca.crt -inkey /var/lib/ambari-server/keys/ca.key -certfile /var/lib/ambari-server/keys/ca.crt -out /var/lib/ambari-server/keys/keystore.p12 -password pass:**** -passin pass:****
was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,738 INFO [main] o.a.a.server.utils.ShellCommandUtil:64 - Command find /var/lib/ambari-server/keys -type f -exec chmod 700 {} + was finished with exit code: 0 - the operation was completely successfully.
2026-02-14 10:23:07,738 INFO [main] o.a.a.server.utils.ShellCommandUtil:64 - Command find /var/lib/ambari-server/keys -type f -exec chmod 700 {} + was finished with exit code: 0 - the operation was completely successfully.
2026-02-14 10:23:07,744 INFO [main] o.a.a.server.utils.ShellCommandUtil:64 - Command chmod 600 /var/lib/ambari-server/keys/pass.txt was finished with exit code: 0 - the operation was completely successfully.
2026-02-14 10:23:07,744 INFO [main] o.a.a.server.utils.ShellCommandUtil:64 - Command chmod 600 /var/lib/ambari-server/keys/pass.txt was finished with exit code: 0 - the operation was completely successfully.
2026-02-14 10:23:07,744 INFO [main] o.a.a.s.c.utilities.KerberosChecker:128 - Skipping Ambari Server Kerberos credentials check.
2026-02-14 10:23:07,744 INFO [main] o.a.a.s.c.utilities.KerberosChecker:128 - Skipping Ambari Server Kerberos credentials check.
2026-02-14 10:23:07,745 ERROR [main] o.a.a.s.s.e.MasterKeyServiceImpl:278 - Cannot read master key property {1} or master key file property {3} from environment
2026-02-14 10:23:07,745 ERROR [main] o.a.a.s.s.e.MasterKeyServiceImpl:278 - Cannot read master key property {1} or master key file property {3} from environment
2026-02-14 10:23:07,745 INFO [main] o.a.a.server.utils.PasswordUtils:176 - Credential provider creation failed
org.apache.ambari.server.AmbariException: Master key initialization failed.
at org.apache.ambari.server.security.encryption.CredentialProvider.<init>(CredentialProvider.java:54)
at org.apache.ambari.server.utils.PasswordUtils.loadCredentialProvider(PasswordUtils.java:174)
at org.apache.ambari.server.utils.PasswordUtils.readPasswordFromStore(PasswordUtils.java:149)
at org.apache.ambari.server.configuration.ComponentSSLConfiguration.getPassword(ComponentSSLConfiguration.java:121)
at org.apache.ambari.server.configuration.ComponentSSLConfiguration.init(ComponentSSLConfiguration.java:63)
at org.apache.ambari.server.controller.AmbariServer.main(AmbariServer.java:1104)
2026-02-14 10:23:07,745 INFO [main] o.a.a.server.utils.PasswordUtils:176 - Credential provider creation failed
org.apache.ambari.server.AmbariException: Master key initialization failed.
at org.apache.ambari.server.security.encryption.CredentialProvider.<init>(CredentialProvider.java:54)
at org.apache.ambari.server.utils.PasswordUtils.loadCredentialProvider(PasswordUtils.java:174)
at org.apache.ambari.server.utils.PasswordUtils.readPasswordFromStore(PasswordUtils.java:149)
at org.apache.ambari.server.configuration.ComponentSSLConfiguration.getPassword(ComponentSSLConfiguration.java:121)
at org.apache.ambari.server.configuration.ComponentSSLConfiguration.init(ComponentSSLConfiguration.java:63)
at org.apache.ambari.server.controller.AmbariServer.main(AmbariServer.java:1104)
```
# 1.1 openssl errors that appear at the same time
The log also shows:
```text
openssl req ... exit code: 1 - an error occurred parsing the command options.
openssl ca ... exit code: 1 - an error occurred parsing the command options.
openssl pkcs12 ... exit code: 1 - an error occurred parsing the command options.
```
as well as:
```text
Master key initialization failed.
Cannot read master key property from environment
```
This means:
- Ambari's default self-signed certificate flow failed
- keystore.p12 was not generated, or is invalid
- Jetty cannot load the SSL context
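
The reading above (a failed openssl step means the file it should have written never exists) can be checked mechanically. The following is an added example, not code from the original page or from Ambari: it scans `ShellCommandUtil` lines, including entries wrapped across two lines, and lists each failed openssl step with its `-out` target. The function names are assumptions; the sample lines are copied from the log above.

```shell
#!/usr/bin/env bash
# Added example: triage of the openssl steps Ambari runs at startup.

# triage_ambari_ssl [LOGFILE]: print "<openssl subcommand> <-out target>" for
# every openssl step with a non-zero exit code. Duplicate entries collapse.
triage_ambari_ssl() {
  awk '
    # An entry whose "was finished with exit code" part wrapped to the next line.
    /ShellCommandUtil/ && !/was finished with exit code/ { held = $0; next }
    held != "" { $0 = held " " $0; held = "" }
    /ShellCommandUtil.* Command openssl .*exit code: [0-9]+/ {
      code = $0; sub(/.*exit code: /, "", code); sub(/[^0-9].*/, "", code)
      cmd = $0;  sub(/.* Command openssl /, "", cmd); sub(/ .*/, "", cmd)
      out = "-"
      n = split($0, w, " ")
      for (i = 1; i < n; i++) if (w[i] == "-out") out = w[i + 1]
      key = cmd SUBSEP out
      if (code + 0 != 0 && !(key in seen)) { seen[key] = 1; print cmd, out }
    }' "$@"
}

# sample_log: lines taken from the startup log shown earlier on this page.
sample_log() {
  cat <<'EOF'
2026-02-14 10:23:07,706 INFO [main] o.a.a.server.utils.ShellCommandUtil:64 - Command openssl genrsa -des3 -passout pass:**** -out /var/lib/ambari-server/keys/ca.key 4096 was finished with exit code: 0 - the operation was completely successfully.
2026-02-14 10:23:07,715 WARN [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl req -passin pass:**** -new -key /var/lib/ambari-server/keys/ca.key -out /var/lib/ambari-server/keys/ca.csr -batch was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,715 WARN [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl req -passin pass:**** -new -key /var/lib/ambari-server/keys/ca.key -out /var/lib/ambari-server/keys/ca.csr -batch was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,722 WARN [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl ca -create_serial -out /var/lib/ambari-server/keys/ca.crt -days 365 -keyfile /var/lib/ambari-server/keys/ca.key -key **** -selfsign -extensions jdk7_ca -config /var/lib/ambari-server/keys/ca.config -batch -infiles /var/lib/ambari-server/keys/ca.csr was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,730 WARN [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl pkcs12 -export -in /var/lib/ambari-server/keys/ca.crt -inkey /var/lib/ambari-server/keys/ca.key -certfile /var/lib/ambari-server/keys/ca.crt -out /var/lib/ambari-server/keys/keystore.p12 -password pass:**** -passin pass:****
was finished with exit code: 1 - an error occurred parsing the command options.
EOF
}

sample_log | triage_ambari_ssl
```

A `pkcs12` line in the output naming `keystore.p12` is the direct precursor of Jetty's `no valid keystore`.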
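# 1.2 Summary of the underlying problem
| Symptom | Root cause |
|---|---|
| no valid keystore | keystore.p12 is missing or corrupted |
| Master key failed | The default SSL generation flow failed |
| Jetty fails to start | HTTPS connector initialization failed |
Note
Ambari's HTTPS startup depends on keystore.p12; if that file is abnormal, the server cannot start.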
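# 2. Fix approach: have FreeIPA issue the HTTPS certificate
Since this environment has already joined the FreeIPA realm, the recommended approach is to go directly through these steps:
- Generate a CSR
- Have FreeIPA issue the certificate for `HTTP/dev1.test.com@TEST.COM`
- Concatenate the fullchain
- Generate keystore.p12
- Replace the files in the Ambari keys directory
- Restart the service
The overall flow is:
```text
CSR → IPA issuance → fullchain → PKCS12 → replace → restart
```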
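
The flow above, written out as an added example (not the original page's steps and not Ambari or FreeIPA code). A throwaway local CA replaces the FreeIPA issuance step so the script runs offline, and `check_keystore` tests for the condition behind `no valid keystore`; all function names, file names and the password are assumptions.

```shell
#!/usr/bin/env bash
# Added example: CSR -> issued cert -> fullchain -> PKCS12, then a keystore check.

# make_chain DIR: constructed test material. A throwaway local CA stands in
# for FreeIPA here (assumption), so the flow can be exercised offline.
make_chain() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=TEST.COM/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=TEST.COM/CN=dev1.test.com" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
}

# build_keystore KEY CERT CA_CERT OUT_P12 PASS_FILE
build_keystore() {
  local key="$1" cert="$2" ca="$3" out="$4" pass="$5" kpub cpub
  # Refuse to package a key that does not belong to the issued certificate.
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  [ "$kpub" = "$cpub" ] || { echo "key does not match certificate" >&2; return 1; }
  # The certificate must chain to the issuing CA before it goes into the store.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "certificate does not chain to CA" >&2; return 1; }
  cat "$cert" "$ca" > "${out%.p12}.fullchain.pem"   # leaf first, then issuer
  openssl pkcs12 -export -inkey "$key" -in "${out%.p12}.fullchain.pem" \
    -name ambari -out "$out" -passout "file:$pass" || return 1
  chmod 600 "$out"
}

# check_keystore P12 PASS_FILE: fails on a missing, corrupt or wrongly
# protected store and on an expired certificate; prints the leaf subject.
check_keystore() {
  local p12="$1" pass="$2" leaf
  [ -s "$p12" ] || { echo "missing or empty: $p12" >&2; return 1; }
  leaf=$(openssl pkcs12 -in "$p12" -passin "file:$pass" -nokeys -clcerts 2>/dev/null) ||
    { echo "cannot open $p12 (corrupt file or wrong password)" >&2; return 1; }
  printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null ||
    { echo "certificate in $p12 has expired" >&2; return 1; }
  printf '%s\n' "$leaf" | openssl x509 -noout -subject
}

# Demo on constructed input in a temporary directory.
d=$(mktemp -d) && printf 'constructed-pass\n' > "$d/pass.txt" && make_chain "$d" &&
  build_keystore "$d/server.key" "$d/server.crt" "$d/ca.crt" "$d/keystore.p12" "$d/pass.txt" &&
  check_keystore "$d/keystore.p12" "$d/pass.txt"
rm -rf "$d"
```

On the real host the certificate and CA file come from FreeIPA rather than `make_chain`, and `check_keystore` can be pointed at `/var/lib/ambari-server/keys/keystore.p12` with its password file before the restart.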
# 3. Hands-on fix steps
# 4. Restart and verification
Restart Ambari:
```bash
ambari-server restart
```
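[Screenshot: example of a successful start]

# 4.1 Final verification checks

Note
The left side shows the directory structure without IPA; the right side shows the directory structure with IPA.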