JaneTTR
2026-02-14

# Fixing "Ambari Server startup failure: no valid keystore" in practice (certificate issued by FreeIPA)

Requires ttr-release version >= 2.2.3

Ambari 3.0.0 + FreeIPA deployment and authentication setup, supporting Kylin, Ubuntu, Rocky and other systems. Environment for this article: Kylin V10 SP3 x86, Realm = TEST.COM

## 1. Symptoms and root cause analysis

After installing the FreeIPA client, Ambari Server fails to start and the log shows the following exception:

```text
avax.ws.rs.core.UriInfo,java.lang.String), should not consume any entity.
WARNING: A HTTP GET method, public javax.ws.rs.core.Response org.apache.ambari.server.api.services.users.UserService.getUsers(java.lang.String,javax.ws.rs.core.HttpHeaders,javax.ws.rs.core.UriInfo), should not consume any entity.
WARNING: A HTTP GET method, public javax.ws.rs.core.Response org.apache.ambari.server.api.services.views.ViewService.getView(java.lang.String,javax.ws.rs.core.HttpHeaders,javax.ws.rs.core.UriInfo,java.lang.String), should not consume any entity.
WARNING: A HTTP GET method, public javax.ws.rs.core.Response org.apache.ambari.server.api.services.views.ViewService.getViews(java.lang.String,javax.ws.rs.core.HttpHeaders,javax.ws.rs.core.UriInfo), should not consume any entity.
WARNING: A HTTP GET method, public javax.ws.rs.core.Response org.apache.ambari.server.api.services.views.ViewVersionService.getVersion(java.lang.String,javax.ws.rs.core.HttpHeaders,javax.ws.rs.core.UriInfo,java.lang.String,java.lang.String), should not consume any entity.
WARNING: A HTTP GET method, public javax.ws.rs.core.Response org.apache.ambari.server.api.services.views.ViewVersionService.getVersions(java.lang.String,javax.ws.rs.core.HttpHeaders,javax.ws.rs.core.UriInfo,java.lang.String), should not consume any entity.

2026-02-06 15:10:06,952 ERROR [main] o.a.a.server.controller.AmbariServer:1111 - Failed to run the Ambari Server
org.eclipse.jetty.util.MultiException: Multiple exceptions
        at org.eclipse.jetty.util.MultiException.ifExceptionThrow(MultiException.java:124)
        at org.eclipse.jetty.server.Server.doStart(Server.java:406)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.apache.ambari.server.controller.AmbariServer.run(AmbariServer.java:568)
        at org.apache.ambari.server.controller.AmbariServer.main(AmbariServer.java:1105)
        Suppressed: [CIRCULAR REFERENCE: java.lang.IllegalStateException: no valid keystore]
        Suppressed: java.lang.IllegalStateException: no valid keystore
                at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:50)
                at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1089)
                at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:274)
                at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:241)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
                at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:94)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
                at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:282)
                at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
                at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
                at org.eclipse.jetty.server.Server.doStart(Server.java:395)
                ... 3 common frames omitted
Caused by: java.lang.IllegalStateException: no valid keystore
        at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:50)
        at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1089)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:274)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:241)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:94)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:282)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.server.Server.doStart(Server.java:395)
        ... 3 common frames omitted
2026-02-06 15:10:06,952 ERROR [main] o.a.a.server.controller.AmbariServer:1111 - Failed to run the Ambari Server
org.eclipse.jetty.util.MultiException: Multiple exceptions
        at org.eclipse.jetty.util.MultiException.ifExceptionThrow(MultiException.java:124)
        at org.eclipse.jetty.server.Server.doStart(Server.java:406)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.apache.ambari.server.controller.AmbariServer.run(AmbariServer.java:568)
        at org.apache.ambari.server.controller.AmbariServer.main(AmbariServer.java:1105)
        Suppressed: [CIRCULAR REFERENCE: java.lang.IllegalStateException: no valid keystore]
        Suppressed: java.lang.IllegalStateException: no valid keystore
                at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:50)
                at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1089)
                at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:274)
                at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:241)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
                at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:94)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
                at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
                at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:282)
                at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
                at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
                at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
                at org.eclipse.jetty.server.Server.doStart(Server.java:395)
                ... 3 common frames omitted
Caused by: java.lang.IllegalStateException: no valid keystore
        at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:50)
        at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1089)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:274)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:241)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:94)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:282)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.server.Server.doStart(Server.java:395)
        ... 3 common frames omitted
2026-02-06 15:10:06,959 INFO  [main] o.s.m.s.b.SimpleBrokerMessageHandler:117 - Stopping...
2026-02-06 15:10:06,959 INFO  [main] o.s.m.s.b.SimpleBrokerMessageHandler:117 - BrokerAvailabilityEvent[available=false, SimpleBrokerMessageHandler [DefaultSubscriptionRegistry[cache[0 destination(s)], registry[0 sessions]]]]
2026-02-06 15:10:06,959 INFO  [main] o.s.m.s.b.SimpleBrokerMessageHandler:117 - Stopped.
[root@dev1 ambari-server]# 
```

Full stack trace:

```text
026-02-14 10:23:07,706 INFO  [main] o.a.a.server.utils.ShellCommandUtil:64 - Command openssl genrsa -des3 -passout pass:**** -out /var/lib/ambari-server/keys/ca.key 4096  was finished with exit code: 0 - the operation was completely successfully.
2026-02-14 10:23:07,706 INFO  [main] o.a.a.server.utils.ShellCommandUtil:64 - Command openssl genrsa -des3 -passout pass:**** -out /var/lib/ambari-server/keys/ca.key 4096  was finished with exit code: 0 - the operation was completely successfully.
2026-02-14 10:23:07,715 WARN  [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl req -passin pass:**** -new -key /var/lib/ambari-server/keys/ca.key -out /var/lib/ambari-server/keys/ca.csr -batch was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,715 WARN  [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl req -passin pass:**** -new -key /var/lib/ambari-server/keys/ca.key -out /var/lib/ambari-server/keys/ca.csr -batch was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,722 WARN  [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl ca -create_serial -out /var/lib/ambari-server/keys/ca.crt -days 365 -keyfile /var/lib/ambari-server/keys/ca.key -key **** -selfsign -extensions jdk7_ca -config /var/lib/ambari-server/keys/ca.config -batch -infiles /var/lib/ambari-server/keys/ca.csr was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,722 WARN  [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl ca -create_serial -out /var/lib/ambari-server/keys/ca.crt -days 365 -keyfile /var/lib/ambari-server/keys/ca.key -key **** -selfsign -extensions jdk7_ca -config /var/lib/ambari-server/keys/ca.config -batch -infiles /var/lib/ambari-server/keys/ca.csr was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,730 WARN  [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl pkcs12 -export -in /var/lib/ambari-server/keys/ca.crt -inkey /var/lib/ambari-server/keys/ca.key -certfile /var/lib/ambari-server/keys/ca.crt -out /var/lib/ambari-server/keys/keystore.p12 -password pass:**** -passin pass:**** 
 was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,730 WARN  [main] o.a.a.server.utils.ShellCommandUtil:66 - Command openssl pkcs12 -export -in /var/lib/ambari-server/keys/ca.crt -inkey /var/lib/ambari-server/keys/ca.key -certfile /var/lib/ambari-server/keys/ca.crt -out /var/lib/ambari-server/keys/keystore.p12 -password pass:**** -passin pass:**** 
 was finished with exit code: 1 - an error occurred parsing the command options.
2026-02-14 10:23:07,738 INFO  [main] o.a.a.server.utils.ShellCommandUtil:64 - Command find /var/lib/ambari-server/keys -type f -exec chmod 700 {} + was finished with exit code: 0 - the operation was completely successfully.
2026-02-14 10:23:07,738 INFO  [main] o.a.a.server.utils.ShellCommandUtil:64 - Command find /var/lib/ambari-server/keys -type f -exec chmod 700 {} + was finished with exit code: 0 - the operation was completely successfully.
2026-02-14 10:23:07,744 INFO  [main] o.a.a.server.utils.ShellCommandUtil:64 - Command chmod 600 /var/lib/ambari-server/keys/pass.txt was finished with exit code: 0 - the operation was completely successfully.
2026-02-14 10:23:07,744 INFO  [main] o.a.a.server.utils.ShellCommandUtil:64 - Command chmod 600 /var/lib/ambari-server/keys/pass.txt was finished with exit code: 0 - the operation was completely successfully.
2026-02-14 10:23:07,744 INFO  [main] o.a.a.s.c.utilities.KerberosChecker:128 - Skipping Ambari Server Kerberos credentials check.
2026-02-14 10:23:07,744 INFO  [main] o.a.a.s.c.utilities.KerberosChecker:128 - Skipping Ambari Server Kerberos credentials check.
2026-02-14 10:23:07,745 ERROR [main] o.a.a.s.s.e.MasterKeyServiceImpl:278 - Cannot read master key property {1} or master key file property {3} from environment
2026-02-14 10:23:07,745 ERROR [main] o.a.a.s.s.e.MasterKeyServiceImpl:278 - Cannot read master key property {1} or master key file property {3} from environment
2026-02-14 10:23:07,745 INFO  [main] o.a.a.server.utils.PasswordUtils:176 - Credential provider creation failed
org.apache.ambari.server.AmbariException: Master key initialization failed.
        at org.apache.ambari.server.security.encryption.CredentialProvider.<init>(CredentialProvider.java:54)
        at org.apache.ambari.server.utils.PasswordUtils.loadCredentialProvider(PasswordUtils.java:174)
        at org.apache.ambari.server.utils.PasswordUtils.readPasswordFromStore(PasswordUtils.java:149)
        at org.apache.ambari.server.configuration.ComponentSSLConfiguration.getPassword(ComponentSSLConfiguration.java:121)
        at org.apache.ambari.server.configuration.ComponentSSLConfiguration.init(ComponentSSLConfiguration.java:63)
        at org.apache.ambari.server.controller.AmbariServer.main(AmbariServer.java:1104)
2026-02-14 10:23:07,745 INFO  [main] o.a.a.server.utils.PasswordUtils:176 - Credential provider creation failed
org.apache.ambari.server.AmbariException: Master key initialization failed.
        at org.apache.ambari.server.security.encryption.CredentialProvider.<init>(CredentialProvider.java:54)
        at org.apache.ambari.server.utils.PasswordUtils.loadCredentialProvider(PasswordUtils.java:174)
        at org.apache.ambari.server.utils.PasswordUtils.readPasswordFromStore(PasswordUtils.java:149)
        at org.apache.ambari.server.configuration.ComponentSSLConfiguration.getPassword(ComponentSSLConfiguration.java:121)
        at org.apache.ambari.server.configuration.ComponentSSLConfiguration.init(ComponentSSLConfiguration.java:63)
        at org.apache.ambari.server.controller.AmbariServer.main(AmbariServer.java:1104)
```

Screenshot:

image-20260214102918509

### 1.1 Accompanying openssl errors

The log also shows:

```text
openssl req ... exit code: 1 - an error occurred parsing the command options.
openssl ca  ... exit code: 1 - an error occurred parsing the command options.
openssl pkcs12 ... exit code: 1 - an error occurred parsing the command options.
```

and:

```text
Master key initialization failed.
Cannot read master key property from environment
```

This indicates that:

- Ambari's default self-signed certificate generation failed
- keystore.p12 was not generated or is invalid
- Jetty cannot load the SSL context

### 1.2 Summary of the root cause

| Symptom | Root cause |
|---|---|
| no valid keystore | keystore.p12 does not exist or is corrupt |
| Master key failed | the default SSL generation flow failed |
| Jetty fails to start | HTTPS connector initialization failed |

**Caution**

Ambari's HTTPS startup depends on keystore.p12; once that file is broken, the server cannot start.

## 2. Fix approach: issue the HTTPS certificate centrally through FreeIPA

Since the environment has already joined the FreeIPA realm, the recommended approach is to:

  1. Generate a CSR
  2. Have FreeIPA issue a certificate for the principal HTTP/dev1.test.com@TEST.COM
  3. Build the fullchain
  4. Generate keystore.p12
  5. Replace the files in the Ambari keys directory
  6. Restart the service

The overall flow is:

```text
CSR → issued by IPA → fullchain → PKCS12 → replace → restart
```

## 3. Step-by-step fix

### 3.1 Generate the CSR

#### 3.1.1 Create the directories

```shell
install -d -m 0755 /etc/pki/tls/certs /etc/pki/tls/private
chmod 0700 /etc/pki/tls/private
```

#### 3.1.2 Write the CSR configuration

```shell
cat >/tmp/ambari-req.cnf <<'EOF'
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = dev1.test.com
O  = TEST.COM

[ req_ext ]
subjectAltName = @alt

[ alt ]
DNS.1 = dev1.test.com
EOF
```

#### 3.1.3 Generate the private key and CSR

```shell
openssl req -new -nodes -newkey rsa:2048 \
  -keyout /etc/pki/tls/private/ambari-server.key \
  -out /tmp/ambari-server.csr \
  -config /tmp/ambari-req.cnf
```

The result looks like this:

image-20260214103122130

### 3.2 Issue the certificate with FreeIPA

```shell
ipa cert-request /tmp/ambari-server.csr \
  --principal=HTTP/dev1.test.com@TEST.COM \
  --certificate-out=/etc/pki/tls/certs/ambari-server.crt
```

If you see:

```text
ipa: ERROR: cannot connect to 'https://ipa.test.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1091)
```

Screenshot:

image-20260214103255131

first run:

```shell
kinit admin
```

and then re-run the certificate request.

A successful issuance looks like this:

image-20260214110402143

### 3.3 Build the fullchain

```shell
cat /etc/pki/tls/certs/ambari-server.crt \
    /etc/ipa/ca.crt \
> /etc/pki/tls/certs/ambari-server-fullchain.crt

ls -l /etc/pki/tls/certs/ambari-server-fullchain.crt
```

Result:

image-20260214110730852

### 3.4 Generate keystore.p12

Read the password:

```shell
PASS="$(cat /var/lib/ambari-server/keys/pass.txt)"
```

Generate the PKCS12:

```shell
openssl pkcs12 -export \
  -in /etc/pki/tls/certs/ambari-server-fullchain.crt \
  -inkey /etc/pki/tls/private/ambari-server.key \
  -name ambari \
  -out /var/lib/ambari-server/keys/keystore.p12 \
  -passout pass:"$PASS"
```

Check the result:

image-20260214110816173

### 3.5 Supply ca.crt

```shell
cp -f /etc/ipa/ca.crt /var/lib/ambari-server/keys/ca.crt
chmod 0644 /var/lib/ambari-server/keys/ca.crt
```

Result:

image-20260214111021174

## 4. Restart and verify

Restart Ambari:

```shell
ambari-server restart
```

A successful start looks like this:

image-20260214111708269

### 4.1 Final verification

image-20260214132212732

**Note**

On the left is the directory structure without IPA; on the right, the structure with IPA.
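The screenshot above is checked by eye; as an added example that is not part of the original post, the script below turns that check into something repeatable for the keystore built in section 3: it confirms the PKCS12 opens with pass.txt, that the key and leaf certificate match, that the leaf chains to ca.crt, and that the SAN names the host. It assumes GNU coreutils and an OpenSSL 1.1.1 or newer CLI; the fixture CA, password and hostname it generates are constructed stand-ins for the IPA CA and the article's values.

```shell
#!/bin/sh
# Added example (not from the original post): post-fix sanity checks for the
# keystore built in section 3, plus a constructed fixture so it runs offline.
set -u

# verify_ambari_keystore P12 PASSFILE CAFILE HOSTNAME
# Prints one FAIL line per problem; returns 0 only when every check passes.
verify_ambari_keystore() {
  p12="$1"; passfile="$2"; cafile="$3"; host="$4"; rc=0
  tmp="$(mktemp -d)"
  # 1. pass.txt holds the keystore password; Ambari itself chmods it 600
  [ "$(stat -c %a "$passfile")" = "600" ] \
    || { echo "FAIL: $passfile should be mode 600"; rc=1; }
  # 2. the PKCS12 must open with that password; -clcerts extracts only the
  #    certificate tied to the private key (the leaf), not the CA behind it
  if ! openssl pkcs12 -in "$p12" -passin "file:$passfile" -nokeys -clcerts \
         -out "$tmp/leaf.pem" 2>/dev/null; then
    echo "FAIL: $p12 cannot be opened with the password in $passfile"
    rm -rf "$tmp"; return 1
  fi
  openssl pkcs12 -in "$p12" -passin "file:$passfile" -nocerts -nodes \
    -out "$tmp/key.pem" 2>/dev/null
  # 3. private key and leaf certificate must belong together
  openssl x509 -in "$tmp/leaf.pem" -noout -pubkey >"$tmp/pub.cert"
  openssl pkey -in "$tmp/key.pem" -pubout >"$tmp/pub.key" 2>/dev/null
  cmp -s "$tmp/pub.cert" "$tmp/pub.key" \
    || { echo "FAIL: private key does not match the certificate"; rc=1; }
  # 4. the leaf must chain to the CA Ambari trusts (the IPA CA copied in 3.5)
  openssl verify -CAfile "$cafile" "$tmp/leaf.pem" >/dev/null 2>&1 \
    || { echo "FAIL: certificate does not chain to $cafile"; rc=1; }
  # 5. the SAN must name the host that browsers and agents connect to
  openssl x509 -in "$tmp/leaf.pem" -noout -ext subjectAltName 2>/dev/null \
    | tail -n +2 | tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$host" \
    || { echo "FAIL: subjectAltName does not contain DNS:$host"; rc=1; }
  # 6. refuse a certificate that is about to expire (30-day margin)
  openssl x509 -in "$tmp/leaf.pem" -noout -checkend $((30 * 86400)) >/dev/null \
    || { echo "FAIL: certificate expires within 30 days"; rc=1; }
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] && echo "OK: $p12 is usable by Ambari for $host"
  return "$rc"
}

# make_test_fixture DIR HOSTNAME: constructed stand-in for the IPA CA and the
# section 3 steps, so the checks can be exercised without a cluster.
make_test_fixture() {
  dir="$1"; host="$2"
  install -d -m 0700 "$dir"
  # minimal req config so the result does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name = dn\n[dn]\n' >"$dir/req.cnf"
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Test CA" -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$dir/ipa-ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$host/O=TEST.COM" -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # x509 -req does not copy CSR extensions on older OpenSSL, so restate the SAN
  printf 'subjectAltName=DNS:%s\n' "$host" >"$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ipa-ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
  cat "$dir/server.crt" "$dir/ca.crt" >"$dir/fullchain.crt"   # same order as step 3.3
  printf 'constructed-password\n' >"$dir/pass.txt"; chmod 600 "$dir/pass.txt"
  openssl pkcs12 -export -in "$dir/fullchain.crt" -inkey "$dir/server.key" \
    -name ambari -out "$dir/keystore.p12" -passout "file:$dir/pass.txt"
}

# Usage on a real server, with the article's paths:  sh check.sh /var/lib/ambari-server/keys/keystore.p12 \
#   /var/lib/ambari-server/keys/pass.txt /var/lib/ambari-server/keys/ca.crt dev1.test.com
if [ "$#" -eq 4 ]; then verify_ambari_keystore "$@"; fi
```

A non-zero exit with a FAIL line points at the exact step of section 3 to redo; a keystore that passes all six checks is one Jetty can load.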
