Pivotal Knowledge Base

Follow

gpload Error: "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

Environment

 Product  Version
 Pivotal Greenplum   4.3.x
 OS  RHEL 6.x

Symptom

When running gpload with gpfdists protocol, it fails and gives the following error message:

[gpadmin@mdw ~]$ gpload -f /tmp/gpload.yaml 
2016-12-05 16:56:20|INFO|gpload session started 2016-12-05 16:56:20
2016-12-05 16:56:20|INFO|started gpfdist --ssl /data/master/gpseg-1 -p 10008 -P 10009 -f "/tmp/gploadtest.txt" -t 30 -m 268435456
2016-12-05 16:56:24|ERROR|ERROR: connection with gpfdist failed for gpfdists://mdw:10008//tmp/gploadtest.txt. effective url: https://mdw:10008//tmp/gploadtest.txt. (seg12 slice1 sdw2:1029 pid=96784)
DETAIL: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 

Cause

The certificates are valid. However, they were generated on a server on which the time is set to about 20 minutes ahead of ETL servers running gpload.

So the error will be hit if the certificates are used immediately on ETL servers after being generated as the machine time was not in the valid period of certificates.

ETL node4 Date and Time (Where server certs are installed):

root@etl4 ~ $ date

Thu Dec  8 16:29:29 PST 2016


CA Authority Server Date and Time (From where certs are generated):

root@x000:~# date

Thu Dec  8 16:50:57 PST 2016

Valid period of certificates:

Validity

            Not Before: Dec  8 03:49:09 2016 GMT

            Not After : Nov 14 03:49:09 2116 GMT

Resolution

Synchronize time on server for generating certificate and all the severs on GPDB cluster. Better to synchronize with NPT servers. 

For the example given in this article another try in about 20 minutes after generation of certificates, gpload command could complete successfully. 

Comments

Powered by Zendesk