Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid Certificate For EMR job result of different domain #621

Closed
ocrickard opened this issue Apr 12, 2013 · 2 comments
Closed

Invalid Certificate For EMR job result of different domain #621

ocrickard opened this issue Apr 12, 2013 · 2 comments
Labels
Bug
Milestone
v0.4.1

Comments

@ocrickard
Copy link

First off, thanks for the work on this! Really looking useful to us.

We've had a problem getting our MRJob onto EMR recently due to this somewhat cryptic error:

Creating Elastic MapReduce job flow
Traceback (most recent call last):
  File "mr_extractor.py", line 32, in <module>
    MREmailExtractor.run()
  File "/Library/Python/2.7/site-packages/mrjob-0.4_dev-py2.7.egg/mrjob/job.py", line 483, in run
    mr_job.execute()
  File "/Library/Python/2.7/site-packages/mrjob-0.4_dev-py2.7.egg/mrjob/job.py", line 501, in execute
    super(MRJob, self).execute()
  File "/Library/Python/2.7/site-packages/mrjob-0.4_dev-py2.7.egg/mrjob/launch.py", line 146, in execute
    self.run_job()
  File "/Library/Python/2.7/site-packages/mrjob-0.4_dev-py2.7.egg/mrjob/launch.py", line 207, in run_job
    runner.run()
  File "/Library/Python/2.7/site-packages/mrjob-0.4_dev-py2.7.egg/mrjob/runner.py", line 449, in run
    self._run()
  File "/Library/Python/2.7/site-packages/mrjob-0.4_dev-py2.7.egg/mrjob/emr.py", line 843, in _run
    self._launch_emr_job()
  File "/Library/Python/2.7/site-packages/mrjob-0.4_dev-py2.7.egg/mrjob/emr.py", line 1435, in _launch_emr_job
    persistent=False, steps=steps)
  File "/Library/Python/2.7/site-packages/mrjob-0.4_dev-py2.7.egg/mrjob/emr.py", line 1200, in _create_job_flow
    self._job_name, self._opts['s3_log_uri'], **args)
  File "/Library/Python/2.7/site-packages/mrjob-0.4_dev-py2.7.egg/mrjob/retry.py", line 80, in call_and_maybe_retry
    return f(*args, **kwargs)
  File "/Library/Python/2.7/site-packages/boto/emr/connection.py", line 379, in run_jobflow
    'RunJobFlow', params, RunJobFlowResponse, verb='POST')
  File "/Library/Python/2.7/site-packages/boto/connection.py", line 1048, in get_object
    response = self.make_request(action, params, path, verb)
  File "/Library/Python/2.7/site-packages/boto/connection.py", line 974, in make_request
    return self._mexe(http_request)
  File "/Library/Python/2.7/site-packages/boto/connection.py", line 880, in _mexe
    raise e
boto.https_connection.InvalidCertificateException: Host elasticmapreduce.us-west-1.amazonaws.com returned an invalid certificate (remote hostname "elasticmapreduce.us-west-1.amazonaws.com" does not match certificate): {'notAfter': 'Oct  7 23:59:59 2013 GMT', 'subject': ((('countryName', u'US'),), (('stateOrProvinceName', u'Washington'),), (('localityName', u'Seattle'),), (('organizationName', u'Amazon.com Inc.'),), (('commonName', u'us-west-1.elasticmapreduce.amazonaws.com'),))}
make: *** [emr] Error 1

We eventually figured out that the mapping from our declared "aws_region" in our .mrjob.conf file was being mapped to elasticmapreduce.us-west-1.amazonaws.com, while the certificate was declaring itself us-west-1.elasticmapreduce.amazonaws.com. This mapping is made at:
https://github.com/Yelp/mrjob/blob/master/mrjob/emr.py#L127

We changed this line to read:

    'us-west-1': 'us-west-1.elasticmapreduce.amazonaws.com',

and magically, our jobs are running. I do not know why this is happening, if Amazon has changed their certificates or domain management.
@coyotemarin coyotemarin mentioned this issue Jul 3, 2013
Closed
coyotemarin pushed a commit to coyotemarin/mrjob that referenced this issue Aug 2, 2013
we now infer region endpoints (fixes Yelp#658, Yelp#621)
52afcfd 
factored a lot of AWS administrivia out of emr.py into aws.py
This was referenced Aug 24, 2013
Merged
Closed
@coyotemarin
Copy link
Collaborator

Fixed by #705 (though we're going to fix it even better with #706).

coyotemarin pushed a commit to coyotemarin/mrjob that referenced this issue Aug 28, 2013
use raw api for visible_to_all_users (fixes Yelp#621)
b4e7c4d
@coyotemarin
Copy link
Collaborator

Based on a loose reading of this thread, this is an issue that happens on Python 2.6 but not Python 2.7. I've been able to duplicate this bug with boto 2.11.0 on Python 2.6.7 but not Python 2.7.5.

It looks like the boto version doesn't really matter. The "magic" happens in boto.https_connection.GetValidHostsForCert which reads the `subjectAltName' and 'subject' fields on the certificate; this code hasn't significantly changed since it was added in April 2011 (mrjob requires boto 2.2.0 which was released in Jan 2012). I'm guessing the SSL library on Python 2.6 just doesn't know how to access those fields.

The simple solution would be to just pass validate_certs=False to the EmrConnection constructor when we're on Python 2.6 But that keyword option isn't available until boto 2.5.2. It's also a bit of a blunt instrument; we'd really rather do some SSL validation.

So it sounds like further wrapping the EMR connection is the way to go. sigh At least I'm halfway done coding it. :)

@coyotemarin coyotemarin mentioned this issue Aug 30, 2013
Merged
scottknight added a commit to timtadh/mrjob that referenced this issue Oct 10, 2013
@scottknight
Merge tag 'tags/v0.4.1' into features/update_mobile_defense_production
b550f23 
secondary sort and self-terminating job flows
 * jobs:
   * SORT_VALUES: Secondary sort by value (Yelp#240)
     * see mrjob/examples/
   * can now override jobconf() again (Yelp#656)
   * renamed mrjob.compat.get_jobconf_value() to jobconf_from_env()
   * examples:
     * bash_wrap/ (mapper/reducer_cmd() example)
     * mr_most_used_word.py (two step job)
     * mr_next_word_stats.py (SORT_VALUES example)
 * runners:
   * All runners:
     * single --setup option works but is not yet documented (Yelp#206)
     * setup now uses sh rather than python internally
   * EMR runner:
     * max_hours_idle: self-terminating idle job flows (Yelp#628)
       * mins_to_end_of_hour option gives finer control over self-termination.
     * Can reuse pooled job flows where previous job failed (Yelp#633)
     * Throws IOError if output path already exists (Yelp#634)
     * Gracefully handles SSL cert issues (Yelp#621, Yelp#706)
     * Automatically infers EMR/S3 endpoints from region (Yelp#658)
     * ls() supports s3n:// schema (Yelp#672)
     * Fixed log parsing crash on JarSteps (Yelp#645)
     * visible_to_all_users works with boto <2.8.0 (Yelp#701)
     * must use --interpreter with non-Python scripts (Yelp#683)
     * cat() can decompress gzipped data (Yelp#601)
   * Hadoop runner:
     * check_input_paths: can disable input path checking (Yelp#583)
     * cat() can decompress gzipped data (Yelp#601)
   * Inline/Local runners:
     * Fixed counter parsing for multi-step jobs in inline mode
     * Supports per-step jobconf (Yelp#616)
 * Documentation revamp
 * mrjob.parse.urlparse() works consistently across Python versions (Yelp#686)
 * deprecated:
   * many constants in mrjob.emr replaced with functions in mrjob.aws
 * removed deprecated features:
   * old conf locations (~/.mrjob and in PYTHONPATH) (Yelp#747)
   * built-in protocols must be instances (Yelp#488)
@coyotemarin coyotemarin mentioned this issue Feb 11, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug
Projects
None yet
Milestone
v0.4.1
Development

No branches or pull requests
2 participants
@coyotemarin @ocrickard