
Configuring Hue SSL to connect to Hive with Kerberos



I am trying to configure Hue to be able to run some Hive queries. I have set up Kerberos on my cluster, but I get a strange message when I connect to Hue inside the Hive query editor:


Certificate error with remote host: hostname 'xxxx30.server.lan' doesn't match u'xxxx29.server.lan'



It's strange because inside Cloudera Manager I haven't set up this node xxxx29 anywhere.


xxxx30.server.lan is my appnode and it has an HAProxy that should distribute the Hive queries to 2 nodes: xxxx31 and xxxx32.


I am able to run some beeline requests, but I can't from Hue.


So do you have an idea or a clue, please?







Re: Configuring Hue SSL to connect to Hive with Kerberos

Hi @AntoineH,


The error means that Hue connected to xxxx30.server.lan but the certificate that was returned had a subject CN or Subject Alternative Name that did not match.  In fact, the certificate said it was for xxxx29.server.lan.


It is common for TLS clients to check that the hostname in the server certificate matches the hostname of the host to which they are connecting to help validate that they are connecting to the correct server.


You have 2 options to correct this situation:



1. Recommended: Install a correct certificate on xxxx30.server.lan that has a Subject Alternative Name or subject CN value that matches the hostname.

2. If you accept the security risk, you can disable Hue's peer certificate checks (this also disables certificate signer trust validation) by setting the following in Hue's configuration:










Re: Configuring Hue SSL to connect to Hive with Kerberos



Thank you. OK, so in fact, after checking, there were 2 problems:


- First, a misconfiguration. We had set cm.keystore (which contains all the public keys), so it was getting the first servers. And it was not the right one.

- So after setting the key.keystore, it was answering with the right server, but now we have to generate a VIP certificate so all 3 servers will answer for the VIP rather than for one specific server.


Thank you for your help! :)
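
The hostname check discussed in this thread, as an added example that is not part of the original posts and is not Hue's own code: it applies SAN-then-CN matching to constructed certificates and lists which backends a verifying client would reject when it connects by the load-balanced name. It assumes the proxy passes TLS through to the backends; the function names and sample certificates are constructed for illustration.

```python
# Added example. Certificates are constructed, in the dict shape returned by
# ssl.SSLSocket.getpeercert(); hostnames reuse the masked names from the thread.

def _name_match(pattern: str, host: str) -> bool:
    """Compare one certificate name with a hostname, case-insensitively.
    '*' is accepted only as the entire leftmost label, and (a conservative
    choice made here) only when at least two labels follow it."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert: dict) -> list:
    """dNSName SAN entries; the subject CN is used only if no dNSName exists."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def cert_covers(cert: dict, hostname: str) -> bool:
    return any(_name_match(n, hostname) for n in cert_names(cert))

def backends_failing(connect_name: str, certs: dict) -> list:
    """Backends whose certificate a verifying client would reject for connect_name."""
    return sorted(b for b, c in certs.items() if not cert_covers(c, connect_name))

def host_cert(name: str, extra_sans=()) -> dict:
    """Build a constructed certificate dict for `name` plus optional extra SANs."""
    return {"subject": ((("commonName", name),),),
            "subjectAltName": tuple(("DNS", n) for n in (name, *extra_sans))}

VIP = "xxxx30.server.lan"  # the name Hue connects to (the HAProxy node)

# Before: each backend presents a certificate issued only for its own hostname.
BEFORE = {h: host_cert(h) for h in ("xxxx31.server.lan", "xxxx32.server.lan")}
# After: each certificate also lists the load-balanced name as a SAN.
AFTER = {h: host_cert(h, extra_sans=(VIP,)) for h in BEFORE}

if __name__ == "__main__":
    print("rejected before:", backends_failing(VIP, BEFORE))
    print("rejected after: ", backends_failing(VIP, AFTER))
```
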