Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Configuring Hue SSL to connect to Hive with Kerberos

avatar
Explorer

Hello,

 

I try to configure Hue to be able to make some Hive Query. I have setup Kerberos on my cluster. But I get a strange message when I connect on Hue inside the Hive query editor :

 

Certificate error with remote host: hostname 'xxxx30.server.lan' doesn't match u'xxxx29.server.lan'

 

 

It's strange because inside Cloudera Manager I didn't have setup this node xxxx29 anyware.

 

xxxx30.server.lan is my appnode and it has an HAproxy that should distribute the Hive query to 2 nodes : xxxx31 and xxxx32.

 

I am able to do some beeline request, but I can't from hue.

 

So have you an idea or a clue please ?

 

regards,

 

A.

 

1 ACCEPTED SOLUTION

avatar
Master Guru

Hi @AntoineH,

 

The error means that Hue connected to xxxx30.server.lan but the certificate that was returned had a subject CN or Subject Alternative Name that did not match.  In fact, the certificate said it was for xxxx29.server.lan.

 

It is common for TLS clients to check that the hostname in the server certificate matches the hostname of the host to which they are connecting to help validate that they are connecting to the correct server.

 

You have 2 options to correct this situation:

 

(1)

Recommended:  Install a correct certificate on xxxx30.server.lan that has a Subject Alternative Name or subject CN value that matches the hostname.

 

(2)

If you accept the security risk, you can disable Hue's peer certificate checks (also disables certificate signer trust validation), you can set the following in Hue's configuration:

 

[beeswax]

[[ssl]]

validate=false

 

Regards,

 

Ben

View solution in original post

3 REPLIES 3

avatar
Master Guru

Hi @AntoineH,

 

The error means that Hue connected to xxxx30.server.lan but the certificate that was returned had a subject CN or Subject Alternative Name that did not match.  In fact, the certificate said it was for xxxx29.server.lan.

 

It is common for TLS clients to check that the hostname in the server certificate matches the hostname of the host to which they are connecting to help validate that they are connecting to the correct server.

 

You have 2 options to correct this situation:

 

(1)

Recommended:  Install a correct certificate on xxxx30.server.lan that has a Subject Alternative Name or subject CN value that matches the hostname.

 

(2)

If you accept the security risk, you can disable Hue's peer certificate checks (also disables certificate signer trust validation), you can set the following in Hue's configuration:

 

[beeswax]

[[ssl]]

validate=false

 

Regards,

 

Ben

avatar
Explorer

Hello,

 

Thank you. Ok, so in fact after checking, it was 2 problems :

 

- First a missconfiguration. We have seted cm.keystore (that contains all the public keys) so it was geting the first servers. And it was not the good one.

- So after seting the key.keystore it was answering the good server, but now we have to generate a VIP certificate so all 3 servers will answers the VIP rather than one specific server.

 

thank you for your help ! 🙂

 

Regards,

 

A.

avatar
New Contributor

Hello Antoine,

 

We have the same problem and we can't solve it.

 

Where did you lack configuration? In Cloudera Manager (Hive or Hue?) Or HAProxy?

 

Thanks for your help!!!

 

P.