Ambari Https (Broken HTTPS)

Expert Contributor

While securing Ambari Server for HTTPS, we can successfully log in over https on the default port 8443; however, the https is struck out and says This page is insecure (broken HTTPS).

We are using wildcard certs, initially in .cer format; however, we have to convert them to .pem format using openssl.

What is the preferred format and encryption for the certs?

The current error says

1) SHA-1 Certificate The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1.

2) Certificate Error There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

Thanks

Mayank

1 ACCEPTED SOLUTION

Expert Contributor

Figured it out. I generated a new cert and used Signature Algorithm as sha256RSA (signature hash algorithm as sha256); however, the ones I had earlier were SHA1RSA and SHA1 respectively.

Seems like SHA1 is weak, but IE doesn't seem to care; Chrome was not happy about it.

If it's an internal ONLY cluster and you are using a local CA authority (internal or self-signed), you can still live with SHA1.

You will still achieve Secure TLS connection and Secure Resources, however with a warning: This page is insecure (broken HTTPS).

Hope this helps, and thanks to the community for thinking.

Regards Mayank
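
The two checks this thread turns on (the signature hash, and whether a name on the wildcard certificate covers the Ambari host), as an added example that is not part of the original posts: a shell pre-flight for a certificate before it is installed. It assumes OpenSSL 1.1.1 or later; the host names, file names and the `make_samples` helper are constructed for illustration, and only the leaf certificate is examined, so each intermediate in the chain needs the same `sig_ok` check.

```shell
#!/usr/bin/env bash
# Added example. Host names and file names are constructed sample values.

# Convert a DER .cer to PEM; a .cer that is already PEM is copied unchanged.
to_pem() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then cp "$1" "$2"
  else openssl x509 -inform DER -in "$1" -out "$2"; fi
}

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text |
    awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Fail when the certificate itself is signed with SHA-1 or MD5.
sig_ok() {
  case "$(sig_alg "$1" | tr 'A-Z' 'a-z')" in
    *sha1*|*md5*) return 1 ;;
    *) return 0 ;;
  esac
}

# Fail when there is no DNS subjectAltName (Chrome ignores the CN) or when
# no name on the certificate covers the host. A wildcard covers one label only.
host_ok() {
  openssl x509 -in "$1" -noout -text | grep -q 'DNS:' || return 1
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Build constructed test certificates in directory $1:
#   wild.cer    DER, sha256, SAN *.example.com
#   cnonly.pem  PEM, sha256, CN only (no SAN)
make_samples() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj '/CN=*.example.com' -addext 'subjectAltName=DNS:*.example.com' \
    -keyout "$1/wild.key" -out "$1/wild.tmp" 2>/dev/null &&
  openssl x509 -in "$1/wild.tmp" -outform DER -out "$1/wild.cer" &&
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj '/CN=ambari.example.com' \
    -keyout "$1/cnonly.key" -out "$1/cnonly.pem" 2>/dev/null
}

# Usage: script.sh cert.cer ambari-host.example.com
if [ "$#" -eq 2 ]; then
  pem=$(mktemp) && to_pem "$1" "$pem" || exit 2
  sig_ok "$pem" || echo "FAIL: signed with $(sig_alg "$pem")"
  host_ok "$pem" "$2" || echo "FAIL: no SAN entry covers $2"
fi
```

A certificate that passes both checks avoids the two errors quoted in the question; the CN-only sample fails `host_ok` even though its common name is the exact host name.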


5 REPLIES 5


@mkataria

Is it a self-signed cert? Did you try adding the host to trusted sites in the browser?

You can cross-check the cert creation process with the article below:

https://community.hortonworks.com/articles/50405/how-to-enable-https-for-apache-ambari-using-jks.htm...

Expert Contributor

We are using a single wildcard cert provided by enterprise CA.

Thanks Mayank

Expert Contributor

Works for IE, however still broken for Chrome.

Any advice/help is appreciated.

Explorer

@mkataria Did you get a solution? Can you share the steps performed with the wildcard cert?