Support Questions

Find answers, ask questions, and share your expertise
Welcome to the upgraded Community! Read this blog to see What’s New!

Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'SSL23_GET_SERVER_HELLO', 'sslv3

New Contributor

Hi everyone,

this is my first post in Cloudera Community.
I am trying to enable HBase browser in HUE and I have a Kerberized Cloudera environment.

I am following the steps from this link:


There're several steps I am not clear and kind of confusing:

1- In Kerberized environment, do we need to enable Enable TLS/SSL for the HBase Thrift Server?


2-If yes for no.1, what will be the Keystore File Location, Keystore File Password and Keystore Key Password? Are those the file from /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks?
I am using auto TLS during Cloudera 6 installation


3. I found that some previous post stated that we no need to edit the hue-safety.ini through later Cloudera Manager, but still the latest documentation still state that we should edit them. (For this I just ask due to curiosity, I am not sure is this part of root cause which cause me fail to access HBase table via HUE)


Before I follow the link, the error message: tsocket read 0 bytes will prompt if I try to access HBase through HUE. 

After I follow the steps from the link. The error message is gone but the new one come out: Api Error: HTTPSConnectionPool(host=HOSTNAME, port=9090): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'SSL23_GET_SERVER_HELLO', 'sslv3 alert handshake failure')],)",),))


I've tried find answers for few days but still haven't found any working solution.


By the way, thanks for those who take time to read my post.




Hi @ylchew93,
Do you solve this issue? I have the same problem after enabled Kerberos in my cluster.


@Guarupe @ylchew93 Please follow the below doc and see if anything is missing while SSL implementation on Hue.

This issue occurs if the certificates presented by the YARN Resource Managers are not included in Hue's Truststore.

When Hue acts as a TLS/ SSL client while communicating with services like YARN and Oozie, it requires the server certificates of these daemons in its Truststore. The Truststore helps the Hue service to authenticate certificates installed on these TLS-enabled servers.



Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.