Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Configuring Hue SSL to connect to Hive with Kerberos

Solved Go to solution
Highlighted

Configuring Hue SSL to connect to Hive with Kerberos

New Contributor

Hello,

 

I try to configure Hue to be able to make some Hive Query. I have setup Kerberos on my cluster. But I get a strange message when I connect on Hue inside the Hive query editor :

 

Certificate error with remote host: hostname 'xxxx30.server.lan' doesn't match u'xxxx29.server.lan'

 

 

It's strange because inside Cloudera Manager I didn't have setup this node xxxx29 anyware.

 

xxxx30.server.lan is my appnode and it has an HAproxy that should distribute the Hive query to 2 nodes : xxxx31 and xxxx32.

 

I am able to do some beeline request, but I can't from hue.

 

So have you an idea or a clue please ?

 

regards,

 

A.

 

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Configuring Hue SSL to connect to Hive with Kerberos

Super Guru

Hi @AntoineH,

 

The error means that Hue connected to xxxx30.server.lan but the certificate that was returned had a subject CN or Subject Alternative Name that did not match.  In fact, the certificate said it was for xxxx29.server.lan.

 

It is common for TLS clients to check that the hostname in the server certificate matches the hostname of the host to which they are connecting to help validate that they are connecting to the correct server.

 

You have 2 options to correct this situation:

 

(1)

Recommended:  Install a correct certificate on xxxx30.server.lan that has a Subject Alternative Name or subject CN value that matches the hostname.

 

(2)

If you accept the security risk, you can disable Hue's peer certificate checks (also disables certificate signer trust validation), you can set the following in Hue's configuration:

 

[beeswax]

[[ssl]]

validate=false

 

Regards,

 

Ben

3 REPLIES 3

Re: Configuring Hue SSL to connect to Hive with Kerberos

Super Guru

Hi @AntoineH,

 

The error means that Hue connected to xxxx30.server.lan but the certificate that was returned had a subject CN or Subject Alternative Name that did not match.  In fact, the certificate said it was for xxxx29.server.lan.

 

It is common for TLS clients to check that the hostname in the server certificate matches the hostname of the host to which they are connecting to help validate that they are connecting to the correct server.

 

You have 2 options to correct this situation:

 

(1)

Recommended:  Install a correct certificate on xxxx30.server.lan that has a Subject Alternative Name or subject CN value that matches the hostname.

 

(2)

If you accept the security risk, you can disable Hue's peer certificate checks (also disables certificate signer trust validation), you can set the following in Hue's configuration:

 

[beeswax]

[[ssl]]

validate=false

 

Regards,

 

Ben

Re: Configuring Hue SSL to connect to Hive with Kerberos

New Contributor

Hello,

 

Thank you. Ok, so in fact after checking, it was 2 problems :

 

- First a missconfiguration. We have seted cm.keystore (that contains all the public keys) so it was geting the first servers. And it was not the good one.

- So after seting the key.keystore it was answering the good server, but now we have to generate a VIP certificate so all 3 servers will answers the VIP rather than one specific server.

 

thank you for your help ! :)

 

Regards,

 

A.

Re: Configuring Hue SSL to connect to Hive with Kerberos

New Contributor

Hello Antoine,

 

We have the same problem and we can't solve it.

 

Where did you lack configuration? In Cloudera Manager (Hive or Hue?) Or HAProxy?

 

Thanks for your help!!!

 

P.

Don't have an account?
Coming from Hortonworks? Activate your account here