Created on 05-15-2017 07:54 AM - edited 09-16-2022 04:36 AM
Hello,
I am trying to configure Hue to be able to run some Hive queries. I have set up Kerberos on my cluster, but I get a strange message when I connect to Hue in the Hive query editor:
Certificate error with remote host: hostname 'xxxx30.server.lan' doesn't match u'xxxx29.server.lan'
It's strange because in Cloudera Manager I haven't set up this node xxxx29 anywhere.
xxxx30.server.lan is my appnode and it has an HAProxy that should distribute the Hive queries to 2 nodes: xxxx31 and xxxx32.
I am able to run some Beeline requests, but I can't from Hue.
So do you have an idea or a clue, please?
Regards,
A.
Created 05-15-2017 10:33 AM
Hi @AntoineH,
The error means that Hue connected to xxxx30.server.lan but the certificate that was returned had a subject CN or Subject Alternative Name that did not match. In fact, the certificate said it was for xxxx29.server.lan.
It is common for TLS clients to check that the hostname in the server certificate matches the hostname of the host to which they are connecting to help validate that they are connecting to the correct server.
You have 2 options to correct this situation:
(1) Recommended: Install a correct certificate on xxxx30.server.lan that has a Subject Alternative Name or subject CN value that matches the hostname.
(2) If you accept the security risk, you can disable Hue's peer certificate checks (this also disables certificate signer trust validation) by setting the following in Hue's configuration:
[beeswax]
[[ssl]]
validate=false
Regards,
Ben
Created 05-16-2017 03:01 AM
Hello,
Thank you. OK, so in fact, after checking, there were 2 problems:
- First, a misconfiguration. We had set cm.keystore (which contains all the public keys), so it was getting the first server, and it was not the right one.
- So after setting the key.keystore it was answering with the right server, but now we have to generate a VIP certificate so all 3 servers will answer the VIP rather than one specific server.
Thank you for your help! 🙂
Regards,
A.
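The hostname check described in the accepted answer, and the VIP certificate mentioned in the follow-up, as an added Python example that is not part of the original thread: it compares a hostname against a decoded certificate in the dict shape returned by `ssl.SSLSocket.getpeercert()`. The certificate contents, the helper names and the VIP name `hive-vip.server.lan` are constructed assumptions.

```python
# Added example: hostname verification against a decoded certificate.
# All certificate contents are constructed; "hive-vip.server.lan" is a
# hypothetical VIP name, not one taken from the thread.

def dns_match(pattern, hostname):
    """Match one dNSName; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.lan"
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Names a client compares: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def check_hostname(cert, hostname):
    """Return (ok, names) so a mismatch shows what the cert really covers."""
    names = cert_names(cert)
    return any(dns_match(n, hostname) for n in names), names

# Constructed: certificate issued for one specific node, CN only
NODE_CERT = {"subject": ((("commonName", "xxxx29.server.lan"),),)}
# Constructed: certificate whose SANs cover the VIP and the three servers
VIP_CERT = {
    "subject": ((("commonName", "hive-vip.server.lan"),),),
    "subjectAltName": (
        ("DNS", "hive-vip.server.lan"), ("DNS", "xxxx30.server.lan"),
        ("DNS", "xxxx31.server.lan"), ("DNS", "xxxx32.server.lan")),
}

if __name__ == "__main__":
    for label, cert in (("node cert", NODE_CERT), ("VIP cert", VIP_CERT)):
        for host in ("xxxx30.server.lan", "hive-vip.server.lan"):
            ok, names = check_hostname(cert, host)
            state = "match" if ok else "MISMATCH"
            print(f"{label}: {host} -> {state} (cert covers {names})")
```

Running the same check against the certificate each endpoint actually presents shows whether the keystore entry in use covers the name Hue connects to, without turning `validate` off.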
Created on 10-10-2017 05:35 AM - edited 10-10-2017 05:36 AM
Hello Antoine,
We have the same problem and we can't solve it.
Where did you lack configuration? In Cloudera Manager (Hive or Hue?) or HAProxy?
Thanks for your help!!!
P.