Getting Error while configuring Hue with SSL - enable HTTPS using a certified enterprise/domain certificate

Contributor

Hello,

I have followed the document for configuring HTTPS for Hue.

the ssl_certificate=/path to enterprise certificate

ssl_private_key= /path to *host* key.

In the error log we have error complaining about :

SSL routines: SSL3_WRITE_BYTES: Hand Shake Failure.

This is related to OpenSSL Error Alert 40.

1) Can Hue work with an enterprise/domain certificate, or does it expect a certificate specific to the host it is hosted on?

2) The above alert also speaks of expecting a client certificate. My understanding is that no client certificate will be used here.

Need insights on the above areas to proceed further.

Note: All other services have valid jks and are configured successfully to use https.

Regards,

Sundar

4 REPLIES

Re: Getting Error while configuring Hue with SSL - enable HTTPS using a certified enterprise/domain certificate

Hi @Sundara Palanki

What version of HDP are you running - and what version of Hue are you running?

What are you using Hue for? Have you tried the Hive View in Ambari?

Re: Getting Error while configuring Hue with SSL - enable HTTPS using a certified enterprise/domain certificate

Expert Contributor

Hi @Sundara Palanki

Hue uses a PEM formatted certificate and private key. I have used host specific and also wildcard certificates and all worked.

Check your certificates using the following commands:

openssl rsa -in private.key -check

openssl x509 -in certificate.crt -text -noout

Not sure what you meant by "/path to *host* key", this is the private key corresponding to your certificate.

If you have a working JKS, the private key and certificate can be extracted from the keystore by converting into an intermediate P12 format:

keytool -importkeystore -srckeystore /etc/security/serverKeys/keystore.jks -destkeystore /tmp/keystore.p12 -deststoretype PKCS12 -srcalias <keystore_alias> -deststorepass temporarypass -destkeypass temporarypass

openssl pkcs12 -in /tmp/keystore.p12 -nokeys -out /etc/hue/conf/certificate.crt -passin pass:temporarypass

openssl pkcs12 -in /tmp/keystore.p12 -nodes -nocerts -out /etc/hue/conf/private.key -passin pass:temporarypass

chown hue:hadoop /etc/hue/conf/certificate.crt /etc/hue/conf/private.key

chmod 440 /etc/hue/conf/certificate.crt

chmod 400 /etc/hue/conf/private.key

rm -f /tmp/keystore.p12

Re: Getting Error while configuring Hue with SSL - enable HTTPS using a certified enterprise/domain certificate

Contributor

@Alexandru Anghel. Thanks for the information. I see that Hue is working fine with a SHA1 certificate where the certificate has been generated on a per-node basis, i.e., I have a .cer file for the host and the host private key.

However, the latest SHA 2 certificate has only the public key. When I try to generate a .p12 file, it throws an error stating the trusted certificate is not password protected.

I have tried out ssl_password attribute. However it is not getting picked up (source: runcpserver.out). I think the issue might be because of the support for this attribute ssl_password in Hue 2.6.1 (shipped by HDP).

Re: Getting Error while configuring Hue with SSL - enable HTTPS using a certified enterprise/domain certificate

Expert Contributor

You still need to have a new private key with the new certificate; SHA-2 just changes the hashing algorithm.

The ssl_password attribute is only used if you have a private key protected by a password. I'm not aware if there is an issue with Hue 2.6.1 but you shouldn't need that ssl_password anyway.

First find your private key, otherwise it won't work without it. It should have been packaged when you downloaded or got the new certificate.

Then test the private key with the following command:

openssl rsa -in private.key -check

If it asks for a password (pass phrase) then you can remove the password by running this:

openssl rsa -in private.key -out private-no-pass.key

And use the new .key file for Hue.
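
The checks from the two answers above can be combined into one pre-flight test of the PEM pair before restarting Hue. This is an added example, not part of the original thread or of Hue itself; the function name `check_hue_pair` and its return codes are assumptions made for illustration. It compares the public key inside the certificate with the one derived from the private key, and separately reports a passphrase-protected key or a file that holds no private key at all.

```shell
#!/usr/bin/env bash
# Added example: verify that the files given to Hue as ssl_certificate and
# ssl_private_key actually belong together. check_hue_pair is a hypothetical
# helper name; return codes: 0 match, 1 mismatch, 2 encrypted key, 3 unreadable.

check_hue_pair() {
    local cert=$1 key=$2 cert_pub key_pub

    # A passphrase-protected PEM key announces itself in its header, either as
    # a PKCS#8 "ENCRYPTED PRIVATE KEY" or a legacy "Proc-Type: 4,ENCRYPTED" line.
    if grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$key" 2>/dev/null; then
        echo "private key is passphrase-protected"
        return 2
    fi

    # Public key as recorded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read a PEM certificate from $cert"
        return 3
    }

    # Public key derived from the private key. This fails when the file holds
    # only a certificate or public key, i.e. there is no private key in it.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "no usable private key in $key"
        return 3
    }

    if [ "$cert_pub" = "$key_pub" ]; then
        echo "certificate and private key match"
        return 0
    fi
    echo "mismatch: this private key does not belong to this certificate"
    return 1
}

# Stand-alone use: script.sh /etc/hue/conf/certificate.crt /etc/hue/conf/private.key
if [ "$#" -eq 2 ]; then
    check_hue_pair "$1" "$2"
fi
```

A result of 1 means a certificate from one source was paired with a key from another, and a result of 3 on the key file means the file contains no private key.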