I have followed the document for configuring HTTPS for Hue.
the ssl_certificate=/path to enterprise certificate
ssl_private_key= /path to *host* key.
In the error log we have an error complaining about:
SSL routines: SSL3_WRITE_BYTES: Hand Shake Failure.
This is related to OpenSSL Error Alert 40.
1) Can Hue work with an enterprise/domain certificate, or does it expect a certificate specific to the host it is hosted on?
2) The above alert also speaks of expecting a client certificate. My understanding is that no client certificate will be used here.
Need insights on the above areas to proceed further.
Note: All other services have valid jks and are configured successfully to use https.
Hue uses PEM formatted certificate and private key. I have used host specific and also wildcard certificates and all worked.
Check your certificates using the following commands:
openssl rsa -in private.key -check
openssl x509 -in certificate.crt -text -noout
Not sure what you meant by "/path to *host* key", this is the private key corresponding to your certificate.
If you have a working JKS, the private key and certificate can be extracted from the keystore by converting into an intermediate P12 format:
keytool -importkeystore -srckeystore /etc/security/serverKeys/keystore.jks -destkeystore /tmp/keystore.p12 -deststoretype PKCS12 -srcalias <keystore_alias> -deststorepass temporarypass -destkeypass temporarypass
openssl pkcs12 -in /tmp/keystore.p12 -nokeys -out /etc/hue/conf/certificate.crt -passin pass:temporarypass
openssl pkcs12 -in /tmp/keystore.p12 -nodes -nocerts -out /etc/hue/conf/private.key -passin pass:temporarypass
chown hue:hadoop /etc/hue/conf/certificate.crt /etc/hue/conf/private.key
chmod 440 /etc/hue/conf/certificate.crt
chmod 400 /etc/hue/conf/private.key
rm -f /tmp/keystore.p12
@Alexandru Anghel. Thanks for the information. I see that Hue is working fine with a SHA1 certificate where the certificate has been generated on a per-node basis, i.e. I have a .cer file for the host and the host private key.
However, the latest SHA 2 certificate has only the public key. When I try to generate a .p12 file, it throws an error stating the trusted certificate is not password protected.
I have tried out the ssl_password attribute. However, it is not getting picked up (source: runcpserver.out). I think the issue might be because of the support for this attribute ssl_password in Hue 2.6.1 (shipped by HDP).
You still need to have a new private key with the new certificate, SHA-2 just changes the hashing algorithm.
The ssl_password attribute is only used if you have a private key protected by a password. I'm not aware if there is an issue with Hue 2.6.1 but you shouldn't need that ssl_password anyway.
First find your private key, otherwise it won't work without it. It should have been packaged when you downloaded or got the new certificate.
Then test the private key with the following command:
openssl rsa -in private.key -check
If it asks for a password (pass phrase) then you can remove the password by running this:
openssl rsa -in private.key -out private-no-pass.key
And use the new .key file for Hue.
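The two answers above boil down to a short checklist: the key file must parse, it must not be passphrase-protected (or ssl_password must be set), it must be the key that belongs to the certificate, and the certificate must cover the host Hue is served from (a wildcard cert is fine). The script below, an added example that is not code from the thread or from the Hue project, wraps those checks so they can be run against the files ssl_certificate and ssl_private_key point at before restarting Hue. It assumes only the openssl CLI; the file paths, the hostname and the passphrase are arguments you supply.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the PEM pair that
# Hue's ssl_certificate / ssl_private_key settings point at. Requires the
# openssl CLI; paths, hostnames and passphrases are arguments you supply.

# Exit 0 if the key file is passphrase-protected: a traditional
# "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
# block, both of which contain the word ENCRYPTED. Exit 1 otherwise.
key_needs_passphrase() {
    grep -q 'ENCRYPTED' "$1"
}

# Write an unencrypted copy of a passphrase-protected key, owner-readable only.
# Usage: strip_passphrase in.key out.key 'passphrase'
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null && chmod 400 "$2"
}

# Digest of the RSA modulus found in a certificate, resp. in a private key,
# so the two can be compared as one short string. An empty -passin makes
# openssl fail instead of prompting if the key is still encrypted.
cert_modulus() {
    openssl x509 -in "$1" -noout -modulus | openssl dgst -sha256
}
key_modulus() {
    openssl rsa -in "$1" -noout -modulus -passin pass: 2>/dev/null | openssl dgst -sha256
}

# Exit 0 if the private key corresponds to the certificate. Pairing a newly
# issued certificate with an old host key is one mismatch that makes the TLS
# handshake fail before any page is served.
cert_key_match() {
    [ "$(cert_modulus "$1")" = "$(key_modulus "$2")" ]
}

# Exit 0 if the certificate's SAN (or, failing that, its CN) covers the host.
# openssl's -checkhost applies the usual wildcard rules, so *.example.com is
# accepted for hue.example.com but not for hue.other.org.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Run every check against the files Hue will load; stops at the first failure.
# Usage: hue_tls_check /etc/hue/conf/certificate.crt /etc/hue/conf/private.key "$(hostname -f)"
hue_tls_check() {
    cert=$1; key=$2; host=$3
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "certificate does not parse: $cert"; return 1; }
    if key_needs_passphrase "$key"; then
        echo "private key is passphrase-protected: strip it or set ssl_password"; return 1
    fi
    openssl rsa -in "$key" -check -noout -passin pass: >/dev/null 2>&1 \
        || { echo "private key does not parse: $key"; return 1; }
    cert_key_match "$cert" "$key" \
        || { echo "private key does not match certificate"; return 1; }
    cert_covers_host "$cert" "$host" \
        || { echo "certificate does not cover $host"; return 1; }
    echo "ok: $cert and $key are usable for $host"
}

# Stand-alone use: sh hue_tls_check.sh certificate.crt private.key hue.example.com
if [ $# -ge 3 ]; then hue_tls_check "$@"; fi
```

The modulus comparison is the check behind "the private key corresponding to your certificate": the certificate and the key carry the same RSA modulus, and if the digests differ, no amount of config tuning will get the handshake past the server's own key load. The hostname check answers the wildcard question the same way a browser would, and it is where a per-node certificate reused on another node fails.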