Getting error after configuring HUE with SSL

Explorer

Hi ,

I have configured HiveServer2 with an SSL certificate (provided by a CA). I am able to access Hive from beeline (JDBC client) but not able to access Hive from the HUE UI, and I am getting the below error:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I have checked hiveserver2 logs

HiveServer2 log error: java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca

I have made the below change in the hue.ini file:

[[SSL]]

enabled=true

# Path to Certificate Authority certificates.

cacerts=/etc/hue/privatekey.pem

# Path to the private key file.

key=/etc/hue/hue_private_keystore.pem

# Path to the public certificate file.

cert=/etc/hue/hivecetificate.pem

Note: When I configure hiveserver2 with self-signed certificate HUE works fine.

Thanks

7 REPLIES 7
Re: Getting error after configuring HUE with SSL

Explorer

Thanks for the reply.

I have also tried this but still got the same error:

REQUESTS_CA_BUNDLE=certificate

Re: Getting error after configuring HUE with SSL

Explorer

Hi Neeraj,

The given post says the PEM file carries all the necessary host certificates (and chain certificates). Will you please elaborate which certificate I should provide to REQUESTS_CA_BUNDLE?

Below is the hue.ini file:

[[ssl]]

# SSL communication enabled for this server.

enabled=true

# Path to Certificate Authority certificates.

cacerts=/opt/newkrys/privatekey.pem

# Path to the private key file.

key=/opt/newkrys/hue_private_keystore.pem

# Path to the public certificate file.

cert=/opt/newkrys/hivecertificate.pem

validate=true

REQUESTS_CA_BUNDLE=/opt/newkrys/hivecertificate.pem

Thanks,

Vishal Dhavale

Re: Getting error after configuring HUE with SSL

@Vishal Dhavale

Please see the official doc http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_installing_manually_book/content/configur...

(Optional) Configure Hue for SSL.

Install pyOpenSSL in order to configure Hue to serve over HTTPS. To install pyOpenSSL, from the root of your Hue installation path, complete the following instructions:

  • Run the following command on the Hue Server:

    ./build/env/bin/easy_install pyOpenSSL

  • Configure Hue to use your private key. Add the following to hue.ini file:

    ssl_certificate=$PATH_To_CERTIFICATE

    ssl_private_key=$PATH_To_KEY

    ssl_cipher_list="DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2" (default)

Note
Ideally, you should have an appropriate key signed by a Certificate Authority. For test purposes, you can create a self-signed key using the openssl command on your system:

Create a key:

openssl genrsa 1024 > host.key

Create a self-signed certificate:

openssl req -new -x509 -nodes -sha1 -key host.key > host.cert

To upload files using the Hue File Browser over HTTPS, you must have a proper SSL Certificate.

Re: Getting error after configuring HUE with SSL

Explorer

Thank you very much for the reply.

I have gone through this document already. It explains setting up HUE with SSL, but in our case I have configured HiveServer2 with SSL, and now I am configuring HUE to connect to it.

I think we can consider the above option given in the document when we want to configure only HUE with SSL.

Thanks,

Vishal Dhavale

Re: Getting error after configuring HUE with SSL

You are pointing the CA certificate to the private key of your server. You need to identify the public key of the certificate authority which issued it:

# Path to Certificate Authority certificates.

cacerts=/etc/hue/privatekey.pem

should be:

# Path to Certificate Authority certificates.

cacerts=/etc/hue/capublickey.pem

If you have trouble getting the public key of the CA, you can usually download it directly from their website or use:

$ openssl s_client -connect <yourca.com>:443 -showcerts -debug </dev/null

to extract it to the command line buffer and paste it into a local PEM file.
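
A content check for the mistake pointed out in the answer above, added here as an example and not part of the original thread: it reads the cacerts, key and cert paths from hue.ini and classifies each file by its PEM BEGIN label, so a private key referenced as cacerts is flagged whatever the file is called. The function names and the file contents are assumptions constructed for the demo; the paths are the ones from the original post.

```python
import re

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
# Block kind each [[ssl]] option from the thread should point at.
EXPECTED = {"cacerts": "certificate", "cert": "certificate", "key": "private key"}

def pem_kinds(text):
    """Classify every PEM block in text by its BEGIN label."""
    kinds = set()
    for label in PEM_BEGIN.findall(text):
        if label.endswith("PRIVATE KEY"):      # RSA, EC, ENCRYPTED and PKCS#8 keys
            kinds.add("private key")
        elif label.endswith("CERTIFICATE"):    # CERTIFICATE, TRUSTED CERTIFICATE
            kinds.add("certificate")
        else:                                  # e.g. CERTIFICATE REQUEST, X509 CRL
            kinds.add(label.lower())
    return kinds

def ssl_paths(ini_text):
    """Pull the cacerts/key/cert paths out of hue.ini text; comments and headers are skipped."""
    paths = {}
    for line in ini_text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name.strip() in EXPECTED:
            paths[name.strip()] = value.strip()
    return paths

def audit(ini_text, read_pem):
    """Return findings; read_pem(path) returns file text (injected so the demo runs offline)."""
    findings = []
    for name, path in ssl_paths(ini_text).items():
        kinds = pem_kinds(read_pem(path))
        if EXPECTED[name] not in kinds:
            findings.append(f"{name}: {path} holds no {EXPECTED[name]}")
        if name != "key" and "private key" in kinds:
            findings.append(f"{name}: {path} contains a private key")
    return findings

# hue.ini values from the original post; file contents are constructed placeholders.
HUE_INI = """[[SSL]]
enabled=true
cacerts=/etc/hue/privatekey.pem
key=/etc/hue/hue_private_keystore.pem
cert=/etc/hue/hivecetificate.pem
"""
KEY = "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n"
CRT = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
FILES = {"/etc/hue/privatekey.pem": KEY,
         "/etc/hue/hue_private_keystore.pem": KEY,
         "/etc/hue/hivecetificate.pem": CRT}

if __name__ == "__main__":
    print("\n".join(audit(HUE_INI, FILES.__getitem__)))
```

Against real files, pass `lambda p: open(p).read()` as `read_pem`. A clean result only shows that each file holds the right kind of PEM block, not that the CA in cacerts actually issued the HiveServer2 certificate.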
