Support Questions

Find answers, ask questions, and share your expertise

Hue RestException: bad handshake - certificate verify failed

avatar
Contributor

Could anyone please let me know , how could i resolve the below error

 

[23/Apr/2018 11:10:05 -0700] conf ERROR failed to get oozie status
Traceback (most recent call last):
File "/opt/cloudera/parcels/CDH-5.8.2-1.cdh5.8.2.p0.3/lib/hue/desktop/libs/liboozie/src/liboozie/conf.py", line 61, in get_oozie_status
status = str(get_oozie(user).get_oozie_status())
File "/opt/cloudera/parcels/CDH-5.8.2-1.cdh5.8.2.p0.3/lib/hue/desktop/libs/liboozie/src/liboozie/oozie_api.py", line 325, in get_oozie_status
resp = self._root.get('admin/status', params)
File "/opt/cloudera/parcels/CDH-5.8.2-1.cdh5.8.2.p0.3/lib/hue/desktop/core/src/desktop/lib/rest/resource.py", line 98, in get
return self.invoke("GET", relpath, params, headers=headers, allow_redirects=True)
File "/opt/cloudera/parcels/CDH-5.8.2-1.cdh5.8.2.p0.3/lib/hue/desktop/core/src/desktop/lib/rest/resource.py", line 79, in invoke
urlencode=self._urlencode)
File "/opt/cloudera/parcels/CDH-5.8.2-1.cdh5.8.2.p0.3/lib/hue/desktop/core/src/desktop/lib/rest/http_client.py", line 170, in execute
raise self._exc_class(ex)
RestException: bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)

7 REPLIES 7

avatar

did you get this issue resolved? I am having the same problem too

avatar
Contributor
Hi @BiggieSmalls

Yes , i did happen to got the issue resolved , it's been quite an while ago , let me get back to you on monday

avatar

Sure. That would help. thanks

avatar
Guru

Hi @BiggieSmalls ,

 

The error message:

Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)

usually means Hue is not setup with the certificate correctly.

 

Can you please follow this documentation to set up the Hue certificate and see if that helps?

https://www.cloudera.com/documentation/enterprise/6/latest/topics/cm_sg_ssl_hue.html#concept_vnj_lmd...

 

Thanks,

Li

Li Wang, Technical Solution Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Learn more about the Cloudera Community:

Terms of Service

Community Guidelines

How to use the forum

avatar
Master Guru

@BiggieSmalls,

 

Just to be sure, it would be good to share the stack trace from your incident to be sure it is exactly the same.

In the original post, the stack trace that Hue is attempting to issue a GET REST API call to Oozie to get its status.  When attempting a connection, the client (Hue) decides it cannot verify the server certificate that is presented by the Oozie Server.

 

By default, Hue will attempt to verify the certificate returned by the server to which it is trying to connect.  It looks to see if it trusts the signer, the hostname to which the connection was made is included in the certificate among other things.

 

In order to know what to suggest exactly in terms of determining the cause of the problem, we need to see the stack trace you are seeing that led you to determine you are seeing the same issue in the original post.

 

Thanks,

 

Ben

avatar

@bgooley  @lwang Do I have to follow the document to create hue store, when I already have a PEM file in place on the server.

I have given my Hue configuration in ClouderaManager as follows :

Hue TLS/SSL Server Certificate File (PEM Format)

 ssl_certifcate : Server.PEM

Hue TLS/SSL Server Private Key File (PEM Format) : Server.PEM
ssl_private_key

 

PEM file is valid for the server on which hue service is enabled and hue server is running on it.

 

This is what my hue error log shows :

[11/Jul/2019 11:19:28 -0700] wsgiserver ERROR SSL key and certificate could not be found or have a problem
Traceback (most recent call last):
File "/opt/cloudera/parcels/CDH-5.14.4-1.cdh5.14.4.p0.3/lib/hue/desktop/core/src/desktop/lib/wsgiserver.py", line 1701, in _bind
ctx.use_privatekey_file(self.ssl_private_key)
Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]
[11/Jul/2019 11:19:48 -0700] wsgiserver ERROR SSL key and certificate could not be found or have a problem
Traceback (most recent call last):
File "/opt/cloudera/parcels/CDH-5.14.4-1.cdh5.14.4.p0.3/lib/hue/desktop/core/src/desktop/lib/wsgiserver.py", line 1701, in _bind
ctx.use_privatekey_file(self.ssl_private_key)
Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]
[11/Jul/2019 11:20:11 -0700] wsgiserver ERROR SSL key and certificate could not be found or have a problem
Traceback (most recent call last):
File "/opt/cloudera/parcels/CDH-5.14.4-1.cdh5.14.4.p0.3/lib/hue/desktop/core/src/desktop/lib/wsgiserver.py", line 1701, in _bind
ctx.use_privatekey_file(self.ssl_private_key)
Error: [('PEM routines', 'PEM_read_bio', 'no start line'

 

 

Any idea why it shows this certificate error?

avatar
Master Guru

@BiggieSmalls,

 

The error you show indicates that the certificate and key files specified for Hue are not in the expected PEM format.

 

The key needs to have the key stored in base64 between:

-----BEGIN ENCRYPTED PRIVATE KEY-----

-----END ENCRYPTED PRIVATE KEY-----

 

The certificate file needs to have the certificate in base64 between:

 

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

 

The "no start line" error from openssl libraries is explaining that it cannot find any BEGIN line

 

make sure your ssl_certificate and ssl_private_key files contain the above text.