Hue doesn't send intermediate certificates during HTTPS session

Hi,

I've tried to implement HTTPS for the Hue web interface, but it works only in one half.

Hue doesn't send my Sub CA cert included in the 'ssl_cacerts' setting.

My certs hierarchy is as follows:

hue.my.domain.com - Signed by MySubCA - this is sent properly by Hue

MySubCA - Signed by MyCorporateCA - this is not being sent by Hue

MyCorporateCA - Trusted cert, included in every corporate station - this does not need to be sent by Hue

I was including MySubCA in hue.my.domain.cert (once at the beginning of the PEM file, once at the end) - it did not work - only the hue.my.domain.com cert was sent, or an error was raised.

Then I left only the my.domain.com cert in this PEM file, inserted the MySubCA cert into another PEM file and placed its path in the CM Hue Server Configuration (Security) in the ssl_cacerts parameter. But this also didn't help.

How can I make the ssl_cacerts Hue configuration parameter be respected by Hue?

Best Regards

ACCEPTED SOLUTION

Together with my colleague we've managed to solve the problem.

After digging through the Hue sources he discovered an undocumented option for SSL cert chains:

ssl_certificate_chain

We edited "Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini" of the Hue configuration in CM and added:

[desktop]
ssl_certificate_chain=/path/to/certs/myDomainCert.IntermediateCert.pem

The certificate chain MUST have the hue.my.domain.com cert at the top of the PEM file and MySubCA after it, despite a proper set of

ssl_certificate=/path/to/certs/myDomainCert.pem

ssl_private_key=/path/to/certs/myDomainCert.key

https://www.digicert.com/ssl-support/pem-ssl-creation.htm

I did not put MyCorporateCA there because it is already on every corporate computer and browsers read it properly.

Does anyone know where the error log for the runcherryPy server for Hue in CDH 5.7 is?
In CDH 5.6 and earlier it was in runchserver.out, and from CDH 5.7 it is gone 😕
I see some errors there regarding this SSL issue, but in an earlier CDH than I have now.


I found this very helpful post during my task to enable TLS with our corporate CA and had the same problem.

To make it a little more complicated, we have the Hue Load Balancer enabled in addition to the normal Hue server.

With the load balancer, an Apache web server is put in front of the CherryPy web server.

So the configuration for the intermediate certificate has to be put in the httpd.conf of the load balancer's Apache.

This can be done with Cloudera Manager with the
Load Balancer Advanced Configuration Snippet (Safety Valve) for httpd.conf entry of the Hue load balancer configuration.
Just add the following line:
SSLCertificateChainFile /path/to/intermediate.crt
It will be added right next to the SSL certificate configuration that can be done via the normal configuration fields of the load balancer.

As in Isegrim's post, the certificate must follow the rules for a PEM file; in fact, the same file can be used by both web servers.
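Both answers above hinge on the PEM file being ordered server cert first, then the issuing Sub CA. The following is an added example, not code from the thread, from Hue or from Cloudera: a POSIX shell function that checks a PEM bundle for that order using the openssl CLI (each certificate's issuer must equal the subject of the certificate after it), plus a fixture that builds a throwaway three-level PKI with constructed names taken from the thread (MyCorporateCA, MySubCA, hue.my.domain.com) so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread or from Hue/Cloudera. Checks that a PEM
# bundle is ordered leaf -> issuer -> ..., the order ssl_certificate_chain (and
# a concatenated Apache chain file) needs. Requires the openssl CLI.
set -eu

# Print the n-th certificate (1-based) of a PEM bundle.
pem_nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1"
}

# Return 0 when every certificate in the bundle is issued by the one after it.
# The last certificate's issuer (the root, e.g. MyCorporateCA) is expected to
# live in the clients' trust store, not in the file, so it is not checked.
# Usage: pem_chain_order_ok /path/to/certs/myDomainCert.IntermediateCert.pem
pem_chain_order_ok() {
    bundle=$1
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "$count" -ge 1 ] || return 1
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(pem_nth_cert "$bundle" "$i" | openssl x509 -noout -issuer)
        subject=$(pem_nth_cert "$bundle" "$((i + 1))" | openssl x509 -noout -subject)
        # Strip the "issuer=" / "subject=" prefixes so the names compare directly.
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Test fixture only: build a constructed root -> sub CA -> server chain in
# directory $1, writing chain.pem (correct order) and wrong.pem (reversed).
make_test_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=MyCorporateCA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=MySubCA' \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=hue.my.domain.com' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/sub.pem" > "$d/chain.pem"   # the order Hue needs
    cat "$d/sub.pem" "$d/leaf.pem" > "$d/wrong.pem"   # the order that failed
}
```

To confirm what a running server actually presents, the same ordering check can be applied to the certificates printed by `openssl s_client -connect hue.my.domain.com:443 -showcerts`.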