
Hue doesn't send intermediate certificates during HTTPS session

Rising Star

Hi,

 

I've tried to implement HTTPS for the Hue web interface, but it only half works.

Hue doesn't send my Sub CA cert included in the 'ssl_cacerts' setting.

My cert hierarchy is as follows:

hue.my.domain.com - Signed by MySubCA - this is sent properly by Hue

MySubCA - Signed by MyCorporateCA - this is not being sent by Hue

MyCorporateCA - Trusted cert, included in every corporate station. - this does not need to be sent by Hue

 

I included MySubCA in hue.my.domain.cert (once at the beginning of the PEM file, once at the end) - it did not work - only the hue.my.domain.com cert was sent or an error was raised.

Then I left only the my.domain.com cert in this PEM file, put the MySubCA cert into another PEM file, and placed its path in the ssl_cacerts parameter in CM HueServer Configuration (Security). But this also didn't help.

 

How can I make Hue respect the ssl_cacerts configuration parameter?

 

Best Regards

 

 

 

3 REPLIES

Rising Star

Does anyone know where the error log for the runcherryPy server for Hue is in CDH 5.7?
In CDH 5.6 and earlier it was in runchserver.out, and from CDH 5.7 it is gone 😕
I see some errors there regarding this SSL issue, but in an earlier CDH than I have now.

Explorer

I found this very helpful post during my task to enable TLS with our corporate CA and had the same problem.

To make it a little more complicated, we have the Hue Load Balancer enabled in addition to the normal Hue server.

With the load balancer, an Apache web server is put in front of the CherryPy web server.

So the configuration for the intermediate certificate has to be put in the httpd.conf of the load balancer's Apache.

This can be done in Cloudera Manager with the Load Balancer Advanced Configuration Snippet (Safety Valve) for httpd.conf entry of the Hue load balancer configuration.
Just add the following line:
SSLCertificateChainFile /path/to/intermediate.crt
It will be added right next to the SSL certificate configuration that can be done via the normal configuration fields of the load balancer.

As in Isegrim's post, the certificate must follow the rules for a PEM file; in fact, the same file can be used by both web servers.
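
One way to confirm from a client whether the intermediate is actually being sent, as an added example that is not part of any post in this thread: the Python below parses the "Certificate chain" section printed by `openssl s_client -connect <host>:<port> -showcerts`. The sample output is constructed from the names in the question, and the function names `parse_chain` and `check_chain` are hypothetical.

```python
import re

# Constructed `openssl s_client -showcerts` output (PEM bodies trimmed),
# using the certificate names from the question above.
LEAF_ONLY = """Certificate chain
 0 s:CN = hue.my.domain.com
   i:CN = MySubCA
---
"""
WITH_INTERMEDIATE = """Certificate chain
 0 s:CN = hue.my.domain.com
   i:CN = MySubCA
 1 s:CN = MySubCA
   i:CN = MyCorporateCA
---
"""


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, in_chain = [], None, False
    for line in text.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # end of the chain section
        elif in_chain:
            s = re.match(r"\s*\d+ s:(.*)", line)
            i = re.match(r"\s+i:(.*)", line)
            if s:
                subject = s.group(1).strip()
            elif i and subject is not None:
                chain.append((subject, i.group(1).strip()))
                subject = None
    return chain


def check_chain(text, trusted_roots):
    """Name-level check only (no signature verification): (ok, message)."""
    chain = parse_chain(text)
    if not chain:
        return False, "no certificates sent"
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False, f"out of order: expected '{issuer}', got '{next_subject}'"
    last_issuer = chain[-1][1]
    if last_issuer in trusted_roots:
        return True, f"{len(chain)} certificate(s) sent, chain ends at '{last_issuer}'"
    return False, f"incomplete: certificate for '{last_issuer}' was not sent"
```

Pass the set of issuer names the client stations already trust as `trusted_roots`, for example `{"CN = MyCorporateCA"}`; the leaf-only sample then reports that the MySubCA certificate was not sent.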