Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Hue don't sends intermediate certificates during https session

Solved Go to solution

Hue don't sends intermediate certificates during https session

Contributor

Hi,

 

I've tried to implement https for Hue web interface, but it works only in one half.

Hue don't sends my Sub CA cert included in 'ssl_cacerts' setting.

My certs chierarchy is as follows:

hue.my.domain.com - Signed by MySubCA - this is sent properly by Hue

MySubCA - Signed by MyCorporateCA - this is not being send by Hue

MyCorporateCA - Trusted cert, included in every corporate station. - this does not need to be sent by Hue

 

MySubCA I was including in hue.my.domain.cert (once at the beginning of PEM file, once at the end) - it did not work - only hue.my.domain.com cert was sent or error was raised.

Then I've left only my.domain.com cert in this PEM file and inserted MySubCA cert into another PEM file and placed it's path in CM HueServer Configuration (Security) in ssl_cacerts parameter. But this also didn't help.

 

How to make ssl_cacerts Hue configuration parameter to be respected by Hue?

 

Best Regards

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Hue don't sends intermediate certificates during https session

Contributor

Together with my collegue we've manage to solve the problem.

After diging Hue sources he has discovered undocumented option for ssl cert chains:

ssl_certificate_chain

 

We have edited "Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini" of Hue configuration in CM and added:

[desktop]
ssl_certificate_chain=/path/to/certs/myDomainCert.IntermediateCert.pem

 

The certificate chain MUST have at the top of pem file hue.my.domain.com cert and after this MySubCA, despite proper set of

ssl_certificate=/path/to/certs/myDomainCert.pem

ssl_private_key=/path/to/certs/myDomainCert.key

 

https://www.digicert.com/ssl-support/pem-ssl-creation.htm

 

 

I did not put there MyCorporateCA  because it is already in every corporate computer and browser properly read it.

 

 

3 REPLIES 3

Re: Hue don't sends intermediate certificates during https session

Contributor

Does anyone know where is error log for runcherryPy server for Hue in CDH 5.7 ?
in CDH 5.6 and earlier it was in runchserver.out and from CDH 5.7 it is gone :/
I see some errors there regarding this ssl issue, but in earlier CDH then I have now.

Re: Hue don't sends intermediate certificates during https session

Contributor

Together with my collegue we've manage to solve the problem.

After diging Hue sources he has discovered undocumented option for ssl cert chains:

ssl_certificate_chain

 

We have edited "Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini" of Hue configuration in CM and added:

[desktop]
ssl_certificate_chain=/path/to/certs/myDomainCert.IntermediateCert.pem

 

The certificate chain MUST have at the top of pem file hue.my.domain.com cert and after this MySubCA, despite proper set of

ssl_certificate=/path/to/certs/myDomainCert.pem

ssl_private_key=/path/to/certs/myDomainCert.key

 

https://www.digicert.com/ssl-support/pem-ssl-creation.htm

 

 

I did not put there MyCorporateCA  because it is already in every corporate computer and browser properly read it.

 

 

Highlighted

Re: Hue don't sends intermediate certificates during https session

New Contributor

I found this very helpful post during my task to enable TLS with our corporate CA and had the same problem.

To make it a little more complicated, we have the Hue Load Balancer enabled additional to the normal Hue server.

With the load balancer, an apache webserver is put in front of the cherrypi webserver.

So the configuration for the intermediate certificate has to be put in the httpd.conf of the loadbalancers apache.

 

This can be done with Cloudera Manager with the

Load Balancer Advanced Configuration Snippet (Safety Valve) for httpd.conf entry of the Hue load balancer configuration.
Just add the following line:
SSLCertificateChainFile /path/to/intermediate.crt
It will be added right next to the SSL certificate configuration that could be done via the normal configuraiton fields of the load balancer.
 
As with in Isegrims post, the certificate must follow the rules for a PEM file, in fact, the same file can be used by both webservers.