08-12-2016 04:35 AM
I've tried to implement https for Hue web interface, but it works only in one half.
Hue don't sends my Sub CA cert included in 'ssl_cacerts' setting.
My certs chierarchy is as follows:
hue.my.domain.com - Signed by MySubCA - this is sent properly by Hue
MySubCA - Signed by MyCorporateCA - this is not being send by Hue
MyCorporateCA - Trusted cert, included in every corporate station. - this does not need to be sent by Hue
MySubCA I was including in hue.my.domain.cert (once at the beginning of PEM file, once at the end) - it did not work - only hue.my.domain.com cert was sent or error was raised.
Then I've left only my.domain.com cert in this PEM file and inserted MySubCA cert into another PEM file and placed it's path in CM HueServer Configuration (Security) in ssl_cacerts parameter. But this also didn't help.
How to make ssl_cacerts Hue configuration parameter to be respected by Hue?
09-01-2016 03:03 AM - edited 09-01-2016 03:04 AM
Does anyone know where is error log for runcherryPy server for Hue in CDH 5.7 ?
in CDH 5.6 and earlier it was in runchserver.out and from CDH 5.7 it is gone :/
I see some errors there regarding this ssl issue, but in earlier CDH then I have now.
09-01-2016 08:40 AM
Together with my collegue we've manage to solve the problem.
After diging Hue sources he has discovered undocumented option for ssl cert chains:
We have edited "Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini" of Hue configuration in CM and added:
The certificate chain MUST have at the top of pem file hue.my.domain.com cert and after this MySubCA, despite proper set of
I did not put there MyCorporateCA because it is already in every corporate computer and browser properly read it.
02-26-2018 09:03 AM
I found this very helpful post during my task to enable TLS with our corporate CA and had the same problem.
To make it a little more complicated, we have the Hue Load Balancer enabled additional to the normal Hue server.
With the load balancer, an apache webserver is put in front of the cherrypi webserver.
So the configuration for the intermediate certificate has to be put in the httpd.conf of the loadbalancers apache.
This can be done with Cloudera Manager with the
SSLCertificateChainFile /path/to/intermediate.crtIt will be added right next to the SSL certificate configuration that could be done via the normal configuraiton fields of the load balancer.