Posts: 34
Registered: ‎01-11-2016
Accepted Solution

Hue doesn't send intermediate certificates during HTTPS session



I've tried to implement HTTPS for the Hue web interface, but it only half works.

Hue doesn't send my Sub CA cert included in the 'ssl_cacerts' setting.

My cert hierarchy is as follows: - Signed by MySubCA - this is sent properly by Hue

MySubCA - Signed by MyCorporateCA - this is not being sent by Hue

MyCorporateCA - Trusted cert, included in every corporate station. - this does not need to be sent by Hue


MySubCA I was including in (once at the beginning of PEM file, once at the end) - it did not work - only cert was sent or error was raised.

Then I left only cert in this PEM file, inserted the MySubCA cert into another PEM file and placed its path in CM HueServer Configuration (Security) in the ssl_cacerts parameter. But this also didn't help.


How can I make the ssl_cacerts Hue configuration parameter be respected by Hue?


Best Regards




Re: Hue doesn't send intermediate certificates during HTTPS session

Does anyone know where the error log for the runcherryPy server for Hue is in CDH 5.7?
In CDH 5.6 and earlier it was in runchserver.out, and from CDH 5.7 it is gone :/
I see some errors there regarding this SSL issue, but in an earlier CDH than I have now.

Re: Hue doesn't send intermediate certificates during HTTPS session

Together with my colleague we've managed to solve the problem.

After digging through the Hue sources he discovered an undocumented option for SSL cert chains:



We have edited "Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini" of Hue configuration in CM and added:



The certificate chain MUST have at the top of pem file cert and after this MySubCA, despite proper set of





I did not put MyCorporateCA there because it is already on every corporate computer and the browser reads it properly.



New Contributor
Posts: 4
Registered: ‎04-03-2017

Re: Hue doesn't send intermediate certificates during HTTPS session

I found this very helpful post during my task to enable TLS with our corporate CA and had the same problem.

To make it a little more complicated, we have the Hue Load Balancer enabled in addition to the normal Hue server.

With the load balancer, an Apache web server is put in front of the CherryPy web server.

So the configuration for the intermediate certificate has to be put in the httpd.conf of the load balancer's Apache.


This can be done with Cloudera Manager with the Load Balancer Advanced Configuration Snippet (Safety Valve) for httpd.conf entry of the Hue load balancer configuration.
Just add the following line:
SSLCertificateChainFile /path/to/intermediate.crt
It will be added right next to the SSL certificate configuration that can be done via the normal configuration fields of the load balancer.
As in Isegrim's post, the certificate must follow the rules for a PEM file; in fact, the same file can be used by both web servers.
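
Both solutions above depend on the chain file being in the right PEM order: the server certificate first, then MySubCA. The shell functions below are an added example, not part of the thread and not code from Hue or Cloudera Manager; they check that order with the openssl CLI. The function names, the host name hue.example.test and the throwaway certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a PEM bundle is ordered server cert first, then
# the CA that issued it, and so on up the chain.

# name_of <subject|issuer> <cert.pem>: print that distinguished name.
name_of() {
    openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed 's/^[a-z]*= *//'
}

# chain_order_ok <bundle.pem>: return 0 when the bundle holds at least two
# certificates and each one is issued by the certificate that follows it.
chain_order_ok() {
    dir=$(mktemp -d) || return 1
    # Split the bundle into one numbered file per certificate block.
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", d, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
    prev="" count=0 rc=0
    for c in "$dir"/*.pem; do
        [ -e "$c" ] || break
        count=$((count + 1))
        if [ -n "$prev" ] &&
           [ "$(name_of issuer "$prev")" != "$(name_of subject "$c")" ]; then
            rc=1
        fi
        prev=$c
    done
    [ "$count" -ge 2 ] || rc=1
    rm -rf "$dir"
    return "$rc"
}

# make_demo_chain <dir>: constructed throwaway certificates named after the
# thread's hierarchy. The demo MySubCA is not marked CA:TRUE, which is enough
# for a name-order check but not for real path validation.
make_demo_chain() (
    cd "$1" || exit 1
    exec >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=MyCorporateCA" \
        -keyout corp.key -out corp.pem &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=MySubCA" \
        -keyout sub.key -out sub.csr &&
    openssl x509 -req -in sub.csr -CA corp.pem -CAkey corp.key \
        -CAcreateserial -days 1 -out sub.pem &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=hue.example.test" \
        -keyout leaf.key -out leaf.csr &&
    openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key \
        -CAcreateserial -days 1 -out leaf.pem
)
```

Run `chain_order_ok` against the real chain file before pointing either web server at it; a bundle with MySubCA first, or with only the server certificate, returns non-zero.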