Title
Create new category
Edit page index title
Edit category
Edit link
Configure SSL for Hue Using a PKCS12 Certificate on ODP
This article explains how to enable SSL for Hue using a PKCS12 (.p12) certificate file.
Use this procedure when Hue is accessible over HTTP and you want to enable HTTPS access.
Symptoms
After enabling SSL, Hue may fail to start or HTTPS access may not work.
Common causes include:
- Incorrect certificate configuration
- Missing certificate chain
- Invalid private key permissions
- Missing SSL password configuration
Prerequisites
Ensure you have:
- A valid PKCS12 certificate file (.p12)
- The certificate password
- Access to the Hue host
Extract the Certificate Files
Extract the private key
xxxxxxxxxxopenssl pkcs12 \-in /etc/hue/ssl/hue.p12 \-nocerts -nodes \-out /etc/hue/ssl/server.keySet permissions:
xxxxxxxxxxchmod 400 /etc/hue/ssl/server.keyExtract the server certificate
xxxxxxxxxxopenssl pkcs12 \-in /etc/hue/ssl/hue.p12 \-clcerts -nokeys \-out /etc/hue/ssl/server.crtSet permissions:
xxxxxxxxxxchmod 644 /etc/hue/ssl/server.crtExtract the certificate chain
xxxxxxxxxxopenssl pkcs12 \-in /etc/hue/ssl/hue.p12 \-cacerts -nokeys -chain \-out /etc/hue/ssl/chain.pemSet permissions:
xxxxxxxxxxchmod 644 /etc/hue/ssl/chain.pemCreate the Full Certificate Chain
Combine the server certificate and certificate chain:
xxxxxxxxxxcat /etc/hue/ssl/server.crt \/etc/hue/ssl/chain.pem \> /etc/hue/ssl/fullchain.crtSet permissions:
xxxxxxxxxxchmod 644 /etc/hue/ssl/fullchain.crtConfigure Hue SSL
Update the Hue SSL settings:
xxxxxxxxxxssl_certificate={{desktop_ssl_certificate}}ssl_private_key={{desktop_ssl_private_key}}ssl_certificate_chain={{desktop_ssl_certificate_chain}}ssl_password_script={{desktop_ssl_password_script}}Configure the corresponding values in Ambari.
Set File Ownership
xxxxxxxxxxchown -R hue:hue /opt/certschmod 750 /opt/certsEnsure:
xxxxxxxxxxserver.key 400server.crt 644chain.pem 644fullchain.crt 644Verify the Certificate
Verify the private key
xxxxxxxxxxopenssl rsa -in server.key -check -nooutVerify the key matches the certificate
xxxxxxxxxxopenssl x509 -noout -modulus -in server.crt | openssl md5 openssl rsa -noout -modulus -in server.key | openssl md5Both values should match.
Verify the certificate chain
xxxxxxxxxxopenssl verify -CAfile chain.pem fullchain.crtExpected output:
xxxxxxxxxxfullchain.crt: OKConfigure the SSL Password
If the private key is password protected:
- Configure the Hue SSL password in Ambari.
- Use the same password that was used to protect the private key.
Restart Hue
Restart the Hue service from Ambari.
After the restart completes, access Hue using:
xxxxxxxxxxhttps://<hue-host>:8888Validation
Verify:
- Hue starts successfully.
- HTTPS access works.
- Browser certificate warnings are not present.
- HDFS File Browser loads successfully.
Summary
To enable SSL for Hue:
- Extract the private key, server certificate, and certificate chain from the PKCS12 file.
- Create a full certificate chain file.
- Configure the SSL properties in Hue.
- Set correct file ownership and permissions.
- Configure the SSL password if the key is encrypted.
- Restart Hue and validate HTTPS access.
This procedure resolves most SSL enablement issues for Hue deployments using PKCS12 certificates.