CDSW Fails to Start | Error: failed to parse private key

asked Aug 19, 2017 by admin (4,410 points)
Summary
Cloudera's Data Science Workbench does not support encrypted private keys. If the private key is encrypted, CDSW will fail with the following error in the cdsw init output: fatal msg="Error preparing server: tls: failed to parse private key"
Symptoms
Cloudera's Data Science Workbench fails with the following error in the cdsw init output:
fatal msg="Error preparing server: tls: failed to parse private key"
Applies To
  • Cloudera's Data Science Workbench (CDSW)
Cause
Possible causes are:
  • The path to the private key is incorrect.
  • The private key is encrypted. (Note: CDSW does not support an encrypted private key.)
  • The private key is not related to the certificate public key (they do not share the same modulus).
  • The private key file does not have the correct permissions. 
Instructions
  1. Confirm that the path and name of the private key file are correct by comparing them to the TLS_KEY value in the cdsw.conf configuration file. Example:
    TLS_CERT="/lib/hue/cert.pem"
    TLS_KEY="/lib/hue/private.key"
  2. View the private key to see if it is encrypted. The following example output shows the key is encrypted (note the Proc-Type: 4,ENCRYPTED header).
    cat private.key
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,11556F53E4A2824A
    • If the private key is encrypted, use the following steps to remove the encryption:
      1. Make a backup of the private key file. Example:
        mv myprivate.key myprivate.key.encrypted
      2. Remove the encryption (you will be asked to enter the private key password). Example:
        openssl rsa -in myprivate.key.encrypted -out myprivate.key
  3. Check to see if the private key is the matching pair (of the public key in the certificate).
    1. Print and hash the private key modulus. Example:
      openssl rsa -in private.key -noout -modulus | openssl md5
      (stdin)= 7a8d72ed61bb4be3c1f59e4f0161c023
    2. Print and hash the public key modulus. Example:
      openssl x509 -in cert.pem -noout -modulus | openssl md5
      (stdin)= 7a8d72ed61bb4be3c1f59e4f0161c023
      If the two md5 hashes differ, the private key and the certificate are not a matching pair and will not work together. You must revoke the old certificate, regenerate a new private key and Certificate Signing Request (CSR), and then re-apply (re-submit) for a new certificate.
  4. Set read-only file permissions on the private key. Example:
    chmod 444 private.key
  5. Test the changes.
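
The checks from the steps above, collected into one shell function as an added example (not Cloudera's code and not part of the original article). The function names and return codes are this example's own; it assumes cdsw.conf uses the NAME="value" form shown in step 1 and an RSA key, and it compares the moduli directly rather than their md5 hashes.

```shell
#!/bin/sh
# Added example (not Cloudera code): pre-flight check of the key named in cdsw.conf.
# Return codes are this example's own: 0 ok, 1 path, 2 encrypted,
# 3 key/certificate mismatch, 4 permissions.

conf_value() {  # conf_value NAME FILE -> value of NAME="..." in FILE
    sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

check_tls_key() {  # check_tls_key path/to/cdsw.conf
    key=$(conf_value TLS_KEY "$1")
    cert=$(conf_value TLS_CERT "$1")

    # Cause: wrong path or file name in TLS_KEY.
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "TLS_KEY not found: ${key:-unset}" >&2; return 1
    fi
    # Cause: permissions. The key must be readable by the account running this.
    if [ ! -r "$key" ]; then
        echo "cannot read $key" >&2; return 4
    fi
    # Cause: encrypted key. Traditional PEM carries a Proc-Type header;
    # PKCS#8 uses its own BEGIN line instead.
    if grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        echo "$key is encrypted; CDSW cannot load it" >&2; return 2
    fi
    # Cause: key and certificate are not a pair. Compare the RSA moduli
    # directly (the steps above compare md5 hashes of the same output).
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    if [ -z "$key_mod" ] || [ "$key_mod" != "$cert_mod" ]; then
        echo "key and certificate moduli differ or could not be read" >&2; return 3
    fi
    # Read-only means no write bit for group or other; flag world-readable.
    mode=$(ls -ld "$key" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) echo "$key is writable by group/other ($mode)" >&2; return 4 ;;
        ???????r*) echo "note: $key is readable by every local account ($mode)" >&2 ;;
    esac
    return 0
}
```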
