Hue configured with External Authentication to LDAP fails on login | Peer's Certificate issuer is not recognized

asked Aug 28, 2017 in Hadoop by admin (4,410 points)
Summary

Applies To
Symptoms

When Hue is configured for External Authentication to LDAP with TLS enabled, attempts to log in to the Hue console result in this error in the runcpserver.log:

TLS error -8179:Peer's Certificate issuer is not recognized

Cause

Hue is using external authentication to LDAP with TLS enabled; however, the Truststore does not have a valid Root CA Certificate to validate the Server Certificate presented by the LDAP Server.

Some deployments may notice that the same Truststore works on CDH 5.5, but not on CDH 5.8, even though all configurations match and point to the same LDAP Server with TLS enabled. The reason for this is that there was a change in the underlying LDAP libraries that Hue uses from CDH 5.5 to CDH 5.8. In 5.5 the LDAP libraries were not honoring the configuration of "/etc/openldap/ldap.conf" and allowing access even if the certificates couldn't be validated. On 5.8, the libraries adhere to the rules of the ldap.conf. The default ldap.conf on CentOS/Red Hat requires that the cert can be validated.

Instructions

Obtain the Root CA certificate that signed the Server Certificate on the LDAP Server so that validation works.
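The following script is an added illustration, not part of the post above or of Hue: it builds a throwaway root CA and an LDAP server certificate signed by it, then checks that certificate against a trust store that lacks the issuing root (the situation in the Cause section) and against one that contains it. The hostname, CA names and the temporary files are constructed for the demo; only openssl is required.

```shell
#!/bin/sh
# Constructed demo: why a trust store without the LDAP server's issuing root CA
# fails validation, and why adding that root CA (TLS_CACERT in ldap.conf) fixes it.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# new_root_ca NAME BASENAME: self-signed root CA marked CA:TRUE (constructed).
new_root_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}
new_root_ca "Demo Root CA" ca          # the CA that actually signs the LDAP cert
new_root_ca "Unrelated Root CA" other  # a CA that is trusted but did not sign it

# LDAP server certificate issued by "Demo Root CA" (hostname is a placeholder).
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
  -subj "/CN=ldap.example.invalid" -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/ldap.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/ldap.crt" >/dev/null 2>&1

# verify_ldap_cert TRUSTSTORE CERT: prints "ok" when CERT chains to a root in
# TRUSTSTORE (a PEM bundle, like the file TLS_CACERT points at), else "untrusted".
# -no-CApath keeps the system CA directory out of the check, as a strict client would.
verify_ldap_cert() {
  if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

verify_ldap_cert "$WORK/other.crt" "$WORK/ldap.crt"  # untrusted: issuer not recognized
verify_ldap_cert "$WORK/ca.crt" "$WORK/ldap.crt"     # ok: root CA present in trust store
```

The same distinction applies to the bundle Hue's LDAP client reads: the fix is to append the real LDAP server's issuing root CA to that bundle, not to relax certificate checking.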
