Hue is using external authentication to LDAP with TLS enabled, however the Truststore does not have a valid Root CA Certificate to validate the Server Certificate presented by the LDAP Server.
Some deployments may notice that the same Truststore works on CDH 5.5, but not on CDH 5.8, even though all configurations match and point to the same LDAP Server with TLS enabled. The reason for this is that there was a change in the underlying LDAP libraries that Hue uses from CDH 5.5 to CDH 5.8. In 5.5 the LDAP libraries were not honoring the configuration of "/etc/openldap/ldap.conf" and allowing access even if the certificates couldn't be validated. On 5.8, the libraries adhere to the rules of the ldap.conf. The default ldap.conf on CentOS/Redhat requires that the cert can be validated.