Troubleshooting TLS/SSL Errors
This section describes some common issues with TLS configuration on Cloudera Data Science Workbench. Common errors include.
- Cloudera Data Science Workbench initialisation fails with an
error such
as:
Error preparing server: tls: failed to parse private key
- Your browser reports that the Cloudera Data Science Workbench web application is not secure even though you have enabled TLS settings as per Enabling TLS/SSL for Cloudera Data Science Workbench.
Possible Causes and Solutions
-
Certificate does not include the wildcard domain -
Confirm that the TLS certificate issued by your CA lists both, the
Cloudera Data Science Workbench domain, as well as a wildcard for
all first-level subdomains. For example, if your Cloudera Data
Science Workbench domain is
cdsw.company.com
, then the TLS certificate must include bothcdsw.company.com
and*.cdsw.company.com
. -
Path to the private key and/or certificate is incorrect -
Confirm that the path to the private key file is correct by
comparing the path and file name to the values for
TLS_KEY
and/orTLS_CERT
incdsw.conf
or Cloudera Manager. For example:TLS_CERT="/path/to/cert.pem" TLS_KEY="/path/to/private.key"
-
Private key file does not have the right permissions -
The private key file must have read-only permissions. Set it as
follows:
chmod 444 private.key
-
Private key is encrypted - Cloudera Data Science
Workbench does not support encrypted private keys. Check to see if
your private key is
encrypted:
cat private.key
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,11556F53E4A2824A
If the private key is encrypted as shown above, use the following steps to decrypt it:- Make a backup of the private key file.
mv private.key private.key.encrypted
- Decrypt the backup private key and save the file to
private.key
. You will be asked to enter the private key password.openssl rsa -in private.key.encrypted -out private.key
- Make a backup of the private key file.
-
Private key and certificate are not related - Check to
see if the private key matches the public key in the
certificate.
- Print a hash of the private key modulus.
openssl rsa -in private.key -noout -modulus | openssl md5
(stdin)= 7a8d72ed61bb4be3c1f59e4f0161c023
- Print a hash of the public key modulus.
openssl x509 -in cert.pem -noout -modulus | openssl md5
If the(stdin)= 7a8d72ed61bb4be3c1f59e4f0161c023
md5
hash output of both keys is different, they are not related to each other, and will not work. You must revoke the old certificate, regenerate a new private key and Certificate Signing Request (CSR), and then apply for a new certificate.
- Print a hash of the private key modulus.