You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "Andrew Price (Jira)" <ji...@apache.org> on 2023/09/25 16:24:00 UTC

[jira] [Created] (NIFI-12125) nifi.security.autoreload.enabled does not trigger reload of SSLContext for cluster ServerSocket

Andrew Price created NIFI-12125:
-----------------------------------

             Summary: nifi.security.autoreload.enabled does not trigger reload of SSLContext for cluster ServerSocket
                 Key: NIFI-12125
                 URL: https://issues.apache.org/jira/browse/NIFI-12125
             Project: Apache NiFi
          Issue Type: Bug
          Components: Security
    Affects Versions: 1.23.2
         Environment: EKS Kube 1.27 
            Reporter: Andrew Price


Running Nifi 1.23 as a containerized cluster on EKS with 'nifi.cluster.protocol.is.secure' set to true. Certificates are provisioned to Nifi keystores using mounted Kube Secrets, periodically copied from secret mount to keystore paths using sidecar container (avoiding NIFI-10245).

Upon certificate expiration and renewal (with nifi.security.autoreload.enabled 'true'), Jetty server detects new certificates and refreshes its SSLContext as expected.

However, cluster heartbeats (and potentially other cluster protocol messages) begin to fail upon certificate expiration due SSL validation failures.  Debugging of heartbeat events shows that nodes are sending heartbeats using an updated SSL context, but cluster SocketProtocolListener and underlying SocketListener continues to use stale SSLContext on an existing ServerSocket.

It may be required for the ServerSocket used by SocketProtocolListener to be closed/recreated in order to refresh the underlying SSLContext, in order to provide the same behaviour nifi.security.autoreload.enabled provides for the HTTPS interface.

  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)