You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "Andrew Price (Jira)" <ji...@apache.org> on 2023/09/25 16:24:00 UTC
[jira] [Created] (NIFI-12125) nifi.security.autoreload.enabled does not trigger reload of SSLContext for cluster ServerSocket
Andrew Price created NIFI-12125:
-----------------------------------
Summary: nifi.security.autoreload.enabled does not trigger reload of SSLContext for cluster ServerSocket
Key: NIFI-12125
URL: https://issues.apache.org/jira/browse/NIFI-12125
Project: Apache NiFi
Issue Type: Bug
Components: Security
Affects Versions: 1.23.2
Environment: EKS Kube 1.27
Reporter: Andrew Price
Running Nifi 1.23 as a containerized cluster on EKS with 'nifi.cluster.protocol.is.secure' set to true. Certificates are provisioned to Nifi keystores using mounted Kube Secrets, periodically copied from secret mount to keystore paths using sidecar container (avoiding NIFI-10245).
Upon certificate expiration and renewal (with nifi.security.autoreload.enabled 'true'), Jetty server detects new certificates and refreshes its SSLContext as expected.
However, cluster heartbeats (and potentially other cluster protocol messages) begin to fail upon certificate expiration due SSL validation failures. Debugging of heartbeat events shows that nodes are sending heartbeats using an updated SSL context, but cluster SocketProtocolListener and underlying SocketListener continues to use stale SSLContext on an existing ServerSocket.
It may be required for the ServerSocket used by SocketProtocolListener to be closed/recreated in order to refresh the underlying SSLContext, in order to provide the same behaviour nifi.security.autoreload.enabled provides for the HTTPS interface.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)