You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "Pierre Villard (Jira)" <ji...@apache.org> on 2020/08/21 09:27:00 UTC

[jira] [Commented] (NIFI-7756) NIFI 1.12.0 doesn't work with wildcard certificates

    [ https://issues.apache.org/jira/browse/NIFI-7756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17181747#comment-17181747 ] 

Pierre Villard commented on NIFI-7756:
--------------------------------------

Our documentation is clear about not supporting wildcard certificates:

 
{noformat}
Wildcard certificates (i.e. two nodes node1.nifi.apache.org and node2.nifi.apache.org being assigned the same certificate with a CN or SAN entry of *.nifi.apache.org) are not officially supported and not recommended. There are numerous disadvantages to using wildcard certificates, and a cluster working with wildcard certificates has occurred in previous versions out of lucky accidents, not intentional support. Wildcard SAN entries are acceptable if each cert maintains an additional unique SAN entry and CN entry.
{noformat}
Otherwise I think this duplicates NIFI-7730

 

> NIFI 1.12.0 doesn't work with wildcard certificates
> ---------------------------------------------------
>
>                 Key: NIFI-7756
>                 URL: https://issues.apache.org/jira/browse/NIFI-7756
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Heinz Mayer
>            Priority: Major
>
> After Upgrade to NIFI 1.12.0, NIFI doesn't start anymore
> The same keystore works with NIFI 1.11.4
> {code:java}
> 2020-08-21 07:52:21,462 INFO [main] o.e.jetty.util.ssl.SslContextFactory x509=X509@2559c968(tomcat,h=[mic.co.at],w=[mic.co.at]) for SslContextFactory@37f3a1a0[provider=null,keyStore=file:///opt/nifi/conf/keystore.jks,trustStore=file:///opt/nifi/conf/keystore.jks]2020-08-21 07:52:21,462 INFO [main] o.e.jetty.util.ssl.SslContextFactory x509=X509@2559c968(tomcat,h=[mic.co.at],w=[mic.co.at]) for SslContextFactory@37f3a1a0[provider=null,keyStore=file:///opt/nifi/conf/keystore.jks,trustStore=file:///opt/nifi/conf/keystore.jks]2020-08-21 07:52:21,469 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead) at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275) at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256) at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374) at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320) at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) at org.eclipse.jetty.server.Server.doStart(Server.java:385) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1058) at org.apache.nifi.NiFi.<init>(NiFi.java:158) at org.apache.nifi.NiFi.<init>(NiFi.java:72) at org.apache.nifi.NiFi.main(NiFi.java:301) {code}
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)