Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2019/04/05 16:36:34 UTC
[GitHub] [nifi] AnthonyMastrean edited a comment on issue #3266: NIFI-5955 add a Docker HEALTHCHECK
URL: https://github.com/apache/nifi/pull/3266#issuecomment-480341526
OK, I'm back at it. I know where to find the keystore/truststore passwords. So, I'm trying this command again:
```
PS> docker run --name nifi `
-v "$($pwd)/.nifi/localhost:/opt/certs" `
-p 8443:8443 `
-e AUTH=tls `
-e KEYSTORE_PATH=/opt/certs/keystore.jks `
-e KEYSTORE_TYPE=JKS `
-e KEYSTORE_PASSWORD='...' `
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks `
-e TRUSTSTORE_TYPE=JKS `
-e TRUSTSTORE_PASSWORD='...' `
-e INITIAL_ADMIN_IDENTITY='CN=admin,OU=NIFI' `
-d `
apache/nifi:1.8.0
```
But I can't get a website at https://localhost:8443/nifi
> This site can’t provide a secure connection
>
> localhost didn’t accept your login certificate, or one may not have been provided.
>
> Try contacting the system admin.
>
> ERR_BAD_SSL_CLIENT_AUTH_CERT
And if I reload now, it says:
> This site can’t be reached
>
> localhost refused to connect.
>
> Try:
>
> - Checking the connection
> - Checking the proxy and the firewall
>
> ERR_CONNECTION_REFUSED
The last bit of the log seems to indicate everything is OK (I don't see anything else suspicious or relevant, but I could post the whole log if needed).
```
2019-04-05 16:25:47,327 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:
2019-04-05 16:25:47,328 INFO [main] org.apache.nifi.web.server.JettyServer https://5701ad67d3e6:8443/nifi
2019-04-05 16:25:47,328 INFO [main] org.apache.nifi.BootstrapListener Successfully initiated communication with Bootstrap
2019-04-05 16:25:47,328 INFO [main] org.apache.nifi.NiFi Controller initialization took 12381541900 nanoseconds (12 seconds).
```
Am I passing the initial admin identity correctly? I completely invented that CN user thing... does that need to be "real" in some way? Remember, I created the certs with this command:
```
PS> docker run --rm -v "$($pwd)/.nifi:/nifi" --entrypoint /opt/nifi/nifi-toolkit-current/bin/tls-toolkit.sh apache/nifi:1.8.0 standalone -n localhost -C 'CN=admin,OU=NIFI' -O -o /nifi
```
I also noticed that the default `nifi.properties` file has some odd values vs. what I'm providing in the Docker command. Do I need to manually correct those?
This is the wrong HTTPS port; it should be `8443`, right?
```
# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=
nifi.web.https.host=localhost
nifi.web.https.port=9443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=
nifi.web.proxy.host=
```
And these keystore/truststore paths are incorrect; they should be `/opt/certs/{key|trust}store.jks`, right?
```
# security properties #
nifi.sensitive.props.key=
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=
nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=QoQfB2QyRuspRj50pDqsJUIVDanEPrDpniXqndpTNOg
nifi.security.keyPasswd=QoQfB2QyRuspRj50pDqsJUIVDanEPrDpniXqndpTNOg
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=I9S8VZGuSjhTSiX7imaYbmEOIXrURMpN+gD2aN8+yV0
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
```