Posted to users@nifi.apache.org by Mike Thomsen <mi...@gmail.com> on 2018/07/03 11:00:11 UTC
Re: GUI not coming up with secured NiFi[1.7.0] cluster
I think that "*." is what is confusing it. It's looking for a host whose
hostname/dns entry starts with *. and AFAIK that's not going to happen.
On Tue, Jul 3, 2018 at 6:48 AM V, Prashanth (Nokia - IN/Bangalore) <
prashanth.v@nokia.com> wrote:
> Team,
>
>
>
> NiFi secured cluster throws the below error with a wildcarded self-signed
> standalone certificate. Just a brief background: we are deploying NiFi in
> Kubernetes, where we have to use wildcarded certificates. Till NiFi 1.6.0,
> it was working fine.
>
> Also, I tried bringing up NiFi in a Linux VM in secured cluster mode with
> wildcarded certs; I am getting the same error.
>
>
>
> *Toolkit command to generate certs:*
>
> bin/tls-toolkit.sh standalone -n '*.mynifi-nifi-headless.default.svc.cluster.local' -C 'CN=admin, OU=NIFI' -o <targetfolder>
>
>
>
> *Logs:*
>
> 2018-07-02 12:40:32,369 WARN [Replicate Request Thread-1] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local:8443 due to javax.net.ssl.SSLPeerUnverifiedException: Hostname mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
>     certificate: sha256/########################################
>     DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
>     subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
> 2018-07-02 12:40:32,370 WARN [Replicate Request Thread-1] o.a.n.c.c.h.r.ThreadPoolRequestReplicator
> javax.net.ssl.SSLPeerUnverifiedException: Hostname mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
>     certificate: sha256/########################################
>     DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
>     subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
>     at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:316)
>
>
>
> Please help me in resolving this.
>
>
>
> *Note*: The same certificates are working for single mode setup.
>
>
>
> Thanks & Regards,
>
> Prashanth
>
>
>
RE: GUI not coming up with secured NiFi[1.7.0] cluster
Posted by "V, Prashanth (Nokia - IN/Bangalore)" <pr...@nokia.com>.
Mike,
Till NiFi 1.6.0, the wildcarded certificate was working. Is there any workaround to resolve this issue?
This error is happening during cluster replication of requests, which was recently included, I believe. What is happening during cluster request replication?
Note: We need to use wildcarded certificates for Kubernetes, as I mentioned earlier.
Thanks & Regards,
Prashanth