Posted to users@nifi.apache.org by Mike Thomsen <mi...@gmail.com> on 2018/07/03 11:00:11 UTC

Re: GUI not coming up with secured NiFi[1.7.0] cluster

I think that "*." is what is confusing it. It's looking for a host whose
hostname/dns entry starts with *. and AFAIK that's not going to happen.

On Tue, Jul 3, 2018 at 6:48 AM V, Prashanth (Nokia - IN/Bangalore) <
prashanth.v@nokia.com> wrote:

> Team,
>
>
>
> NiFi secured cluster throws the below error with a wildcarded self-signed
> standalone certificate. Just a brief background, we are deploying NiFi in
> Kubernetes where we have to use wildcarded certificates. Till NiFi 1.6.0,
> it was working fine.
>
> Also I tried bringing up NiFi in a Linux VM in secured cluster mode with
> wildcarded certs, I am getting the same error.
>
>
>
> *Toolkit command to generate certs:*
>
> bin/tls-toolkit.sh standalone -n '*.mynifi-nifi-headless.default.svc.cluster.local' -C 'CN=admin, OU=NIFI' -o <targetfolder>
>
>
>
> *Logs:*
>
> 2018-07-02 12:40:32,369 WARN [Replicate Request Thread-1]
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET
> /nifi-api/flow/current-user to
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local:8443 due to
> javax.net.ssl.SSLPeerUnverifiedException: Hostname
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
>     certificate: sha256/########################################
>     DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
>     subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
>
> 2018-07-02 12:40:32,370 WARN [Replicate Request Thread-1]
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator
> javax.net.ssl.SSLPeerUnverifiedException: Hostname
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
>     certificate: sha256/########################################
>     DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
>     subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
>         at
> okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:316)
>
>
>
> Please help me in resolving this.
>
>
>
> *Note*: The same certificates are working for single mode setup.
>
>
>
> Thanks & Regards,
>
> Prashanth
>
>
>

RE: GUI not coming up with secured NiFi[1.7.0] cluster

Posted by "V, Prashanth (Nokia - IN/Bangalore)" <pr...@nokia.com>.
Mike,
Till NiFi 1.6.0, the wildcarded certificate was working. Is there any workaround to resolve this issue?
This error is happening during cluster replication of requests, which was recently included, I believe. What is happening during cluster request replication?

Note: We need to use wildcarded certificates for Kubernetes, as I mentioned earlier.

Thanks & Regards,
Prashanth

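
An added example, not part of the thread and not NiFi or OkHttp code: a small triage script for the `SSLPeerUnverifiedException` entries quoted above. It compares each listed SAN with the rejected hostname both literally and under RFC 6125 style left-most-label wildcard matching; the function names are hypothetical and the log text is a constructed copy of the posted entry.

```python
import re

# Constructed sample: the first WARN entry quoted in the thread (hash masked as posted).
SAMPLE_LOG = """\
2018-07-02 12:40:32,369 WARN [Replicate Request Thread-1] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local:8443 due to javax.net.ssl.SSLPeerUnverifiedException: Hostname mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
    certificate: sha256/########################################
    DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
    subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
"""

HOST_RE = re.compile(r"SSLPeerUnverifiedException: Hostname (\S+) not verified")
SAN_RE = re.compile(r"subjectAltNames: \[([^\]]*)\]")


def parse_failures(log_text):
    """Return [(hostname, [SAN, ...])] for each 'not verified' entry."""
    failures, host = [], None
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if m:
            host = m.group(1)          # start of a new failure entry
            continue
        s = SAN_RE.search(line)
        if s and host:
            sans = [x.strip() for x in s.group(1).split(",") if x.strip()]
            failures.append((host, sans))
            host = None                # wait for the next entry
    return failures


def wildcard_match(pattern, hostname):
    """'*' is honoured only as the whole left-most label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative choice made for this example: refuse bare '*.tld' patterns.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def triage(log_text):
    """One row per (rejected hostname, SAN): literal vs. wildcard comparison."""
    return [
        {"hostname": host, "san": san,
         "literal": san.lower() == host.lower(),
         "wildcard": wildcard_match(san, host)}
        for host, sans in parse_failures(log_text) for san in sans
    ]
```

A row with `literal` false and `wildcard` true means the node name is covered only if the client's hostname verifier honours the wildcard SAN, so that verifier is the place to look next.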