Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2019/04/05 16:36:05 UTC

[GitHub] [nifi] AnthonyMastrean commented on issue #3266: NIFI-5955 add a Docker HEALTHCHECK

AnthonyMastrean commented on issue #3266: NIFI-5955 add a Docker HEALTHCHECK
URL: https://github.com/apache/nifi/pull/3266#issuecomment-480341526
 
 
   OK, I'm back at it. I know where to find the keystore/truststore passwords. So, I'm trying this command again:
   
   ```
   PS> docker run --name nifi `
   -v "$($pwd)/.nifi/localhost:/opt/certs" `
   -p 8443:8443 `
   -e AUTH=tls `
   -e KEYSTORE_PATH=/opt/certs/keystore.jks `
   -e KEYSTORE_TYPE=JKS `
   -e KEYSTORE_PASSWORD='...' `
   -e TRUSTSTORE_PATH=/opt/certs/truststore.jks `
   -e TRUSTSTORE_TYPE=JKS `
   -e TRUSTSTORE_PASSWORD='...' `
   -e INITIAL_ADMIN_IDENTITY='CN=admin,OU=NIFI' `
   -d `
   apache/nifi:1.8.0
   ```
   
   But, I can't get a website at https://localhost:8443/nifi
   
   > This site can’t provide a secure connection
   > 
   > localhost didn’t accept your login certificate, or one may not have been provided.
   > 
   > Try contacting the system admin.
   > 
   > ERR_BAD_SSL_CLIENT_AUTH_CERT
   
   And if I reload now, it says
   
   > This site can’t be reached
   > 
   > localhost refused to connect.
   > 
   > Try:
   > 
   > - Checking the connection
   > - Checking the proxy and the firewall
   > 
   > ERR_CONNECTION_REFUSED
   
   The last bit of the log seems to indicate everything is OK (I don't see anything else suspicious or relevant, but I could post the whole log if needed).
   
   ```
   2019-04-05 16:25:47,327 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:
   2019-04-05 16:25:47,328 INFO [main] org.apache.nifi.web.server.JettyServer https://5701ad67d3e6:8443/nifi
   2019-04-05 16:25:47,328 INFO [main] org.apache.nifi.BootstrapListener Successfully initiated communication with Bootstrap
   2019-04-05 16:25:47,328 INFO [main] org.apache.nifi.NiFi Controller initialization took 12381541900 nanoseconds (12 seconds).
   ```
   
   Am I passing the initial admin identity correctly? I completely invented that CN user thing... does that need to be "real" in some way? Remember, I created the certs with this command:
   
   ```
   PS> docker run --rm -v "$($pwd)/.nifi:/nifi" --entrypoint /opt/nifi/nifi-toolkit-current/bin/tls-toolkit.sh apache/nifi:1.8.0 standalone -n localhost -C 'CN=admin,OU=NIFI' -O -o /nifi
   ```
   
   I also noticed that the default `nifi.properties` file has some odd values vs. what I'm providing in the Docker command. Do I need to manually correct those? Relevant chunks w/ default values...
   
   This is the wrong HTTPS port, it should be `8443`, right?
   
   ```
   # web properties #
   nifi.web.war.directory=./lib
   nifi.web.http.host=
   nifi.web.http.port=
   nifi.web.http.network.interface.default=
   nifi.web.https.host=localhost
   nifi.web.https.port=9443
   nifi.web.https.network.interface.default=
   nifi.web.jetty.working.directory=./work/jetty
   nifi.web.jetty.threads=200
   nifi.web.max.header.size=16 KB
   nifi.web.proxy.context.path=
   nifi.web.proxy.host=
   ```
   
   And these keystore/truststore paths are incorrect, they should be `/opt/certs/{key|trust}store.jks`, right?
   
   ```
   # security properties #
   nifi.sensitive.props.key=
   nifi.sensitive.props.key.protected=
   nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
   nifi.sensitive.props.provider=BC
   nifi.sensitive.props.additional.keys=
   
   nifi.security.keystore=./conf/keystore.jks
   nifi.security.keystoreType=jks
   nifi.security.keystorePasswd=QoQfB2QyRuspRj50pDqsJUIVDanEPrDpniXqndpTNOg
   nifi.security.keyPasswd=QoQfB2QyRuspRj50pDqsJUIVDanEPrDpniXqndpTNOg
   nifi.security.truststore=./conf/truststore.jks
   nifi.security.truststoreType=jks
   nifi.security.truststorePasswd=I9S8VZGuSjhTSiX7imaYbmEOIXrURMpN+gD2aN8+yV0
   nifi.security.user.authorizer=managed-authorizer
   nifi.security.user.login.identity.provider=
   nifi.security.ocsp.responder.url=
   nifi.security.ocsp.responder.certificate=
   ```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services