You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@nifi.apache.org by Nishant Gupta <ni...@gmail.com> on 2017/11/12 18:25:00 UTC
Facing issue in Site to Site Https Communication
Hi Team,
I am trying to make site to site communication between 2 standalone nifi
instances.
I am getting below error
2017-11-12 23:44:41,304 WARN [Remote Process Group
b1265abf-015f-1000-632e-e7939fbad38f: https://X.X.X.X:9443/nifi Thread-1]
o.a.n.remote.StandardRemoteProcessGroup Unable to connect to
RemoteProcessGroup[https://X.X.X.X:9443/nifi] due to
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: Path does not chain with any
of the trust anchors.
I have generated the certificate using below command and imported in
browser.:
sudo bash ./tls-toolkit.sh standalone -n 'server-1,server-2' -C 'CN=demo,
OU=nifi' -O -o ../security_output
I am not able to figure out any solution on google.
Can you please help me out.
Thanks and Regards,
Nishant Gupta
Re: Facing issue in Site to Site Https Communication
Posted by Koji Kawamura <ij...@gmail.com>.
Hi,
A common mistake with tls-toolkit is generating keystore and
truststore for each node using DIFFERENT NiFi CA Cert.
If tls-toolkit standalone is executed against different output
directories, it may produce different NiFi CA in each directory.
Please check both of s2s client and server truststores have the same
NiFi CA Cert.
To do so, use keytool command:
keytool -list -keystore truststore.jks
nifi-cert, Feb 9, 2018, trustedCertEntry,
Certificate fingerprint (SHA1):
FE:0D:FE:0D:72:40:0A:7E:49:45:1B:78:D9:F5:F4:6E:A2:3C:92:E5
If that's not the case, then I'd recommend adding
-Djavax.net.debug=all Java option to debug further.
You can add Java options from ${NIFI_HOME}/conf/bootstrap.conf.
https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
Thanks,
Koji
On Fri, Feb 23, 2018 at 9:01 AM, yi <yu...@austal.com> wrote:
> Apologies, I should clarify that I still do not have communication working
> site to site. Please assist. Thank you.
>
>
>
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
Re: Facing issue in Site to Site Https Communication
Posted by yi <yu...@austal.com>.
Apologies, I should clarify that I still do not have communication working
site to site. Please assist. Thank you.
--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
Re: Facing issue in Site to Site Https Communication
Posted by yi <yu...@austal.com>.
Hi Koji,
Thanks for the very quick response.
The toolkit does generate a nifi.properties file for each of the servers.
I've modified it slightly for things like port numbers, but the
keystore/truststore settings I am pretty confident about, as I have had
success with accessing the nifi UI. I imported the .p12 certificates that
the toolkit produced to my browser.
RPG side:
nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=<ks password generated by toolkit>
nifi.security.keyPasswd=<key password generated by toolkit>
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=<ts password generated by toolkit>
nifi.security.needClientAuth=
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
"server" side:
nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=<different ks password generated by toolkit>
nifi.security.keyPasswd=<different key password generated by toolkit>
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=<different ts password generated by toolkit>
nifi.security.needClientAuth=
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
Thank you
--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
Re: Facing issue in Site to Site Https Communication
Posted by Koji Kawamura <ij...@gmail.com>.
Hi,
If tls-toolkit was used to generate certificates, then there should be
server-1 and server-2 directories created and each contains
keystore.jks and truststore.jks.
```
sudo bash ./tls-toolkit.sh standalone -n 'server-1,server-2' -C 'CN=demo,
OU=nifi' -O -o ../security_output
```
Please check following configurations in nifi.properties file to see
if the generated keystore and truststore are specified correctly:
nifi.security.keystore
nifi.security.keystoreType
nifi.security.keystorePasswd
nifi.security.keyPasswd
nifi.security.truststore
nifi.security.truststoreType
nifi.security.truststorePasswd
Thanks,
Koji
On Thu, Feb 22, 2018 at 4:13 PM, yi <yu...@austal.com> wrote:
> Hi there,
>
> sticking my nose in as I have the same issue!
>
> slightly different to Nishant, but here's my settings:
>
> On the RPG instance side
>
> # Site to Site properties
> nifi.remote.input.host=
> nifi.remote.input.secure=true
> nifi.remote.input.socket.port=8899
> nifi.remote.input.http.enabled=true
> nifi.remote.input.http.transaction.ttl=30 sec
>
> # web properties #
> nifi.web.war.directory=./lib
> nifi.web.http.host=
> nifi.web.http.port=
> nifi.web.http.network.interface.default=
> nifi.web.https.host=localhost
> nifi.web.https.port=8443
> nifi.web.https.network.interface.default=
> nifi.web.jetty.working.directory=./work/jetty
> nifi.web.jetty.threads=200
>
> On the "server" side
> # Site to Site properties
> nifi.remote.input.host=<server instance public IP>
> nifi.remote.input.secure=true
> nifi.remote.input.socket.port=8899
> nifi.remote.input.http.enabled=false
> nifi.remote.input.http.transaction.ttl=30 sec
>
> # web properties #
> nifi.web.war.directory=./lib
> nifi.web.http.host=
> nifi.web.http.port=
> nifi.web.http.network.interface.default=
> nifi.web.https.host=
> nifi.web.https.port=8443
> nifi.web.https.network.interface.default=
> nifi.web.jetty.working.directory=./work/jetty
> nifi.web.jetty.threads=200
>
>
> ----
>
> Any guidance is appreciated!
>
> Thank you
>
>
>
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
Re: Facing issue in Site to Site Https Communication
Posted by yi <yu...@austal.com>.
Hi there,
sticking my nose in as I have the same issue!
slightly different to Nishant, but here's my settings:
On the RPG instance side
# Site to Site properties
nifi.remote.input.host=
nifi.remote.input.secure=true
nifi.remote.input.socket.port=8899
nifi.remote.input.http.enabled=true
nifi.remote.input.http.transaction.ttl=30 sec
# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=
nifi.web.https.host=localhost
nifi.web.https.port=8443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
On the "server" side
# Site to Site properties
nifi.remote.input.host=<server instance public IP>
nifi.remote.input.secure=true
nifi.remote.input.socket.port=8899
nifi.remote.input.http.enabled=false
nifi.remote.input.http.transaction.ttl=30 sec
# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=
nifi.web.https.host=
nifi.web.https.port=8443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
----
Any guidance is appreciated!
Thank you
--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
Re: Facing issue in Site to Site Https Communication
Posted by Pierre Villard <pi...@gmail.com>.
Hi,
Based on your error message, the problem is most likely with your
truststore configuration. What did you configure for HTTPS in your
nifi.properties configuration file?
Pierre
Le 12 nov. 2017 19:38, "Nishant Gupta" <ni...@gmail.com> a
écrit :
Hi Team,
I am trying to make site to site communication between 2 standalone nifi
instances.
I am getting below error
2017-11-12 23:44:41,304 WARN [Remote Process Group
b1265abf-015f-1000-632e-e7939fbad38f: https://X.X.X.X:9443/nifi Thread-1]
o.a.n.remote.StandardRemoteProcessGroup Unable to connect to
RemoteProcessGroup[https://X.X.X.X:9443/nifi] due to
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: Path does not chain with any
of the trust anchors.
I have generated the certificate using below command and imported in
browser.:
sudo bash ./tls-toolkit.sh standalone -n 'server-1,server-2' -C 'CN=demo,
OU=nifi' -O -o ../security_output
I am not able to figure out any solution on google.
Can you please help me out.
Thanks and Regards,
Nishant Gupta