Hi,

As Bryan said, you only need to run the command once. However, if it is run 
from the same directory multiple times, and the nifi-key.key and nifi-cert.pem 
files that are generated the first time are not removed between runs, it will 
use the same CA key to sign all the generated certificates, so this should not 
be an issue.

I do notice that in your first invocation, the hostname value is 
“server10[1-3]xj.domain.com” while in the second invocation, the letters “xj” 
are not there. Please check to ensure that the hostname is consistent with 
what you expect.

To diagnose the browser error, please check the following information:

* Browser name and version
  * If Google Chrome 58+, the hostname MUST be present in the SAN 
    (SubjectAlternativeName) list, or this error will be returned. To do this, 
    in your toolkit command, add “--subjectAlternativeNames 
    ‘server101.domain.com’”. There is an open Jira to enable this by default in 
    the next version of the toolkit. Another wrinkle is that the SAN parsing 
    does not currently support the regex handling that the hostname parser 
    does, so you will have to run each command separately, matching the 
    hostname and SAN, unless you want every certificate to have the same SAN 
    entries and enumerate all of them there.
* Did you import the CA certificate into your OS/browser truststore?

If you can also provide the logs/nifi-app.log and logs/nifi-user.log files, 
these are very helpful in diagnosing authentication issues.

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
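The two checks Andy and Bryan describe above (does the client cert chain to the same CA as the server cert, and does the server cert carry the hostname as a SAN entry) can be run with plain openssl. This is an added example, not code from the thread or from the NiFi TLS toolkit; it assumes the certificates have been exported to PEM (the toolkit's CA cert is nifi-cert.pem), and the demo CA names, file names and the CN=admin subject are constructed to mirror the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the TLS toolkit: rebuild the two
# failure modes discussed above with plain openssl and check for them.
set -eu

# Does LEAF chain to the CA in CAFILE (the toolkit's nifi-cert.pem)?
chains_to_ca() {   # chains_to_ca CAFILE LEAF
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Is HOST listed as a DNS entry in LEAF's SAN? Looks only at the SAN, never
# at the CN, because that is what Chrome 58+ does.
san_lists_host() {   # san_lists_host LEAF HOST
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qx "DNS:$2"
}

# Rebuild the thread's situation in a temp dir: one CA (ca1) signs the server
# cert with a SAN, a second run (ca2) signs the client cert. Prints the dir.
make_demo() {
  d=$(mktemp -d)
  ( cd "$d" || exit 1
    printf 'subjectAltName=DNS:server101.domain.com\n' > san.cnf
    for ca in ca1 ca2; do
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
        -keyout "$ca.key" -out "$ca.pem"
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server101.domain.com" \
      -keyout server.key -out server.csr
    openssl x509 -req -in server.csr -CA ca1.pem -CAkey ca1.key -set_serial 1 \
      -days 1 -extfile san.cnf -out server.pem
    openssl req -newkey rsa:2048 -nodes -subj "/CN=admin/OU=NIFIORG" \
      -keyout admin.key -out admin.csr
    openssl x509 -req -in admin.csr -CA ca2.pem -CAkey ca2.key -set_serial 2 \
      -days 1 -out admin.pem
  ) >/dev/null 2>&1
  echo "$d"
}

# Report every mismatch; exit 0 only when both certs share the CA and the
# server cert's SAN carries HOST.
diagnose() {   # diagnose CAFILE SERVER_PEM CLIENT_PEM HOST
  rc=0
  chains_to_ca "$1" "$2" || { echo "server cert not signed by $1"; rc=1; }
  chains_to_ca "$1" "$3" || { echo "client cert not signed by $1 (second toolkit run?)"; rc=1; }
  san_lists_host "$2" "$4" || { echo "server cert SAN lacks DNS:$4"; rc=1; }
  return $rc
}

# "sh check.sh demo" rebuilds the thread's setup and reports the CA mismatch.
if [ "${1:-}" = demo ]; then
  d=$(make_demo)
  diagnose "$d/ca1.pem" "$d/server.pem" "$d/admin.pem" server101.domain.com
fi
```

Against real toolkit output, run `diagnose nifi-cert.pem <server.pem> <client.pem> <hostname>` after exporting the node and client certificates from their keystores to PEM.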

> On Jul 31, 2017, at 10:13 AM, Bryan Bende <bbe...@gmail.com> wrote:
> 
> Hello,
> 
> I think you should only make one call to the toolkit which should
> generate a CA, the server certs, and the client cert all at the same
> time. The -C flag is for the client cert which you already had on the
> first call so I think it generated it already.
> 
> By running it twice like above, the first time is generating a CA and
> server certs for servers 101-103, the second time it's generating a new
> CA, a server cert for server101, and a client cert, so now you are
> using a client cert that was generated from a different CA than the
> server certs.
> 
> -Bryan
> 
> 
> 
> On Mon, Jul 31, 2017 at 1:02 PM, nifi-san <nairsande...@gmail.com> wrote:
>> Hello Experts,
>> 
>> I have secured my three node nifi cluster and followed the links below:-
>> 
>> https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/
>> 
>> https://pierrevillard.com/tag/tls-toolkit/
>> 
>> The only difference is that I used the toolkit standalone mode to generate
>> the required certs.
>> 
>> In spite of generating the client certificate with the below command, I see
>> the following error on my browser:-
>> 
>> "ERR_BAD_SSL_CLIENT_AUTH_CERT"
>> 
>> Below are the commands used to generate the certificates and keystores:-
>> 
>> tls-toolkit.sh standalone -n 'server10[1-3]xj.domain.com' -C 'CN=admin,
>> OU=NIFIORG' -o.
>> 
>> Client Cert:-
>> 
>> tls-toolkit.sh standalone -n 'server101.domain.com' -C 'CN=admin,
>> OU=NIFIORG' -o.
>> 
>> Tried generating the client certificate using "localhost" as well instead of
>> "server101.domain.com" but that did not help either.
>> 
>> The cluster has come up successfully and is listening on the SSL port. Also, the
>> users.xml and authorizations.xml have been populated properly with the
>> initial Admin which is "CN=admin, OU=NIFIORG"
>> 
>> I imported the cert created in p12 format into the browser but every time I
>> try to access the UI, I get the same error.
>> 
>> Tried regenerating the certs for all the nodes and created a fresh new
>> client cert as well but that did not help.
>> 
>> I could not see any error in the logs but at the same time there was no
>> authentication request in the user logs for the user "CN=admin, OU=NIFIORG".
>> 
>> Appreciate any pointers on how to resolve this issue.
>> 
>> --
>> View this message in context: 
>> http://apache-nifi-developer-list.39713.n7.nabble.com/ERR-BAD-SSL-CLIENT-AUTH-CERT-error-after-configuring-secure-cluster-tp16538.html
>> Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.