> I am working on an Ubuntu server. I do not have the possibility to generate the keychain and to access the graphical interface of NiFi

Where did you get the certificates if you are not able to generate the keychain yourself? It looks like whatever server cert you use for nginx and for the registry are not part of the same trust chain. Also, as far as I know, you cannot just proxy the identity of the user identified by nginx to the registry; its X509 support assumes that it's going to get the user cert, not just a DN.

If you want some prebuilt certs for testing this or deploying into an environment that's not meant for production use, you can steal some of the ones I created for these Docker Compose configurations: https://github.com/MikeThomsen/nifi-docker-compose

Example server DNs are demo.nif, prov.nifi and registry.nifi. I used the TLS Toolkit for those, so they should be plug and play if you need them for testing.

On Wed, Jun 20, 2018 at 8:52 AM [email protected] <[email protected]> wrote:

> I followed this tutorial to set up a secure version of NiFi Registry:
> https://community.hortonworks.com/content/kbentry/170966/setting-up-a-secure-apache-nifi-registry.html
>
> I am working on an Ubuntu server. I do not have the possibility to generate the keychain and to access the graphical interface of NiFi. I use Google Chrome on my local machine (Windows 10), so I imported the p12 file in my browser. My nginx configuration file is as follows:
>
> upstream container {
>     server 172.0.0.2:9000;
> }
>
> server {
>     listen 443 ssl;
>     ssl On;
>     ssl_certificate /etc/letsencrypt/live/sm/fullchain.pem;
>     #/etc/nginx/ssl/fullchain.$
>     ssl_certificate_key /etc/letsencrypt/live/sm/privkey.pem;
>     #/etc/nginx/ssl/privkey$
>     if ($ssl_protocol = "") {
>         rewrite ^ https://$host$request_uri? permanent; # optional, to force use of$
>     }
>     root /var/www/html;
>     # Add index.php to the list if you are using PHP
>     index index.html index.htm index.php;
>     server_name workshop1.smart-mobility.alstom.com; # managed by Certbot
>
>     location ~ \.php$ {
>         include snippets/fastcgi-php.conf;
>         fastcgi_pass unix:/run/php/php7.0-fpm.sock;
>         auth_basic "Restricted";
>         auth_basic_user_file /etc/nginx/.htpasswd;
>     }
>
>     location ~ /\.ht {
>         deny all;
>     }
>
>     location / {
>         # First attempt to serve request as file, then
>         # as directory, then fall back to displaying a 404.
>         try_files $uri $uri/ =404;
>         auth_basic "Restricted";
>         auth_basic_user_file /etc/nginx/.htpasswd;
>     }
>
>     location /nifi-registry-api/ {
>         rewrite ^/nifi-registry-api/(.*) /nifi-registry-api/$1 break;
>         proxy_pass https://localhost:18443/nifi-registry;
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection 'upgrade';
>         proxy_set_header Host $host;
>         proxy_cache_bypass $http_upgrade;
>     }
>
>     location /nifi-registry/ {
>         proxy_pass https://localhost:18443/nifi-registry;
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection 'upgrade';
>         proxy_set_header Host $host;
>         proxy_cache_bypass $http_upgrade;
>         proxy_set_header X-ProxyScheme "https";
>         proxy_set_header X-ProxyHost $proxy_host;
>         proxy_set_header X-ProxiedEntitiesChain "<%{SSL_CLIENT_S_DN}>";
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Scheme $scheme;
>         proxy_connect_timeout 1;
>     }
> }
>
> When I log on to the nifi-registry page I have the following error: 502 Bad Gateway
>
> Can someone help me on this point please? I do not find examples.
>
> Error log nginx:
>
> *28739 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL hands
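The "sslv3 alert bad certificate" (TLS alert 42) in the quoted error log is an alert nginx received from the peer it was handshaking with, here the upstream behind `proxy_pass https://localhost:18443`. nginx only presents a client certificate to an upstream when `proxy_ssl_certificate` and `proxy_ssl_certificate_key` are set, and only checks the upstream's certificate with `proxy_ssl_verify on` plus `proxy_ssl_trusted_certificate`; the `%{SSL_CLIENT_S_DN}` in the `X-ProxiedEntitiesChain` header is Apache mod_ssl syntax, the nginx variable is `$ssl_client_s_dn`. The script below is an added example, not code from the thread, nginx or the NiFi project: it lints an nginx config for `https://` `proxy_pass` locations missing those directives, and shows the same location with them present. Both configs and all file paths are constructed.

```python
import re

# Constructed sample modelled on the configuration quoted in the thread
# (same upstream port and header names; it is not the poster's file verbatim).
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/sm/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sm/privkey.pem;

    location / {
        try_files $uri $uri/ =404;
    }

    location /nifi-registry-api/ {
        proxy_pass https://localhost:18443/nifi-registry;
        proxy_set_header Host $host;
    }

    location /nifi-registry/ {
        proxy_pass https://localhost:18443/nifi-registry;   # TLS to the backend
        proxy_set_header X-ProxyScheme "https";
        proxy_set_header X-ProxiedEntitiesChain "<%{SSL_CLIENT_S_DN}>";
    }
}
"""

# The same location with the directives nginx needs to do mutual TLS to the
# backend. File paths are placeholders; the proxy's certificate must come from
# a CA the registry trusts, or the registry will still reject the handshake.
HARDENED_CONF = """
server {
    proxy_ssl_trusted_certificate /etc/nginx/ssl/registry-ca.pem;
    proxy_ssl_verify on;

    location /nifi-registry/ {
        proxy_pass https://localhost:18443/nifi-registry;
        proxy_ssl_certificate /etc/nginx/ssl/proxy.crt;
        proxy_ssl_certificate_key /etc/nginx/ssl/proxy.key;
        proxy_set_header X-ProxiedEntitiesChain "<$ssl_client_s_dn>";
    }
}
"""

MTLS_DIRECTIVES = ("proxy_ssl_certificate", "proxy_ssl_certificate_key",
                   "proxy_ssl_trusted_certificate")
VERIFY_RE = re.compile(r"proxy_ssl_verify\s+(on|off)\s*;")


def strip_comments(text):
    return re.sub(r"#[^\n]*", "", text)


def block_body(text, open_brace):
    """Text between the '{' at index open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in nginx config")


def locations(server_body):
    """(pattern, body) for every location block inside a server block."""
    for m in re.finditer(r"location\s+([^{]+?)\s*\{", server_body):
        yield m.group(1).strip(), block_body(server_body, m.end() - 1)


def directive_names(text):
    """Names of the directives that start a line in the given block text."""
    return set(re.findall(r"(?m)^\s*([a-z_]+)\s", text))


def lint(conf):
    """Return (location, problem) pairs for https proxy_pass locations."""
    conf = strip_comments(conf)
    findings = []
    for s in re.finditer(r"\bserver\s*\{", conf):
        body = block_body(conf, s.end() - 1)
        outer = body  # server-level text only: directives inherited by locations
        for _, lbody in locations(body):
            outer = outer.replace(lbody, "")
        inherited = directive_names(outer)
        for pattern, lbody in locations(body):
            if not re.search(r"proxy_pass\s+https://", lbody):
                continue
            present = directive_names(lbody) | inherited
            for d in MTLS_DIRECTIVES:
                if d not in present:
                    findings.append((pattern, f"https proxy_pass without {d}"))
            # a location-level proxy_ssl_verify overrides the server-level one
            verify = VERIFY_RE.search(lbody) or VERIFY_RE.search(outer)
            if not (verify and verify.group(1) == "on"):
                findings.append((pattern, "proxy_ssl_verify is not on: upstream certificate is not checked"))
            if re.search(r"%\{[A-Z_]+\}", lbody):
                findings.append((pattern, "Apache mod_ssl %{...} syntax in a header; nginx uses $ssl_client_s_dn"))
    return findings


if __name__ == "__main__":
    for loc, problem in lint(SAMPLE_CONF):
        print(f"{loc}: {problem}")
    print("hardened config findings:", lint(HARDENED_CONF))
```

Run it against a real `nginx.conf` by reading the file into `lint()`; every finding names the location and the missing directive. The lint is deliberately narrow: it does not tell you whether the proxy's certificate is actually issued by a CA the registry trusts, which is the trust-chain question raised in the reply above and is checked on the certificate files themselves, not the nginx config.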
