Yes, on Kubernetes.

FWIW, I do see changes to
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java
involving a new function createTrustSslContextWithTrustManagers(), among
other related changes.

I'm going to try directly adding the client certs to my trust store to see
if that works (instead of just adding the client certs' issuer).

On Wed, Feb 26, 2020 at 6:08 PM Joe Witt <joe.w...@gmail.com> wrote:

> on kubernetes is a key detail here too...
>
> On Wed, Feb 26, 2020 at 10:01 AM Joe Gresock <jgres...@gmail.com> wrote:
>
> > Java 8
> >
> > On Wed, Feb 26, 2020 at 5:59 PM Nathan Gough <thena...@gmail.com> wrote:
> >
> > > Hi Joe,
> > >
> > > I just set up a secure cluster with NiFi 1.11.3 and am not seeing any
> > > issues like you describe.
> > >
> > > Are you running Java 8 or Java 11?
> > >
> > > Nathan
> > >
> > > On Wed, Feb 26, 2020 at 12:22 PM Joe Gresock <jgres...@gmail.com> wrote:
> > >
> > > > Were there any changes with how the trust store is used in 1.11.3?  I had a
> > > > 1.11.0 deployment working with the following settings, but when I deployed
> > > > 1.11.3, the cluster can't seem to replicate requests to itself:
> > > >
> > > > nifi.remote.input.host=<redacted>
> > > > nifi.remote.input.secure=true
> > > > nifi.remote.input.socket.port=32440
> > > > nifi.remote.input.http.enabled=true
> > > >
> > > > nifi.cluster.protocol.is.secure=true
> > > > nifi.cluster.is.node=true
> > > > nifi.cluster.node.address=nifi-3.nifi-headless.lizardspock.svc.cluster.local
> > > > nifi.cluster.node.protocol.port=6007
> > > >
> > > > nifi.web.https.host=nifi-3.nifi-headless.lizardspock.svc.cluster.local
> > > > nifi.web.https.port=8443
> > > >
> > > > nifi.security.keystore=./conf/keystore.jks
> > > > nifi.security.keystoreType=jks
> > > > nifi.security.keystorePasswd=<password>
> > > > nifi.security.keyPasswd=
> > > > nifi.security.truststore=./conf/truststore.jks
> > > > nifi.security.truststoreType=jks
> > > > nifi.security.truststorePasswd=<password>
> > > > nifi.security.needClientAuth=true
> > > >
> > > > A trusted client cert that worked against the old cluster is getting the
> > > > same trust error (PKIX path building failed).  I've verified that the
> > > > client cert was issued by an issuer that is definitely in the
> > > > ./conf/truststore.jks as a trustedCertEntry.
> > > >
> > > > 2020-02-26 17:11:09,573 WARN [Replicate Request Thread-7] o.a.n.c.c.h.r.ThreadPoolRequestReplicator
> > > > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > >         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> > > >         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
> > > >         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
> > > >         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
> > > >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
> > > >         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
> > > >         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
> > > >         at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
> > > >         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
> > > >         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
> > > >         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
> > > >         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
> > > >         at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:302)
> > > >         at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:270)
> > > >         at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:162)
> > > >         at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:257)
> > > >         at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
> > > >         at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
> > > >         at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
> > > >         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
> > > >         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
> > > >         at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
> > > >         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
> > > >         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
> > > >         at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
> > > >         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
> > > >         at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:126)
> > > >         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
> > > >         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
> > > >         at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
> > > >         at okhttp3.RealCall.execute(RealCall.java:77)
> > > >         at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:143)
> > > >         at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:137)
> > > >         at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:647)
> > > >         at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:839)
> > > >         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> > > >         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> > > >         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> > > >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> > > >         at java.lang.Thread.run(Thread.java:748)
> > > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > >         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > >         at sun.security.validator.Validator.validate(Validator.java:262)
> > > >         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
> > > >         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
> > > >         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
> > > >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
> > > >         ... 35 common frames omitted
> > > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > >         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > > >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > > >         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > >         ... 41 common frames omitted
> > > >
> > > > Thanks,
> > > > Joe
> > > >
> > >
> >
> >
> >
>


-- 
Be on your guard; stand firm in the faith; be courageous; be strong.  Do
everything in love.    -*1 Corinthians 16:13-14*
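Added diagnostic, not part of this thread or of NiFi. The quoted trace fails inside X509TrustManagerImpl.checkServerTrusted, reached from ClientHandshaker.serverCertificate: the node replicating the request is the TLS client there, and what it cannot do is build a path from the peer node's server certificate chain to a trustedCertEntry in its own truststore. The class below (TrustPathCheck is my name for it, as is the TRUSTSTORE_PASSWD variable) captures the chain a peer presents and runs it through the same java.security.cert.CertPathBuilder("PKIX") call that appears in the trace, against the configured truststore, then lists for every presented certificate whether a truststore entry carries its issuer's subject. It reproduces path building only, not hostname verification or key-usage checks. An issuer whose subject is present while the build still fails points at a key or validity mismatch (a re-issued CA with the same DN, an expired intermediate) rather than a missing entry.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

/**
 * TrustPathCheck (hypothetical name, stand-alone diagnostic, not NiFi code).
 * Usage: TRUSTSTORE_PASSWD=... java TrustPathCheck ./conf/truststore.jks JKS <peer-host> 8443
 */
public final class TrustPathCheck {

    /** Every certificate in the truststore becomes a trust anchor, as the default TrustManagerFactory treats it. */
    static Set<TrustAnchor> loadAnchors(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        return anchors;
    }

    /** Handshake with a trust manager that records the server chain instead of judging it (diagnostic only). */
    static List<X509Certificate> fetchPeerChain(String host, int port) throws Exception {
        final List<X509Certificate> captured = new ArrayList<>();
        X509TrustManager recorder = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {
                captured.addAll(Arrays.asList(chain));   // never do this in production code
            }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        } catch (IOException e) {
            // A needClientAuth=true peer rejects a client that presents no certificate, but its own
            // Certificate message has already passed through the recorder by then.
            if (captured.isEmpty()) {
                throw e;
            }
        }
        return captured;
    }

    /** Same PKIX build JSSE performs behind checkServerTrusted; presented certs are offered as a CertStore. */
    static String explain(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            return "OK: path built to trust anchor " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathBuilderException e) {
            StringBuilder sb = new StringBuilder("FAIL: ").append(e.getMessage()).append('\n');
            for (X509Certificate c : chain) {
                boolean issuerSubjectInStore = false;
                for (TrustAnchor a : anchors) {
                    if (a.getTrustedCert().getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
                        issuerSubjectInStore = true;   // same DN; the key or validity may still differ
                    }
                }
                sb.append("  presented: ").append(c.getSubjectX500Principal())
                  .append("\n     issuer: ").append(c.getIssuerX500Principal())
                  .append(issuerSubjectInStore ? "  [subject present in truststore]" : "  [NOT in truststore]")
                  .append('\n');
            }
            return sb.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustPathCheck <truststore> <type> <host> <port>   (password in TRUSTSTORE_PASSWD)");
            System.exit(2);
        }
        char[] pw = Objects.requireNonNull(System.getenv("TRUSTSTORE_PASSWD"), "TRUSTSTORE_PASSWD not set").toCharArray();
        Set<TrustAnchor> anchors = loadAnchors(args[0], args[1], pw);
        List<X509Certificate> chain = fetchPeerChain(args[2], Integer.parseInt(args[3]));
        System.out.println(explain(chain, anchors));
    }
}
```

Run it from each node against the nifi.web.https.host and nifi.web.https.port of every other node, with that node's own nifi.security.truststore, since replication is node to node and each side validates the other. The recording trust manager is there only to capture the chain for inspection; it accepts anything and must not be copied into an application.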
