[
https://issues.apache.org/jira/browse/NIFI-10932?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17679881#comment-17679881
]
Chris Sampson commented on NIFI-10932:
--------------------------------------
This seems like it might be a problem with the {{truststore.p12}} generated as
part of the {{Single User Auth}} setup when using the {{eclipse-temurin:11-jre}}
within the {{apache/nifi}} Docker Image (versions 1.19.0 & 1.19.1).
Starting a container using the Docker Image and connecting to it, then getting
the truststorePassword from the nifi.properties file allows OpenSSL to extract
the CA certificate using the {{pkcs12}} command **but** {{keytool}} reports
that the {{keystore contains 0 entries}}, which then results in
{{nifi-toolkit}} erroring because it has no {{trustAnchors}} imported from the
configured {{trustStore}} when it runs.
{code:bash}
docker run --rm -dit --name nifi-test apache/nifi:1.19.1
# wait for NiFi to start within the container
docker exec -it nifi-test sh
# the remaining commands run inside the container shell
cd conf/
# keep only the value after "key=" (grep alone returns the whole property line)
TRUSTSTORE_PASSWORD="$(grep '^nifi.security.truststorePasswd=' nifi.properties | cut -d= -f2-)"
openssl pkcs12 -in truststore.p12 -cacerts -nokeys -password "pass:${TRUSTSTORE_PASSWORD}"
# note a certificate PEM is output
keytool -list -keystore truststore.p12 -storetype PKCS12 -storepass "${TRUSTSTORE_PASSWORD}"
# note the "Your keystore contains 0 entries" output
{code}
Is the internal certificate generation routine producing the wrong thing for
the {{Single User Auth}} use case? N.B. this same setup seemed to work fine in
earlier versions of the {{apache/nifi}} image, e.g. 1.18.0.
> NiFi Toolkit CLI cannot connect to NiFi - trustAnchors parameter must be
> non-empty
> ----------------------------------------------------------------------------------
>
> Key: NIFI-10932
> URL: https://issues.apache.org/jira/browse/NIFI-10932
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.19.0, 1.19.1
> Reporter: Chris Sampson
> Priority: Major
>
> When running NiFi 1.19.0 using the {{apache/nifi}} docker image, the NiFi
> Toolkit is not able to connect to the running NiFi instance (with the default
> Single User Auth enabled).
> Having updated the NiFi Toolkit CLI properties file with the Truststore and
> Keystore details generated by NiFi (found within {{nifi.properties}}), then
> attempting to run a command using the NiFi Toolkit command line such as:
> {code:bash}
> /opt/nifi/nifi-toolkit-current/bin/cli.sh session set nifi
> /opt/nifi/nifi-toolkit-current/bin/cli.sh nifi get-services
> {code}
> The following error is returned:
> {quote}
> ERROR: Error executing command 'get-services' : Unexpected error:
> java.security.InvalidAlgorithmParameterException: the trustAnchors parameter
> must be non-empty
> {quote}
> This suggests something isn't working correctly with the NiFi Toolkit JVM
> process/configuration or such (e.g. the correct truststore is not being used,
> see https://www.baeldung.com/java-trustanchors-parameter-must-be-non-empty)
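The manual comparison in the comment above (OpenSSL extracts a CA certificate, keytool lists 0 entries) can be scripted as a pre-flight check before pointing a JVM client at a truststore. This is an added example, not code from the issue or from the NiFi project; the function names and the STORE_PASS variable are assumptions, and the parser assumes keytool's English-locale summary line.

```shell
#!/bin/sh
# Added example: compare what OpenSSL and keytool each see in a PKCS12 truststore.
# Function names and STORE_PASS are hypothetical, chosen for this illustration.

# Count PEM certificate blocks on stdin
# (the output of `openssl pkcs12 -cacerts -nokeys`).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Extract N from keytool's "Your keystore contains N entries" line on stdin.
# Prints nothing if the line is absent (wrong password, non-English locale).
keytool_entry_count() {
    sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p' | head -n 1
}

# Classify the two counts.
# Returns 0 = keytool sees every certificate, 1 = mismatch, 2 = unparseable.
classify_counts() {
    pem_count=$1
    jks_count=$2
    if [ -z "$jks_count" ]; then
        echo "UNKNOWN: could not parse keytool output"
        return 2
    elif [ "$pem_count" -gt 0 ] && [ "$jks_count" -eq 0 ]; then
        echo "MISMATCH: OpenSSL sees $pem_count certificate(s), keytool sees 0 entries (no trustAnchors for Java)"
        return 1
    elif [ "$jks_count" -lt "$pem_count" ]; then
        echo "PARTIAL: OpenSSL sees $pem_count certificate(s), keytool sees $jks_count"
        return 1
    else
        echo "OK: keytool lists $jks_count entries for $pem_count certificate(s)"
        return 0
    fi
}

# Run both tools against one store. The password is read from the exported
# environment variable STORE_PASS so it never appears in the process arguments.
check_truststore() {
    store=$1
    pem_count=$(openssl pkcs12 -in "$store" -cacerts -nokeys \
        -password env:STORE_PASS 2>/dev/null | count_pem_certs)
    jks_count=$(keytool -list -keystore "$store" -storetype PKCS12 \
        -storepass:env STORE_PASS 2>/dev/null | keytool_entry_count)
    classify_counts "$pem_count" "$jks_count"
}
```

Inside the container, export STORE_PASS with the value of `nifi.security.truststorePasswd` and run `check_truststore conf/truststore.p12`; a non-zero exit status means the store should not be handed to a Java client as-is.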