Tan Luu created NIFI-11536:
------------------------------
Summary: nifi.security.autoreload.enabled is broken since v1.17.0
Key: NIFI-11536
URL: https://issues.apache.org/jira/browse/NIFI-11536
Project: Apache NiFi
Issue Type: Bug
Components: Security
Affects Versions: 1.17.0
Environment: standalone
Reporter: Tan Luu
NiFi standalone with nifi.security.autoreload.enabled=true does not reload TLS
keystore after upgrade from 1.16.3 to 1.17.0 onward.
Steps to reproduce:
1/ Generate truststore and 2 keystores for nifi standalone using nifi toolkit.
Two keystores should be generated at least 5 minutes apart from each other
since we use the certificate start time to verify if the new cert is loaded
later
e.g.
bin/tls-toolkit.sh standalone -n nifi.tmanet.com \
--subjectAlternativeNames nifi.tmanet.com -P
TErbdTQutLvFVd3kunMcCL5/OG1K+t2l/Q1vSiJbJp8 \
-S JaTxUVN+HK8+LyPCs9ruJXCiYq/zr1bYUxJBjEGnjpw
2/ Configure nifi standalone with generated truststore and one of the keystore
then start nifi (ensure nifi.security.autoreload.enabled=true in your
nifi.properties)
3/ Check the certificate start date return when calling nifi url e.g.
nifi.tmanet.com:9443
curl -kv https://nifi.tmanet.com:9443 2>&1 | /bin/grep start
4/ Replace keystore.jks by another keystore generated above and wait for
nifi.security.autoreload.interval (default 10s) and recheck the nifi
certificate by
curl -kv https://nifi.tmanet.com:9443 2>&1 | /bin/grep start
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
