[
https://issues.apache.org/jira/browse/NIFI-11536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tan Luu updated NIFI-11536:
---------------------------
Affects Version/s: 1.20.0
1.19.0
1.18.0
> nifi.security.autoreload.enabled is broken since v1.17.0
> --------------------------------------------------------
>
> Key: NIFI-11536
> URL: https://issues.apache.org/jira/browse/NIFI-11536
> Project: Apache NiFi
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.17.0, 1.18.0, 1.19.0, 1.20.0
> Environment: standalone
> Reporter: Tan Luu
> Priority: Major
> Labels: critical
>
> NiFi standalone with nifi.security.autoreload.enabled=true does not reload
> TLS keystore after upgrade from 1.16.3 to 1.17.0 onward.
> Steps to reproduce:
> 1/ Generate truststore and 2 keystores for nifi standalone using nifi
> toolkit. Two keystores should be generated at least 5 minutes apart from each
> other since we use the certificate start time to verify if the new cert is
> loaded later
> e.g.
> bin/tls-toolkit.sh standalone -n nifi.tmanet.com \
> --subjectAlternativeNames nifi.tmanet.com -P
> TErbdTQutLvFVd3kunMcCL5/OG1K+t2l/Q1vSiJbJp8 \
> -S JaTxUVN+HK8+LyPCs9ruJXCiYq/zr1bYUxJBjEGnjpw
> 2/ Configure nifi standalone with generated truststore and one of the
> keystore then start nifi (ensure nifi.security.autoreload.enabled=true in
> your nifi.properties)
> 3/ Check the certificate start date return when calling nifi url e.g.
> nifi.tmanet.com:9443
> curl -kv https://nifi.tmanet.com:9443 2>&1 | /bin/grep start
> 4/ Replace keystore.jks by another keystore generated above and wait for
> nifi.security.autoreload.interval (default 10s) and recheck the nifi
> certificate by
> curl -kv https://nifi.tmanet.com:9443 2>&1 | /bin/grep start
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
