Andy LoPresto created NIFI-3740:
-----------------------------------
Summary: Hostname validation error message can be unclear if SAN fails but CN matches hostname
Key: NIFI-3740
URL: https://issues.apache.org/jira/browse/NIFI-3740
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Affects Versions: 1.1.1
Reporter: Andy LoPresto
As reported on the mailing list, the error message can be very confusing if the
hostname matches the certificate CN but not the SAN.
{quote}
On Apr 23, 2017, at 4:42 PM, Joe Gresock <[email protected]> wrote:
Just to follow up -- apparently if the Subject Alternate Name is set
incorrectly, it will result in this error. Apparently the CN is ignored if
the SAN is set on the cert.
On Sat, Apr 22, 2017 at 12:08 PM, Joe Gresock <[email protected]> wrote:
I've been banging my head against the wall on this one.. is there a good
way to further debug this RPG error? The hostname clearly matches the
certificate CN.
2017-04-22 12:04:35,932 WARN [Remote Process Group
68ed2275-894d-3d75-b457-9d28a1b680e0:
https://ip-172-31-33-37.ec2.internal:8443/nifi Thread-1]
o.a.n.remote.StandardRemoteProcessGroup
Unable to connect to RemoteProcessGroup[https://ip-172-31-33-37.ec2.internal:8443/nifi] due to
javax.net.ssl.SSLPeerUnverifiedException:
Host name '*ip-172-31-33-37.ec2.internal*' does not match the certificate
subject provided by the peer (CN=*ip-172-31-33-37.ec2.internal*, OU=LZ,
O=LZS, L=Jessup, ST=Maryland, C=US)
{quote}
The exception thrown by the code under discussion should differentiate between
the reasons the verification failed so a more helpful error message can be
displayed to the user/in the logs.
See [RFC 2818|https://tools.ietf.org/html/rfc2818#section-3] for more
information.
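The following is an added example, not NiFi's code and not part of the original issue: a sketch of a hostname check that follows RFC 2818 section 3.1 and reports which identity source failed, so a SAN mismatch is not described as a subject mismatch. The class name `HostnameMismatchReason`, its methods, and the SAN value `nifi.example.internal` are assumptions made for illustration; the subject DN is the one from the log above, written in RFC 2253 form.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class HostnameMismatchReason {
    // Adapter for a real peer certificate; SAN entries of type 2 are dNSName.
    static String explain(String host, X509Certificate cert)
            throws CertificateParsingException, InvalidNameException {
        List<String> dns = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when absent
        if (sans != null)
            for (List<?> san : sans)
                if (Integer.valueOf(2).equals(san.get(0))) dns.add((String) san.get(1));
        return explain(host, dns, cert.getSubjectX500Principal().getName());
    }
    // RFC 2818 section 3.1: dNSName SANs, when present, are the identity; CN is only a fallback.
    static String explain(String host, List<String> dnsSans, String subjectDn)
            throws InvalidNameException {
        String cn = null;
        for (Rdn rdn : new LdapName(subjectDn).getRdns())
            if ("CN".equalsIgnoreCase(rdn.getType())) cn = rdn.getValue().toString();
        boolean cnMatches = cn != null && matches(host, cn);
        if (dnsSans.isEmpty())
            return cnMatches ? "OK: matched CN=" + cn + " (no SAN dNSName present)"
                    : "Host '" + host + "' does not match CN=" + cn + "; certificate has no SAN dNSName";
        for (String san : dnsSans)
            if (matches(host, san)) return "OK: matched SAN dNSName " + san;
        return "Host '" + host + "' matches none of the SAN dNSName entries " + dnsSans
                + (cnMatches ? "; CN=" + cn + " matches but is ignored because a SAN is present" : "");
    }

    // Exact match, or a "*." wildcard covering the left-most label only.
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(), p = pattern.toLowerCase();
        if (!p.startsWith("*.")) return h.equals(p);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }
    public static void main(String[] args) throws Exception {
        String dn = "CN=ip-172-31-33-37.ec2.internal,OU=LZ,O=LZS,L=Jessup,ST=Maryland,C=US";
        // Constructed SAN value: the page does not show the certificate's SAN.
        System.out.println(explain("ip-172-31-33-37.ec2.internal", List.of("nifi.example.internal"), dn));
    }
}
```

Run against the constructed input, the message names the SAN list as the failing identity source and notes that the matching CN was ignored, which is the distinction the issue asks for.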