[jira] [Comment Edited] (NIFI-5370) Cluster request replication failing with wildcard certs

Thu, 05 Jul 2018 05:27:16 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16533587#comment-16533587
 ] 

Prashanth Venkatesan edited comment on NIFI-5370 at 7/5/18 12:26 PM:
---------------------------------------------------------------------

Just want to add few more point to this issue. [~alopresto]  - From 
[NiFiHostVerifier|https://github.com/apache/nifi/blob/master/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/util/NiFiHostnameVerifier.java]
 , i can infer that it will either validated when CN equals hostname or SAN 
should contain hostname. Hence wildcarded certs without SAN is not verified.  
But in my case, i need to use wildcard certificates.


was (Author: prashanv):
Just want to add few more point to this issue. [~alopresto]  - From 
[[NiFiHostVerifier|https://github.com/apache/nifi/blob/master/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/util/NiFiHostnameVerifier.java]|https://github.com/apache/nifi/blob/master/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/util/NiFiHostnameVerifier.java]
 , i can infer that it will either validated when CN equals hostname or SAN 
should contain hostname. Hence wildcarded certs without SAN is not verified.  
But in my case, i need to use wildcard certificates.

> Cluster request replication failing with wildcard certs
> -------------------------------------------------------
>
>                 Key: NIFI-5370
>                 URL: https://issues.apache.org/jira/browse/NIFI-5370
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.7.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Major
>              Labels: certificate, cluster, security, tls, wildcard
>
> From the users mailing list:
> {quote}
> Team,
>  
> NiFi secured cluster throws below error with wildcarded self-signed 
> standalone certificate.  Just a brief background, we are deploying nifi in 
> Kubernetes  where we have to use wildcarded certificates. Till nifi 1.6.0, it 
> was working fine.
> Also I tried bringing up NiFi in linux VM in secured cluster mode with 
> wildcarded certs, I am getting same error.
>  
> Toolkit command to generate certs:
> bin/tls-toolkit.sh standalone -n 
> '*.mynifi-nifi-headless.default.svc.cluster.local’ -C 'CN=admin, OU=NIFI' -o 
> <targetfolder>
>  
> Logs:
> 2018-07-02 12:40:32,369 WARN [Replicate Request Thread-1] 
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET 
> /nifi-api/flow/current-user to 
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local:8443 due to 
> javax.net.ssl.SSLPeerUnverifiedException: Hostname 
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
>     certificate: sha256/########################################
>     DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
>     subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
> 2018-07-02 12:40:32,370 WARN [Replicate Request Thread-1] 
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator
> javax.net.ssl.SSLPeerUnverifiedException: Hostname 
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
>     certificate: sha256/########################################
>     DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
>     subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
>         at 
> okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:316)
>  
> Please help me in resolving this.
>  
> Note: Same certificates is working for single mode setup.
> {quote}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to