[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16537802#comment-16537802 ]
ASF GitHub Bot commented on NIFI-5370: -------------------------------------- GitHub user alopresto opened a pull request: https://github.com/apache/nifi/pull/2869 NIFI-5370 Resolve wildcard certificate issue in secure cluster Thank you for submitting a contribution to Apache NiFi. In order to streamline the review of the contribution we ask you to ensure the following steps have been taken: ### For all changes: - [x] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message? - [x] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character. - [x] Has your PR been rebased against the latest commit within the target branch (typically master)? - [ ] Is your initial contribution a single, squashed commit? ### For code changes: - [ ] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder? - [ ] Have you written or updated unit tests to verify your changes? - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? - [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly? - [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly? - [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties? ### For documentation related changes: - [ ] Have you ensured that format looks appropriate for the output in which it is rendered? ### Note: Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible. You can merge this pull request into a Git repository by running: $ git pull https://github.com/alopresto/nifi NIFI-5370 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/nifi/pull/2869.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #2869 ---- commit 1cea24f8a43ea5b8749af179e61a87baed1ab355 Author: Andy LoPresto <alopresto@...> Date: 2018-07-07T05:07:46Z NIFI-5370 [WIP] Trying to resolve wildcard cert errors in cluster comms. commit 226cad359385235ef93424acc26b98e9d0d35696 Author: Andy LoPresto <alopresto@...> Date: 2018-07-09T18:42:40Z NIFI-5370 [WIP] Refactored AbstractNodeProtocolSender to de-duplicate marshalling/unmarshalling of protocol messages. commit 89897813d01cbf1a0dbac1779090d93261b3a1e0 Author: Andy LoPresto <alopresto@...> Date: 2018-07-09T20:12:54Z NIFI-5370 Removed NiFiHostnameVerifier test. Restored custom trustmanager loading but removed custom hostname verifier implementation from OkHttpReplicationClient (default handles wildcard certs). ---- > Cluster request replication failing with wildcard certs > ------------------------------------------------------- > > Key: NIFI-5370 > URL: https://issues.apache.org/jira/browse/NIFI-5370 > Project: Apache NiFi > Issue Type: Bug > Components: Core Framework > Affects Versions: 1.7.0 > Reporter: Andy LoPresto > Assignee: Andy LoPresto > Priority: Major > Labels: certificate, cluster, security, tls, wildcard > > From the users mailing list: > {quote} > Team, > > NiFi secured cluster throws below error with wildcarded self-signed > standalone certificate. Just a brief background, we are deploying nifi in > Kubernetes where we have to use wildcarded certificates. Till nifi 1.6.0, it > was working fine. > Also I tried bringing up NiFi in linux VM in secured cluster mode with > wildcarded certs, I am getting same error. > > Toolkit command to generate certs: > bin/tls-toolkit.sh standalone -n > '*.mynifi-nifi-headless.default.svc.cluster.local’ -C 'CN=admin, OU=NIFI' -o > <targetfolder> > > Logs: > 2018-07-02 12:40:32,369 WARN [Replicate Request Thread-1] > o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET > /nifi-api/flow/current-user to > mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local:8443 due to > javax.net.ssl.SSLPeerUnverifiedException: Hostname > mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified: > certificate: sha256/######################################## > DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI > subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local] > 2018-07-02 12:40:32,370 WARN [Replicate Request Thread-1] > o.a.n.c.c.h.r.ThreadPoolRequestReplicator > javax.net.ssl.SSLPeerUnverifiedException: Hostname > mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified: > certificate: sha256/######################################## > DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI > subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local] > at > okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:316) > > Please help me in resolving this. > > Note: Same certificates is working for single mode setup. > {quote} -- This message was sent by Atlassian JIRA (v7.6.3#76005)