[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16538093#comment-16538093 ]

Prashanth Venkatesan commented on NIFI-5370:
--------------------------------------------

[~alopresto] The reason behind going towards wildcarded certs was to handle
dynamic scaling easily, especially in containerised environments (say DCOS,
Kubernetes, etc.). To my knowledge, in NiFi, if we are using uniquely identified
certificates we have to add an 'Initial User Identity' and 'Node Identity' in the
*authorizers.xml* file for every new node in the cluster. So if we are scaling out,
we have to update the authorizers.xml file on all nodes, which results in a restart
of the existing nodes. Also, in case of a multi-node cluster, managing multiple
uniquely identified certificates is a bit difficult.

> Cluster request replication failing with wildcard certs
> -------------------------------------------------------
>
>                 Key: NIFI-5370
>                 URL: https://issues.apache.org/jira/browse/NIFI-5370
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.7.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Major
>              Labels: certificate, cluster, security, tls, wildcard
>
> From the users mailing list:
> {quote}
> Team,
>  
> A NiFi secured cluster throws the below error with a wildcarded self-signed
> standalone certificate. Just a brief background: we are deploying NiFi in
> Kubernetes, where we have to use wildcarded certificates. Till NiFi 1.6.0, it
> was working fine.
> Also, I tried bringing up NiFi in a Linux VM in secured cluster mode with
> wildcarded certs, and I am getting the same error.
>  
> Toolkit command to generate certs:
> bin/tls-toolkit.sh standalone -n '*.mynifi-nifi-headless.default.svc.cluster.local' -C 'CN=admin, OU=NIFI' -o <targetfolder>
>  
> Logs:
> 2018-07-02 12:40:32,369 WARN [Replicate Request Thread-1] 
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET 
> /nifi-api/flow/current-user to 
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local:8443 due to 
> javax.net.ssl.SSLPeerUnverifiedException: Hostname 
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
>     certificate: sha256/########################################
>     DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
>     subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
> 2018-07-02 12:40:32,370 WARN [Replicate Request Thread-1] 
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator
> javax.net.ssl.SSLPeerUnverifiedException: Hostname 
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
>     certificate: sha256/########################################
>     DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
>     subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
>         at 
> okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:316)
>  
> Please help me in resolving this.
>  
> Note: The same certificates are working for the single mode setup.
> {quote}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
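Added example, not code from this thread or from NiFi/OkHttp: a small checker that applies the RFC 6125 single-label wildcard rules to the hostname and the SAN entry from the log quoted above. It shows that the pair matches under those rules (the wildcard sits alone in the left-most label and covers exactly one label), which is a useful first check when a client verifier rejects a wildcard name: if the name passes here, the rejection comes from the verifier's own policy rather than from a malformed wildcard.

```python
# Values copied from the NiFi log in the issue above; the harness itself is constructed.
REPORTED_HOSTNAME = "mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local"
CERT_SAN_DNS = ["*.mynifi-nifi-headless.default.svc.cluster.local"]


def dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN pattern against a hostname, RFC 6125 6.4.3 style.

    Rules implemented:
      * comparison is case-insensitive and a trailing dot is ignored
      * a wildcard is honoured only as the entire left-most label ("*.")
      * the wildcard matches exactly one label, never zero or several
      * a wildcard must be followed by at least two labels, so patterns
        such as "*.local" or "*.com" are rejected as too broad
    """
    pat_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "" in pat_labels or "" in host_labels:
        return False  # empty label, e.g. "a..b"
    if "*" not in pattern:
        return pat_labels == host_labels  # plain name: exact label match
    if pat_labels[0] != "*" or any("*" in lbl for lbl in pat_labels[1:]):
        return False  # partial ("node-*") or non-leading wildcard
    if len(pat_labels) < 3:
        return False  # would cover a whole public suffix
    if len(host_labels) != len(pat_labels):
        return False  # "*" must consume exactly one label
    return host_labels[1:] == pat_labels[1:]


def certificate_matches_host(san_dns_names, hostname: str) -> bool:
    """True if any dNSName SAN entry matches the host being connected to."""
    return any(dns_pattern_matches(p, hostname) for p in san_dns_names)


if __name__ == "__main__":
    ok = certificate_matches_host(CERT_SAN_DNS, REPORTED_HOSTNAME)
    print(f"{REPORTED_HOSTNAME} vs {CERT_SAN_DNS}: {'match' if ok else 'NO match'}")
```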
