[
https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16539026#comment-16539026
]
Andy LoPresto commented on NIFI-5370:
-------------------------------------
[~prashanv] I understand why it would be easier to deploy in a
horizontally-scaling environment with a single wildcard cert. I'm sympathetic
to those needs, but that doesn't mean wildcard certs are supported now because
of the issues I outlined above. There are follow-on efforts to improve the
usability with wildcard certificates.
That said, the issues you are encountering have better solutions right now:
* "To my knowledge in NiFi, if we are using uniquely identified certificates we
have to add 'Initial User Identity' and 'Node Identity' in authorizers.xml file
for every new node in cluster. So if we are scaling out we have to update the
authorizers.xml file in all nodes that results in restart of existing nodes" --
you need to prepopulate the {{authorizers.xml}} with the node identities when
you first start a cluster, but I believe you can scale the cluster out without
restarting any running nodes. To do this, simply add a new user via the NiFi
UI/API with the DN of the node hostname, and be sure to give it {{W}}
permission on the {{/proxy}} resource. This is what the
{{FileAccessPolicyProvider}} does during startup (see
[FileAccessPolicyProvider#605|https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java#L605]).
In this way, you should be able to add new nodes to the cluster without
restarting existing nodes. If you run into issues with this, please open a new
Jira against 1.8+ describing what you're doing and the actual result vs.
expected result. We can improve the documentation in the Admin Guide to help
people understand this process.
> Cluster request replication failing with wildcard certs
> -------------------------------------------------------
>
> Key: NIFI-5370
> URL: https://issues.apache.org/jira/browse/NIFI-5370
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.7.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Major
> Labels: certificate, cluster, security, tls, wildcard
> Fix For: 1.8.0
>
>
> From the users mailing list:
> {quote}
> Team,
>
> NiFi secured cluster throws below error with wildcarded self-signed
> standalone certificate. Just a brief background, we are deploying nifi in
> Kubernetes where we have to use wildcarded certificates. Till nifi 1.6.0, it
> was working fine.
> Also I tried bringing up NiFi in linux VM in secured cluster mode with
> wildcarded certs, I am getting same error.
>
> Toolkit command to generate certs:
> bin/tls-toolkit.sh standalone -n
> '*.mynifi-nifi-headless.default.svc.cluster.local' -C 'CN=admin, OU=NIFI' -o
> <targetfolder>
>
> Logs:
> 2018-07-02 12:40:32,369 WARN [Replicate Request Thread-1]
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET
> /nifi-api/flow/current-user to
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local:8443 due to
> javax.net.ssl.SSLPeerUnverifiedException: Hostname
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
> certificate: sha256/########################################
> DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
> subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
> 2018-07-02 12:40:32,370 WARN [Replicate Request Thread-1]
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator
> javax.net.ssl.SSLPeerUnverifiedException: Hostname
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
> certificate: sha256/########################################
> DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
> subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
> at
> okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:316)
>
> Please help me in resolving this.
>
> Note: Same certificates is working for single mode setup.
> {quote}