AnthonyMastrean edited a comment on issue #3266: NIFI-5955 add a Docker HEALTHCHECK
URL: https://github.com/apache/nifi/pull/3266#issuecomment-467158042

So, back on the TLS thread. I can create certs/truststores using the toolkit script in a temporary Docker container with a volume mounted to capture the files on my host for the _next_ run (weird quoting is to make PowerShell happy)...

```
PS> docker run --rm -v "$($pwd)/.nifi:/nifi" --entrypoint /opt/nifi/nifi-toolkit-current/bin/tls-toolkit.sh apache/nifi:1.8.0 standalone -n localhost -C 'CN=admin,OU=NIFI' -O -o /nifi
2019/02/25 19:50:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2019/02/25 19:50:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory /nifi
2019/02/25 19:50:23 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=localhost,OU=NIFI
2019/02/25 19:50:23 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=localhost,OU=NIFI signature with CN=localhost,OU=NIFI
2019/02/25 19:50:23 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=localhost,OU=NIFI
2019/02/25 19:50:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate /nifi/nifi-cert.pem and key /nifi/nifi-key.key
2019/02/25 19:50:23 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Overwriting any existing ssl configuration in /nifi/localhost
2019/02/25 19:50:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for localhost 1 in /nifi/localhost
2019/02/25 19:50:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Overwriting existing client cert /nifi/CN=admin_OU=NIFI.p12
2019/02/25 19:50:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated client certificate /nifi/CN=admin_OU=NIFI.p12
2019/02/25 19:50:24 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
```

I can use this info for _most_ of the environment variables described in [the documentation](https://github.com/apache/nifi/tree/master/nifi-docker/dockerhub#standalone-instance-two-way-ssl).

```
PS> ls -rec .\.nifi\

    Directory: C:\Users\anthony\.nifi

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/25/2019   2:45 PM                localhost
-a----        2/25/2019   2:45 PM           3437 CN=admin_OU=NIFI.p12
-a----        2/25/2019   2:45 PM             43 CN=admin_OU=NIFI.password
-a----        2/25/2019   1:08 PM           1200 nifi-cert.pem
-a----        2/25/2019   1:08 PM           1675 nifi-key.key

    Directory: C:\Users\anthony\.nifi\localhost

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/25/2019   2:45 PM           3075 keystore.jks
-a----        2/25/2019   2:45 PM          11403 nifi.properties
-a----        2/25/2019   2:45 PM            911 truststore.jks
```

Except, I don't know what the truststore passwords are! The [toolkit documentation](https://github.com/apache/nifi/blob/c5c2b308ed4653b79ec303977b811ef90a0c49c1/nifi-docs/src/main/asciidoc/toolkit-guide.adoc#operation-modes) says the password will be auto-generated if you leave off the password parameters.

> (auto-generate if not specified)

I don't see the password in the toolkit output and I'm not sure if it's the same as the `.password` file. I'm going to try it, for now.

```
PS> docker run --name nifi `
  -v "$($pwd)/.nifi/localhost:/opt/certs" `
  -p 8443:8443 `
  -e AUTH=tls `
  -e KEYSTORE_PATH=/opt/certs/keystore.jks `
  -e KEYSTORE_TYPE=JKS `
  -e "KEYSTORE_PASSWORD=$(cat .\.nifi\CN=admin_OU=NIFI.password)" `
  -e TRUSTSTORE_PATH=/opt/certs/truststore.jks `
  -e TRUSTSTORE_TYPE=JKS `
  -e "TRUSTSTORE_PASSWORD=$(cat .\.nifi\CN=admin_OU=NIFI.password)" `
  -e INITIAL_ADMIN_IDENTITY='CN=admin,OU=NIFI' `
  -d `
  apache/nifi:1.8.0
```

No good.

```
Caused by: java.security.UnrecoverableKeyException: Password verification failed
```
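The store passwords asked about in the comment above are not in the toolkit's console output: the standalone mode writes them into the `nifi.properties` it emits next to `keystore.jks` and `truststore.jks` (under `nifi.security.keystorePasswd`, `nifi.security.keyPasswd` and `nifi.security.truststorePasswd`), while the `CN=admin_OU=NIFI.password` file holds only the password of the client `.p12`, which is why reusing it for the keystore fails verification. The script below is an added example, not code from the NiFi project or from the PR author: it reads those three properties out of a toolkit output directory, checks them against the JKS files with `keytool` when `keytool` is on `PATH` (the `apache/nifi` image ships a JRE, so it can be run inside the container against the mounted directory), and prints the `-e` flags for `docker run`. It assumes the directory layout shown in the listing above and the `/opt/certs` mount point from the `docker run` command in the comment; the `nifi.properties` it creates at the end is a constructed sample so that the script runs offline.

```shell
#!/bin/sh
# Added example (not the NiFi project's or the PR author's code). Reads the store
# passwords that "tls-toolkit.sh standalone" wrote into the nifi.properties it emits
# beside keystore.jks/truststore.jks, checks them with keytool when available, and
# prints the docker -e flags for the apache/nifi image. Assumed layout: nifi.properties,
# keystore.jks and truststore.jks in one directory (the toolkit output directory);
# /opt/certs is the in-container mount point used in the comment above.

# Print the value of property $2 from Java properties file $1 (empty if absent).
nifi_prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # match the dots literally
    sed -n "s/^${key}=//p" "$1" | head -n 1
}

# Check that password $2 opens JKS file $1.
# Returns 0 if accepted, 1 if keytool rejects it, 2 if keytool is not on PATH.
verify_store() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -list -keystore "$1" -storetype JKS -storepass "$2" >/dev/null 2>&1
}

# Verify one store if the file exists; prints a status line to stderr (never the
# password itself) and fails only when keytool actually rejects the password.
check_store() {
    [ -f "$1" ] || { echo "# $1 not present, skipping check" >&2; return 0; }
    verify_store "$1" "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "# $1: password from nifi.properties accepted" >&2 ;;
        1) echo "# $1: password from nifi.properties rejected" >&2; return 1 ;;
        *) echo "# $1: keytool not found, skipping check" >&2 ;;
    esac
}

# $1 = toolkit output directory on this machine, $2 = where it is mounted in the
# container (default /opt/certs). Prints the -e flags for docker run on stdout.
nifi_docker_env() {
    dir=$1
    mount=${2:-/opt/certs}
    props="$dir/nifi.properties"
    ks_pass=$(nifi_prop "$props" nifi.security.keystorePasswd)
    key_pass=$(nifi_prop "$props" nifi.security.keyPasswd)
    ts_pass=$(nifi_prop "$props" nifi.security.truststorePasswd)
    if [ -z "$ks_pass" ] || [ -z "$ts_pass" ]; then
        echo "# store passwords not found in $props" >&2
        return 1
    fi
    check_store "$dir/keystore.jks" "$ks_pass" || return 1
    check_store "$dir/truststore.jks" "$ts_pass" || return 1
    echo "-e KEYSTORE_PATH=$mount/keystore.jks"
    echo "-e KEYSTORE_TYPE=JKS"
    echo "-e KEYSTORE_PASSWORD=$ks_pass"
    # The image's secure.sh defaults KEY_PASSWORD to KEYSTORE_PASSWORD, so the flag is
    # only needed when the toolkit generated a distinct key password.
    if [ -n "$key_pass" ] && [ "$key_pass" != "$ks_pass" ]; then
        echo "-e KEY_PASSWORD=$key_pass"
    fi
    echo "-e TRUSTSTORE_PATH=$mount/truststore.jks"
    echo "-e TRUSTSTORE_TYPE=JKS"
    echo "-e TRUSTSTORE_PASSWORD=$ts_pass"
}

# Constructed sample (not real toolkit output): a minimal nifi.properties carrying the
# three password properties so the script can be exercised offline. There are no JKS
# files here, so the keytool check is skipped. For a real run, point SAMPLE_DIR at the
# toolkit output directory, e.g. .nifi/localhost from the listing in the comment.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat >"$SAMPLE_DIR/nifi.properties" <<'EOF'
nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=sampleKeystorePass123
nifi.security.keyPasswd=sampleKeystorePass123
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=sampleTruststorePass456
EOF

nifi_docker_env "$SAMPLE_DIR"
```

Run it against the real output directory (`sh this.sh` after pointing `SAMPLE_DIR` at `.nifi/localhost`, or inside the container with the directory mounted) and splice the printed `-e` lines into the `docker run` command in place of the `.password`-derived values; the stderr lines tell you whether `keytool` accepted each store password before NiFi is started.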
