Nathan Gough created NIFI-6561:
----------------------------------
Summary: Certificate compatibility broken for JDK8 build running on JRE11
Key: NIFI-6561
URL: https://issues.apache.org/jira/browse/NIFI-6561
Project: Apache NiFi
Issue Type: Improvement
Components: Security
Affects Versions: 1.10.0
Reporter: Nathan Gough
When testing Java 11 build compatibility, I found an issue with TLS
certificates when using a remote process group looped back to an input port on
the same cluster. The same certificates were used for JDK8/JRE8, JDK8/JRE11,
JDK11/JRE11, i.e. they contained relevant SAN entries in each case.
*Building on JDK 1.8.0_172 and running on JRE11.0.5+10 caused exceptions when
attempting to send to a local input port with an RPG*:
{code:java}
2019-08-13 18:17:07,946 WARN [Http Site-to-Site PeerSelector] o.apache.nifi.remote.client.PeerSelector Could not communicate with natog0.com:9551 to determine which nodes exist in the remote NiFi cluster, due to javax.net.ssl.SSLPeerUnverifiedException: Certificate for <natog0.com> doesn't match any of the subject alternative names: [natog1.com]
2019-08-13 18:17:07,946 WARN [Http Site-to-Site PeerSelector] o.apache.nifi.remote.client.PeerSelector org.apache.nifi.remote.client.PeerSelector@6d5e02f8 Unable to refresh Remote Group's peers due to Unable to communicate with remote NiFi cluster in order to determine which nodes exist in the remote cluster
{code}
But I did not see this error on the matching builds (JDK8/JRE8, JDK11/JRE11).