[jira] [Commented] (NIFI-5370) Cluster request replication failing with wildcard certs
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16662388#comment-16662388 ]

alfredo commented on NIFI-5370:
---

Hi all, I am deploying a NiFi cluster secured using the Docker image for NiFi version 1.7.1 and am still facing the same problem. Maybe I'm forgetting to do some configuration?

Kind regards,

> Cluster request replication failing with wildcard certs
> ---
>
> Key: NIFI-5370
> URL: https://issues.apache.org/jira/browse/NIFI-5370
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.7.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Major
> Labels: certificate, cluster, security, tls, wildcard
> Fix For: 1.8.0, 1.7.1
>
>
> From the users mailing list:
> {quote}
> Team,
>
> NiFi secured cluster throws below error with wildcarded self-signed
> standalone certificate. Just a brief background, we are deploying nifi in
> Kubernetes where we have to use wildcarded certificates. Till nifi 1.6.0, it
> was working fine.
> Also I tried bringing up NiFi in linux VM in secured cluster mode with
> wildcarded certs, I am getting same error.
>
> Toolkit command to generate certs:
> bin/tls-toolkit.sh standalone -n
> '*.mynifi-nifi-headless.default.svc.cluster.local' -C 'CN=admin, OU=NIFI' -o
>
>
> Logs:
> 2018-07-02 12:40:32,369 WARN [Replicate Request Thread-1]
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET
> /nifi-api/flow/current-user to
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local:8443 due to
> javax.net.ssl.SSLPeerUnverifiedException: Hostname
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
> certificate: sha256/
> DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
> subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
> 2018-07-02 12:40:32,370 WARN [Replicate Request Thread-1]
> o.a.n.c.c.h.r.ThreadPoolRequestReplicator
> javax.net.ssl.SSLPeerUnverifiedException: Hostname
> mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local not verified:
> certificate: sha256/
> DN: CN=*.mynifi-nifi-headless.default.svc.cluster.local, OU=NIFI
> subjectAltNames: [*.mynifi-nifi-headless.default.svc.cluster.local]
> at
> okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:316)
>
> Please help me in resolving this.
>
> Note: Same certificates is working for single mode setup.
> {quote}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (NIFI-5370) Cluster request replication failing with wildcard certs
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16545455#comment-16545455 ]

Andy LoPresto commented on NIFI-5370:
-

[~prashanv] yes, there are multiple ways to avoid/correct the behavior you are seeing here. The error appears because the certificate authority (CA) you are using to sign one set of certs is not the same as the one that signs the next set. The toolkit generates a truststore which contains that CA to allow for cross-node verification. In order for all nodes (added at different times) to verify each other, they must have all the CAs used in every truststore -- this can be accomplished by signing all certs with the same CA, or adding multiple CAs to the same truststore.

1. Run the TLS toolkit from the same directory and use the same output directory. On the first run, the TLS toolkit will create a CA if one is not present, and store the public key in {{nifi-cert.pem}} and the private key in {{nifi-key.key}}. On subsequent runs, the toolkit will detect that a CA is present and use it to sign the additional certs.
2. Run the TLS toolkit in an arbitrary location, and import the newly-generated {{nifi-cert.pem}} into the already existing {{truststore.jks}} deployed on the existing nodes. You will also need to import the original {{nifi-cert.pem}} into the *new* {{truststore.jks}} for the new node.
3. Run the TLS toolkit in *server* mode on an instance, and have the other nodes connect using *client* mode to receive their certificates. These certs will all be signed by the same CA, and new nodes can come online and have certs generated whenever you like. The *server* component runs indefinitely.

More details on all of this are available in the [Admin Guide|https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit].

If you have further questions, I would recommend asking on the *us...@nifi.apache.org* mailing list, as this issue is closed and community members are unlikely to see future comments here.
[jira] [Commented] (NIFI-5370) Cluster request replication failing with wildcard certs
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16544903#comment-16544903 ]

Prashanth Venkatesan commented on NIFI-5370:

[~alopresto] I understand your point on adding a new user via the NiFi UI/API. I experimented with this in a NiFi VM cluster, but I am facing the below general problem.

Assume I initially have 2 nodes (say nifi-node-1 & nifi-node-2), and I create certs using _"tls-toolkit.sh -n 'nifi-node-1,nifi-node-2'"_. Now I am scaling out to 3 nodes (say nifi-node-3). If I regenerate the certs for 3 nodes using tls-toolkit, then new nodes can't validate the other 2 nodes in the cluster, giving *"java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors"*.

Do you have any resolution for handling this scenario without wildcarded certs?
[jira] [Commented] (NIFI-5370) Cluster request replication failing with wildcard certs
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16540978#comment-16540978 ]

ASF subversion and git services commented on NIFI-5370:
---

Commit 76b82e23a16a3ca0b2556d5d3f54140f446c0d9d in nifi's branch refs/heads/support/nifi-1.7.x from [~alopresto]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=76b82e2 ]

NIFI-5370 removed custom hostname verifier implementation from OkHttpReplicationClient (default handles wildcard certs).

This closes #2869.

Signed-off-by: Mark Payne
[jira] [Commented] (NIFI-5370) Cluster request replication failing with wildcard certs
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16539026#comment-16539026 ]

Andy LoPresto commented on NIFI-5370:
-

[~prashanv] I understand why it would be easier to deploy in a horizontally-scaling environment with a single wildcard cert. I'm sympathetic to those needs, but that doesn't mean wildcard certs are supported now because of the issues I outlined above. There are follow-on efforts to improve the usability with wildcard certificates. That said, the issues you are encountering have better solutions right now:

* "To my knowledge in NiFi, if we are using uniquely identified certificates we have to add 'Initial User Identity' and 'Node Identity' in authorizers.xml file for every new node in cluster. So if we are scaling out we have to update the authorizers.xml file in all nodes that results in restart of existing nodes" -- you need to prepopulate the {{authorizers.xml}} with the node identities when you first start a cluster, but I believe you can scale the cluster out without restarting any running nodes. To do this, simply add a new user via the NiFi UI/API with the DN of the node hostname, and be sure to give it {{W}} permission on the {{/proxy}} resource. This is what the {{FileAccessPolicyProvider}} does during startup (see [FileAccessPolicyProvider#605|https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java#L605]).

In this way, you should be able to add new nodes to the cluster without restarting existing nodes. If you run into issues with this, please open a new Jira against 1.8+ describing what you're doing and the actual result vs. expected result. We can improve the documentation in the Admin Guide to help people understand this process.
[jira] [Commented] (NIFI-5370) Cluster request replication failing with wildcard certs
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16538514#comment-16538514 ]

ASF GitHub Bot commented on NIFI-5370:
--

Github user markap14 commented on the issue:

https://github.com/apache/nifi/pull/2869

@alopresto Thanks. The code change makes sense. Was able to verify behavior. I definitely agree with your assessment above for the pros and cons of wildcard certs. +1 merged to master
[jira] [Commented] (NIFI-5370) Cluster request replication failing with wildcard certs
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16538513#comment-16538513 ]

ASF GitHub Bot commented on NIFI-5370:
--

Github user asfgit closed the pull request at:

https://github.com/apache/nifi/pull/2869
[jira] [Commented] (NIFI-5370) Cluster request replication failing with wildcard certs
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16538512#comment-16538512 ]

ASF subversion and git services commented on NIFI-5370:
---

Commit 3ef8b4ab8d732af9af4fbdb9d6df407af6481993 in nifi's branch refs/heads/master from [~alopresto]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=3ef8b4a ]

NIFI-5370 removed custom hostname verifier implementation from OkHttpReplicationClient (default handles wildcard certs).

This closes #2869.

Signed-off-by: Mark Payne
[jira] [Commented] (NIFI-5370) Cluster request replication failing with wildcard certs
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16538093#comment-16538093 ]

Prashanth Venkatesan commented on NIFI-5370:

[~alopresto] The reason behind going towards wildcarded certs was to handle dynamic scaling easily, especially in a containerised environment (say DCOS, Kubernetes, etc.). To my knowledge, in NiFi, if we are using uniquely identified certificates we have to add 'Initial User Identity' and 'Node Identity' in the *authorizers.xml* file for every new node in the cluster. So if we are scaling out we have to update the authorizers.xml file in all nodes, which results in a restart of existing nodes. Also, in the case of a multi-node cluster, managing multiple uniquely identified certificates is a bit difficult.
[jira] [Commented] (NIFI-5370) Cluster request replication failing with wildcard certs
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16537851#comment-16537851 ]

ASF GitHub Bot commented on NIFI-5370:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/2869

This PR is to resolve the user-reported issue in [NIFI-5370](https://issues.apache.org/jira/browse/NIFI-5370) where a secure cluster with nodes using wildcard certificates would not allow UI login. The issue was because the introduced `NiFiHostnameVerifier` did not evaluate wildcard entries properly. This patch fixes the immediate issue.

**However**, wildcard certificates are not officially supported and are **not recommended** for use in a secure cluster environment. There are numerous disadvantages to using wildcard certificates, they have been actively discouraged in the past, and have worked to this point only out of luck. The Admin Guide will be updated to state this explicitly [NIFI-5399](https://issues.apache.org/jira/browse/NIFI-5399).

Disadvantages of wildcard certificates for cluster:

* we use certificate identities many times throughout the codebase to identify a node, and if the certificate simply presents a wildcard DN, that doesn't resolve to anything (see [NIFI-5398](https://issues.apache.org/jira/browse/NIFI-5398))
* you need to provide a custom node identity in your `authorizers.xml` for `*.whatever.com` because all proxy actions only resolve to the cert DN
* no traceability into which node performed an action because they all resolve to the same DN
* if you're running multiple instances on the same machine using different ports to identify them, and you accidentally put `node1` hostname with `node2` port, it will resolve fine because it's using the same certificate, but the host header handler will block it because the `node1` hostname is not listed as an acceptable `host` for `node2` instance (correctly)
* if the cert is compromised, all nodes are compromised

Advantages of wildcard certificates for cluster:

* nominally faster to deploy in dynamically-scaled clusters, however the NiFi TLS Toolkit automates the process of generating correctly-signed, uniquely-identified certificates in the proper format. The deployment script or process for adding a node should leverage this tool rather than use a repeated wildcard certificate. Using a wildcard in the SAN is fine as long as a unique value exists in the SAN as well.
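The failure in the issue description is a hostname-verification problem: the replication client connected to `mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local`, the peer presented a certificate whose only SAN was `*.mynifi-nifi-headless.default.svc.cluster.local`, and the custom verifier rejected it even though a standard single-label wildcard match succeeds. The following Python is an added illustration and is not NiFi or OkHttp code: it implements the conservative wildcard rule most TLS clients apply (wildcard only as the whole left-most label, matching exactly one label, never for an IP literal or a two-label pattern) next to a deliberately literal comparison that stands in for a verifier with no wildcard support. The exact logic of the removed `NiFiHostnameVerifier` is not shown on this page, so the literal verifier is a constructed stand-in, not a reconstruction of it. The sample hostname and SAN are the ones from the log above; the `rfc6125_verifier` case with two SAN entries illustrates the closing remark that a wildcard SAN is fine as long as a unique name is present in the SAN as well.

```python
"""Wildcard SAN matching: why a literal comparison rejects the reported cert.

Added illustration, not NiFi or OkHttp code.  Sample values are copied from
the log in the issue description; everything else is constructed here.
"""
import ipaddress
from typing import Dict, Iterable

# Constructed sample values, copied from the log in the bug report.
REPORTED_HOSTNAME = "mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local"
REPORTED_SANS = ["*.mynifi-nifi-headless.default.svc.cluster.local"]


def _normalize(name: str) -> str:
    """DNS names compare case-insensitively; a trailing dot is not significant."""
    return name.strip().rstrip(".").lower()


def _is_ip_literal(hostname: str) -> bool:
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def dns_name_matches(san_pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against the hostname the client connected to.

    Wildcard rules in the spirit of RFC 6125 section 6.4.3, conservative subset:
      * a wildcard is honoured only when it is the entire left-most label;
      * it matches exactly one label, never zero and never several;
      * it is rejected for patterns with fewer than three labels ('*.local');
      * it never matches an IP address literal.
    """
    pattern = _normalize(san_pattern)
    host = _normalize(hostname)
    if "*" not in pattern:
        return pattern == host
    if _is_ip_literal(host):
        return False
    pattern_labels = pattern.split(".")
    if (pattern_labels[0] != "*"
            or len(pattern_labels) < 3
            or any("*" in label for label in pattern_labels[1:])):
        return False
    host_labels = host.split(".")
    if len(host_labels) != len(pattern_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == pattern_labels[1:]


def literal_verifier(hostname: str, sans: Iterable[str]) -> bool:
    """Constructed stand-in for a verifier without wildcard support: the peer is
    accepted only when some SAN is literally equal to the hostname."""
    host = _normalize(hostname)
    return any(_normalize(san) == host for san in sans)


def rfc6125_verifier(hostname: str, sans: Iterable[str]) -> bool:
    """Accept the peer when any dNSName SAN matches under the rules above."""
    return any(dns_name_matches(san, hostname) for san in sans)


def replication_verdicts(hostname: str, sans: Iterable[str]) -> Dict[str, bool]:
    """Run both verifiers for one replicated request so the difference is visible."""
    sans = list(sans)
    return {"literal": literal_verifier(hostname, sans),
            "rfc6125": rfc6125_verifier(hostname, sans)}


if __name__ == "__main__":
    for name, ok in replication_verdicts(REPORTED_HOSTNAME, REPORTED_SANS).items():
        state = "verified" if ok else "NOT verified"
        print(f"{name:8s} {state}: {REPORTED_HOSTNAME}")
```

Running the block reports `literal NOT verified` and `rfc6125 verified` for the hostname from the log, which is the difference between the replication failure above and the behaviour of the default verifier the commit switched to. The rejection cases (`*.example.com` against `a.b.example.com` or `example.com`, `*.com` against anything, a partial-label pattern such as `f*.example.com`) are the cases a lenient wildcard implementation tends to get wrong and are worth keeping as regression checks in any custom verifier.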
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16537849#comment-16537849 ] ASF GitHub Bot commented on NIFI-5370:
Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/2869
This is now ready for review. Ignore the whitespace only changes on `AbstractNodeProtocolSender`.
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16537840#comment-16537840 ] ASF GitHub Bot commented on NIFI-5370:
Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/2869
Travis succeeded on #9706.1 (EN) and #9706.3 (JP) but failed on #9706.2 (FR). This means the failing unit tests are not related to this build.
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16537819#comment-16537819 ] ASF GitHub Bot commented on NIFI-5370:
Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/2869
This PR is not ready for review yet. I opened it because some unrelated tests were failing locally and I wanted to see the Travis CI results.
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16537802#comment-16537802 ] ASF GitHub Bot commented on NIFI-5370:
GitHub user alopresto opened a pull request: https://github.com/apache/nifi/pull/2869

NIFI-5370 Resolve wildcard certificate issue in secure cluster

Thank you for submitting a contribution to Apache NiFi. In order to streamline the review of the contribution we ask you to ensure the following steps have been taken:

### For all changes:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
- [x] Does your PR title start with NIFI- where is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [x] Has your PR been rebased against the latest commit within the target branch (typically master)?
- [ ] Is your initial contribution a single, squashed commit?

### For code changes:
- [ ] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
- [ ] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
- [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?

### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which it is rendered?

### Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/alopresto/nifi NIFI-5370

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/2869.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #2869

commit 1cea24f8a43ea5b8749af179e61a87baed1ab355
Author: Andy LoPresto
Date:   2018-07-07T05:07:46Z

    NIFI-5370 [WIP] Trying to resolve wildcard cert errors in cluster comms.

commit 226cad359385235ef93424acc26b98e9d0d35696
Author: Andy LoPresto
Date:   2018-07-09T18:42:40Z

    NIFI-5370 [WIP] Refactored AbstractNodeProtocolSender to de-duplicate marshalling/unmarshalling of protocol messages.

commit 89897813d01cbf1a0dbac1779090d93261b3a1e0
Author: Andy LoPresto
Date:   2018-07-09T20:12:54Z

    NIFI-5370 Removed NiFiHostnameVerifier test. Restored custom trustmanager loading but removed custom hostname verifier implementation from OkHttpReplicationClient (default handles wildcard certs).
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16534777#comment-16534777 ] Ramon Havermans commented on NIFI-5370:
Same with us; for now fixed it with a whole list of possibilities, but scaling will be bad.
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16533589#comment-16533589 ] Josef Zahner commented on NIFI-5370:
Hi guys, I'm facing exactly the same issue here. I'm coming from NiFi 1.5.0 and just upgraded to 1.7.0. We are using wildcard certificates signed by our internal root CA. The keystore/truststore works fine for LDAP login and in standalone mode. However, as soon as I'm enabling clustering I'm getting the message below.

*Webgui Message:*
{code:java}
An unexpected error has occurred
javax.net.ssl.SSLPeerUnverifiedException: Hostname i-li-nifi-97.bblab.ch not verified:
    certificate: sha256/14+aCYShEsw59mYdkVr/nuUIILI8e9tJksJtfNff3H0=
    DN: CN=Apache NiFi, OU=OL, O=AG, L=nowhere, ST=d, C=CH
    subjectAltNames: [*.bblab.ch]
{code}

*nifi-app.log*
{code:java}
2018-07-05 12:08:40,705 WARN [Replicate Request Thread-1] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to i-li-nifi-97.bblab.ch:8443 due to javax.net.ssl.SSLPeerUnverifiedException: Hostname i-li-nifi-97.bblab.ch not verified:
    certificate: sha256/14+aCYShEsw59mYdkVr/nuUIILI8e9tJksJtfNff3H0=
    DN: CN=Apache NiFi, OU=OL, O=AG, L=nowhere, ST=d, C=CH
    subjectAltNames: [*.bblab.ch]
2018-07-05 12:08:40,712 WARN [Replicate Request Thread-1] o.a.n.c.c.h.r.ThreadPoolRequestReplicator
javax.net.ssl.SSLPeerUnverifiedException: Hostname i-li-nifi-97.bblab.ch not verified:
    certificate: sha256/14+aCYShEsw59mYdkVr/nuUIILI8e9tJksJtfNff3H0=
    DN: CN=Apache NiFi, OU=OL, O=AG, L=nowhere, ST=d, C=CH
    subjectAltNames: [*.bblab.ch]
{code}

This is a major issue for us. Thanks in advance.
[ https://issues.apache.org/jira/browse/NIFI-5370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16533587#comment-16533587 ] Prashanth Venkatesan commented on NIFI-5370:
Just want to add a few more points to this issue. [~alopresto] - From [NiFiHostnameVerifier|https://github.com/apache/nifi/blob/master/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/util/NiFiHostnameVerifier.java], I can infer that it will either be validated when the CN equals the hostname or the SAN should contain the hostname. Hence wildcarded certs without a SAN are not verified. But in my case, I need to use wildcard certificates.
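The two verification rules discussed in this thread can be compared side by side: the literal rule Prashanth infers from NiFiHostnameVerifier above (accept a host only when the CN equals it or the SAN lists it verbatim), and standard wildcard matching of the kind the 1.7.1 fix falls back to by dropping the custom verifier. The Python below is an added example written for this page, not NiFi or OkHttp code; the certificate names are constructed from the DNs and SANs quoted in the thread, and `CertNames`, `strict_verify`, `wildcard_verify`, `unique_node_identity` and `compare` are names chosen here. It also exercises the point from Andy's comment earlier in the thread: a wildcard-only certificate passes standard verification but yields no per-node identity, while adding the node's own hostname to the SAN satisfies both verifiers and still identifies the node.

```python
"""Hostname verification rules compared on the certificate names quoted in
this thread.  Added example for this page; not NiFi or OkHttp code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")


@dataclass
class CertNames:
    """Names a server certificate presents (constructed; no X.509 parsing)."""
    cn: str
    sans: List[str] = field(default_factory=list)  # dNSName SAN entries


def strict_verify(host: str, cert: CertNames) -> bool:
    """Literal rule from the thread: CN equals the host, or the SAN lists
    the host verbatim.  A wildcard-only certificate never satisfies this."""
    h = host.lower()
    return h == cert.cn.lower() or h in [s.lower() for s in cert.sans]


def _match_pattern(pattern: str, host: str) -> bool:
    """RFC 6125 style wildcard rule: a single '*' is allowed only as the whole
    left-most label, it matches exactly one label (so '*.bblab.ch' does not
    cover 'a.b.bblab.ch' or 'bblab.ch'), and it may not stand in for the
    registered domain itself (so '*.ch' is rejected)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    h_labels = host.split(".")
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def wildcard_verify(host: str, cert: CertNames) -> bool:
    """SAN-first rule used by standards-conforming TLS clients: dNSName SAN
    entries are authoritative; the CN is consulted only when the certificate
    carries no SAN at all (assumption: legacy fallback, not required by RFC 6125)."""
    names = cert.sans if cert.sans else [cert.cn]
    return any(_match_pattern(n, host) for n in names)


def unique_node_identity(cert: CertNames) -> Optional[str]:
    """First concrete DNS name the certificate carries, or None when every
    name is a wildcard (or not a hostname at all).  With None, every node
    presenting this certificate looks identical to an authorizer or audit log."""
    for name in cert.sans + [cert.cn]:
        if "*" not in name and _HOSTNAME_RE.fullmatch(name):
            return name
    return None


# Constructed from the names quoted in the thread.
TOOLKIT_WILDCARD = CertNames(
    cn="*.mynifi-nifi-headless.default.svc.cluster.local",
    sans=["*.mynifi-nifi-headless.default.svc.cluster.local"],
)
INTERNAL_CA_WILDCARD = CertNames(cn="Apache NiFi", sans=["*.bblab.ch"])
# Shape recommended in the thread: wildcard plus the node's own name in the SAN.
WILDCARD_PLUS_UNIQUE = CertNames(
    cn="Apache NiFi", sans=["*.bblab.ch", "i-li-nifi-97.bblab.ch"]
)

K8S_NODE = "mynifi-nifi-1.mynifi-nifi-headless.default.svc.cluster.local"
VM_NODE = "i-li-nifi-97.bblab.ch"


def compare(host: str, cert: CertNames) -> dict:
    """Run both verifiers and the identity check on one host/certificate pair."""
    return {
        "strict": strict_verify(host, cert),
        "wildcard": wildcard_verify(host, cert),
        "identity": unique_node_identity(cert),
    }


if __name__ == "__main__":
    for label, host, cert in [
        ("toolkit wildcard-only", K8S_NODE, TOOLKIT_WILDCARD),
        ("internal CA wildcard-only", VM_NODE, INTERNAL_CA_WILDCARD),
        ("wildcard + unique SAN", VM_NODE, WILDCARD_PLUS_UNIQUE),
    ]:
        print(f"{label:28s} {compare(host, cert)}")
```

Running the block shows the two wildcard-only certificates failing the strict rule (the SSLPeerUnverifiedException seen in the logs) while passing standard wildcard matching, but with no node identity either way; only the certificate that carries the node's own hostname in the SAN passes both and yields an identity an authorizer can bind to. The label-count check in `_match_pattern` is what keeps a wildcard from reaching across subdomain boundaries.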