Re: 1.11.3 trust store error

2020-03-04 Thread Joe Gresock
The nifi.security.keyPasswd was not filled in, so it looked like this (which is the default configuration):

nifi.security.keyPasswd=

On Wed, Mar 4, 2020 at 11:36 AM Endre Kovacs wrote:
> Hi Nathan,
>
> There is already a ticket about this:
> https://issues.apache.org/jira/browse/NIFI-7219
>
>

Re: 1.11.3 trust store error

2020-03-04 Thread Endre Kovacs
Hi Nathan, There is already a ticket about this: https://issues.apache.org/jira/browse/NIFI-7219 Best regards, Endre Sent with ProtonMail Secure Email. ‐‐‐ Original Message ‐‐‐ On Wednesday, March 4, 2020 5:25 PM, Nathan Gough wrote: > I've opened

Re: 1.11.3 trust store error

2020-03-04 Thread Nathan Gough
I've opened https://issues.apache.org/jira/browse/NIFI-7223 to track and I'm working on a fix for this. Nathan On Tue, Mar 3, 2020 at 6:17 PM Nathan Gough wrote: > Hi Joe, > > Just to confirm here - was the nifi.security.keyPasswd not defined at all > in your nifi.properties? Did you have to

Re: 1.11.3 trust store error

2020-03-03 Thread Nathan Gough
Hi Joe, Just to confirm here - was the nifi.security.keyPasswd not defined at all in your nifi.properties? Did you have to add the property and give it the correct value? Or was it in the nifi.properties file but blank? Or were the keyPasswd and keystorePasswd different values? Thanks, Nathan
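
The cases asked about in the message above (property absent, present but blank, or different from the keystore password), plus the matching-value state the thread reports as working on 1.11.3, can be told apart with a small check over nifi.properties. This is an added example, not part of the thread and not NiFi code; the function names and the sample file contents are constructed, and it assumes plain key=value lines.

```shell
#!/bin/sh
# Added example (not from the thread or NiFi): classify nifi.security.keyPasswd
# against nifi.security.keystorePasswd. Assumes plain key=value lines.
# Prints missing | blank | differs | same, never the password values.

# prop_lookup FILE KEY -> "missing" or "set:<value>" (value may be empty)
prop_lookup() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }               # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            i = index(line, "=")
            if (i == 0) next
            k = substr(line, 1, i - 1)
            sub(/[ \t]+$/, "", k)
            if (k != key) next
            v = substr(line, i + 1)
            sub(/^[ \t]+/, "", v)            # leading blanks are not part of the value
            sub(/\r$/, "", v)                # tolerate CRLF files
            found = 1; val = v               # a later definition overrides an earlier one
        }
        END { if (found) print "set:" val; else print "missing" }
    ' "$1"
}

# key_passwd_state FILE -> one word describing the keyPasswd setting
key_passwd_state() {
    kp=$(prop_lookup "$1" nifi.security.keyPasswd)
    sp=$(prop_lookup "$1" nifi.security.keystorePasswd)
    case "$kp" in
        missing) echo missing ;;
        set:)    echo blank ;;
        *)       if [ "$kp" = "$sp" ]; then echo same; else echo differs; fi ;;
    esac
}

# Constructed sample: a keystore password with a blank keyPasswd.
sample=$(mktemp)
printf '%s\n' 'nifi.security.keystorePasswd=constructed-store-pw' \
              'nifi.security.keyPasswd=' > "$sample"
echo "keyPasswd state: $(key_passwd_state "$sample")"
rm -f "$sample"
```
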

Re: 1.11.3 trust store error

2020-03-03 Thread Joe Gresock
Yep, setting the nifi.security.keyPasswd to the same as nifi.security.keystorePasswd fixed it. Thanks for the insight, Endre! On Tue, Mar 3, 2020 at 2:01 PM Joe Witt wrote: > relevant change I believe is here: > > https://github.com/apache/nifi/commit/46d3b6b0dc28f04da124be7685f82bec52e88775 >

Re: 1.11.3 trust store error

2020-03-03 Thread Joe Witt
relevant change I believe is here: https://github.com/apache/nifi/commit/46d3b6b0dc28f04da124be7685f82bec52e88775 and is from https://issues.apache.org/jira/browse/NIFI-6927 It *looks* to me like this was fixing an improper naming/usage issue that has been present but if so we probably should

Re: 1.11.3 trust store error

2020-03-03 Thread Joe Witt
If accurate We need to look into whether this was a mistake and fix it if so. And we need to reflect this in the migration guide On Tue, Mar 3, 2020 at 4:40 AM Ryan Ward wrote: > Endre - thanks that was it > > On Tue, Mar 3, 2020 at 6:50 AM Endre Kovacs > wrote: > > > Hi, > > > > One

Re: 1.11.3 trust store error

2020-03-03 Thread Ryan Ward
Endre - thanks that was it On Tue, Mar 3, 2020 at 6:50 AM Endre Kovacs wrote: > Hi, > > One additional thing: > > we encountered something strange as well: > > on 1.11.2 clustered, kerberized: request replication worked well. > > on 1.11.3 clustered, kerberized: request replication did not

Re: 1.11.3 trust store error

2020-03-03 Thread Endre Kovacs
Hi, One additional thing: we encountered something strange as well: on 1.11.2 clustered, kerberized: request replication worked well. on 1.11.3 clustered, kerberized: request replication did not work, unless you specify, and set nifi.security.keyPasswd to the very same password as the

Re: 1.11.3 trust store error

2020-03-03 Thread Ryan Ward
Hi Joe - Did you resolve your issue? If so I am wondering what the fix was as I'm seeing the same error on my cluster. On Thu, Feb 27, 2020 at 3:13 AM Endre Kovacs wrote: > Hi Joe, > > 1. Have you tried connecting/debugging with openssl? From one pod to the > other: > (openssl s_client

Re: 1.11.3 trust store error

2020-02-27 Thread Endre Kovacs
Hi Joe,

1. Have you tried connecting/debugging with openssl? From one pod to the other:
(openssl s_client -debug -CAfile ca-bundle-signing-node-certificates.crt -cert my-client-cert.crt -connect nifi-3.nifi-headless.lizardspock.svc.cluster.local:6007)

2. certs can also be verified by:

Re: 1.11.3 trust store error

2020-02-26 Thread Andy LoPresto
You can post them on a temporary file sharing service, post them in the Apache NiFi Slack [1], or email them to me directly at alopre...@apache.org. The mailing list software tends to strip attachments. [1] https://apachenifi.slack.com

Re: 1.11.3 trust store error

2020-02-26 Thread Joe Gresock
Good question -- I can't share these keystores and truststores, but I'll see if I can generate some test ones tomorrow. How should I send them to you? On Wed, Feb 26, 2020 at 8:01 PM Andy LoPresto wrote: > Joe, > > Can you share the keystores and truststores you are using? I understand > the

Re: 1.11.3 trust store error

2020-02-26 Thread Andy LoPresto
Joe, Can you share the keystores and truststores you are using? I understand the issue you’re encountering but we haven’t yet been able to reproduce it locally running with certs that work on 1.11.1. Please DO NOT share actual keystores if they contain real private keys, only if these are dev

Re: 1.11.3 trust store error

2020-02-26 Thread Joe Gresock
Ok, I added all the server certs and my administrator's client cert to the trust store, and they all still got PKIX path building failed. So I redeployed nifi 1.11.1, and now it works again. Joe On Wed, Feb 26, 2020 at 6:21 PM Joe Gresock wrote: > Yes, on Kubernetes. > > FWIW, I do see

Re: 1.11.3 trust store error

2020-02-26 Thread Joe Gresock
Yes, on Kubernetes. FWIW, I do see changes to nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java involving a new function createTrustSslContextWithTrustManagers(), among other related changes. I'm going to try directly adding the client certs to

Re: 1.11.3 trust store error

2020-02-26 Thread Joe Witt
on kubernetes is a key detail here too... On Wed, Feb 26, 2020 at 10:01 AM Joe Gresock wrote: > Java 8 > > On Wed, Feb 26, 2020 at 5:59 PM Nathan Gough wrote: > > > Hi Joe, > > > > I just set up a secure cluster with NiFi 1.11.3 and am not seeing any > > issues like you describe. > > > > Are

Re: 1.11.3 trust store error

2020-02-26 Thread Joe Gresock
Java 8 On Wed, Feb 26, 2020 at 5:59 PM Nathan Gough wrote: > Hi Joe, > > I just set up a secure cluster with NiFi 1.11.3 and am not seeing any > issues like you describe. > > Are you running Java 8 or Java 11? > > Nathan > > On Wed, Feb 26, 2020 at 12:22 PM Joe Gresock wrote: > > > Were there

Re: 1.11.3 trust store error

2020-02-26 Thread Nathan Gough
Hi Joe, I just set up a secure cluster with NiFi 1.11.3 and am not seeing any issues like you describe. Are you running Java 8 or Java 11? Nathan On Wed, Feb 26, 2020 at 12:22 PM Joe Gresock wrote: > Were there any changes with how the trust store is used in 1.11.3? I had a > 1.11.0

1.11.3 trust store error

2020-02-26 Thread Joe Gresock
Were there any changes with how the trust store is used in 1.11.3? I had a 1.11.0 deployment working with the following settings, but when I deployed 1.11.3, the cluster can't seem to replicate requests to itself:

nifi.remote.input.host=
nifi.remote.input.secure=true