[jira] [Commented] (NIFI-7756) NIFI 1.12.0 doesn't work with wildcard certificates

2020-09-01 Thread Andy LoPresto (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-7756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17188911#comment-17188911
 ] 

Andy LoPresto commented on NIFI-7756:
-------------------------------------

I'm marking this as closed. As Pierre points out, true wildcard certs are not 
supported, certificates with multiple SANs or keystores with multiple certs 
are supported, and the regression in NIFI-7730 has been resolved. 

> NIFI 1.12.0 doesn't work with wildcard certificates
> ---------------------------------------------------
>
> Key: NIFI-7756
> URL: https://issues.apache.org/jira/browse/NIFI-7756
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework, Security
>Affects Versions: 1.12.0
>Reporter: Heinz Mayer
>Assignee: Andy LoPresto
>Priority: Major
>
> After upgrading to NiFi 1.12.0, NiFi doesn't start anymore.
> The same keystore works with NiFi 1.11.4.
> {code:java}
> 2020-08-21 07:52:21,462 INFO [main] o.e.jetty.util.ssl.SslContextFactory x509=X509@2559c968(tomcat,h=[mic.co.at],w=[mic.co.at]) for SslContextFactory@37f3a1a0[provider=null,keyStore=file:///opt/nifi/conf/keystore.jks,trustStore=file:///opt/nifi/conf/keystore.jks]
> 2020-08-21 07:52:21,462 INFO [main] o.e.jetty.util.ssl.SslContextFactory x509=X509@2559c968(tomcat,h=[mic.co.at],w=[mic.co.at]) for SslContextFactory@37f3a1a0[provider=null,keyStore=file:///opt/nifi/conf/keystore.jks,trustStore=file:///opt/nifi/conf/keystore.jks]
> 2020-08-21 07:52:21,469 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
> java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>     at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>     at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
>     at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
>     at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>     at org.eclipse.jetty.server.Server.doStart(Server.java:385)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>     at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1058)
>     at org.apache.nifi.NiFi.(NiFi.java:158)
>     at org.apache.nifi.NiFi.(NiFi.java:72)
>     at org.apache.nifi.NiFi.main(NiFi.java:301)
> {code}
> 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (NIFI-7756) NIFI 1.12.0 doesn't work with wildcard certificates

2020-08-21 Thread Pierre Villard (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-7756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17181747#comment-17181747
 ] 

Pierre Villard commented on NIFI-7756:
--------------------------------------

Our documentation is clear about not supporting wildcard certificates:

 
{noformat}
Wildcard certificates (i.e. two nodes node1.nifi.apache.org and 
node2.nifi.apache.org being assigned the same certificate with a CN or SAN 
entry of *.nifi.apache.org) are not officially supported and not recommended. 
There are numerous disadvantages to using wildcard certificates, and a cluster 
working with wildcard certificates has occurred in previous versions out of 
lucky accidents, not intentional support. Wildcard SAN entries are acceptable 
if each cert maintains an additional unique SAN entry and CN entry.
{noformat}
Otherwise I think this duplicates NIFI-7730

 

> NIFI 1.12.0 doesn't work with wildcard certificates
> ---------------------------------------------------
>
> Key: NIFI-7756
> URL: https://issues.apache.org/jira/browse/NIFI-7756
> Project: Apache NiFi
>  Issue Type: Bug
>Reporter: Heinz Mayer
>Priority: Major
>
> After upgrading to NiFi 1.12.0, NiFi doesn't start anymore.
> The same keystore works with NiFi 1.11.4.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
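The two conditions this thread turns on, a keystore holding more than one private-key entry and a certificate whose only name is a wildcard, are both visible in a `keytool -list -v` listing before NiFi is ever started. The script below is an added example, not NiFi or Jetty code, that reads such a listing and reports a node's keystore against the documentation Pierre quotes (wildcard SAN acceptable only next to a unique SAN and CN). The listing layout is assumed from the JDK keytool's verbose output, and the aliases, hostnames and CA name in the embedded sample are constructed for the example; `tomcat`, `mic.co.at`, `node1.mic.co.at` and `check_keystore` are not taken from the project.

```python
"""Pre-upgrade check of a NiFi node keystore for the conditions discussed in
NIFI-7756. Added example, not NiFi or Jetty code."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `keytool -list -v -keystore keystore.jks` output.
# Layout assumed from the JDK keytool verbose listing; only the lines the
# parser reads are kept. Aliases, hosts and the CA are made up.
SAMPLE_LISTING = """\
Your keystore contains 3 entries

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=*.mic.co.at, O=Example, C=AT
Issuer: CN=Example CA, O=Example, C=AT
SubjectAlternativeName [
  DNSName: *.mic.co.at
]

Alias name: nifi-node1
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=node1.mic.co.at, O=Example, C=AT
Issuer: CN=Example CA, O=Example, C=AT
SubjectAlternativeName [
  DNSName: node1.mic.co.at
  DNSName: *.mic.co.at
]
Certificate[2]:
Owner: CN=Example CA, O=Example, C=AT
Issuer: CN=Example CA, O=Example, C=AT

Alias name: example-ca
Entry type: trustedCertEntry
Owner: CN=Example CA, O=Example, C=AT
"""


@dataclass
class KeyEntry:
    alias: str
    cn: str               # CN of the leaf certificate
    dns_names: List[str]  # DNSName entries of the leaf's SubjectAlternativeName


_ALIAS_RE = re.compile(r"^Alias name: (.+)$", re.M)
_CN_RE = re.compile(r"^Owner: .*?CN=([^,\n]+)", re.M)
_DNS_RE = re.compile(r"^\s*DNSName: (\S+)$", re.M)


def parse_keytool_listing(text: str) -> List[KeyEntry]:
    """One KeyEntry per PrivateKeyEntry; trustedCertEntry aliases are skipped."""
    entries = []
    for block in re.split(r"(?m)^(?=Alias name: )", text):
        alias = _ALIAS_RE.match(block)
        if not alias or "Entry type: PrivateKeyEntry" not in block:
            continue
        leaf = block.split("Certificate[2]:", 1)[0]  # leaf cert only, not the chain
        cn = _CN_RE.search(leaf)
        entries.append(KeyEntry(alias.group(1).strip(),
                                cn.group(1).strip() if cn else "",
                                _DNS_RE.findall(leaf)))
    return entries


def is_wildcard(name: str) -> bool:
    return name.startswith("*.")


def name_matches(name: str, host: str) -> bool:
    """RFC 6125-style match: the wildcard is the whole leftmost label and covers
    exactly one label, so *.mic.co.at matches node1.mic.co.at but not mic.co.at."""
    name, host = name.lower().rstrip("."), host.lower().rstrip(".")
    if not is_wildcard(name):
        return name == host
    suffix = name[1:]  # ".mic.co.at"
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def check_keystore(listing: str, node_host: str) -> List[str]:
    """Findings for one node's keystore: exactly one key entry, no wildcard-only
    cert, a non-wildcard CN, and the node's own name present explicitly."""
    entries = parse_keytool_listing(listing)
    findings = []
    if len(entries) != 1:
        findings.append(f"{len(entries)} private-key entries (expected exactly one per node)")
    for e in entries:
        names = {e.cn, *e.dns_names} - {""}
        explicit = [n for n in names if not is_wildcard(n)]
        if not explicit:
            findings.append(f"{e.alias}: wildcard-only certificate {sorted(names)} is not supported")
            continue
        if is_wildcard(e.cn):
            findings.append(f"{e.alias}: CN {e.cn} is a wildcard; a unique CN is expected next to a wildcard SAN")
        if not any(name_matches(n, node_host) for n in names):
            findings.append(f"{e.alias}: no name matches this node's hostname {node_host}")
        elif not any(n.lower() == node_host.lower() for n in explicit):
            findings.append(f"{e.alias}: {node_host} matched only via wildcard; add it as an explicit SAN")
    return findings


if __name__ == "__main__":
    for line in check_keystore(SAMPLE_LISTING, "node1.mic.co.at") or ["OK"]:
        print(line)
```

Run it once per cluster node with that node's FQDN as `node_host`; a clean keystore returns an empty list. On the sample it reports the extra key entry and the wildcard-only `tomcat` cert, and for a second node (`node2.mic.co.at`) it also reports that the node is covered only through the wildcard, which is exactly the "lucky accident" the quoted documentation warns about.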