Adam,

This is definitely interesting that your single node secure setup was
working fine and now doesn't work when enabling clustering.

Since you mentioned you weren't opposed to starting over, this post that I
wrote when 1.0 was released should be fairly up to date:
http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

It uses the NiFi toolkit to generate the certs, which also generates a
nifi.properties for you. It might be interesting to work through that, and
assuming it works, then compare the working config to the current config to
see if anything jumps out as being different.

If you want to keep troubleshooting your current setup, it might be good to
use keytool to list the contents of your p12 keystore and see if the
Subject looks correct:

keytool -list -keystore /export/appl/pkgs/nifi/conf/cert.p12 -storepass {password} -storetype PKCS12 -v

I don't see how it could be wrong if your single node setup was working,
but it is worth a shot.

-Bryan
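
An added example, not part of the original thread: a small Python helper that reads the text printed by the keytool -list -v command above and reports, per alias, whether the leaf certificate names a given node hostname. It assumes RFC 2818 matching (SAN DNS names take precedence over the Subject CN, wildcard only as the whole left-most label); the sample text and the names SAMPLE, leaf_names, matches and check are constructed for illustration.

```python
import re

# Constructed sample of `keytool -list -v` text (not output from the thread).
SAMPLE = """\
Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=host1.foo.com, OU=NIFI
Issuer: CN=Example CA, OU=NIFI
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
  DNSName: *.lab.foo.com
]
Certificate[2]:
Owner: CN=Example CA, OU=NIFI
"""

def leaf_names(text):
    """Map alias -> Subject CN and SAN DNS names of the entry's first certificate."""
    entries, alias, idx = {}, None, 1
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias, idx = line.split(":", 1)[1].strip(), 1
            entries[alias] = {"cn": None, "san": []}
        elif (m := re.match(r"Certificate\[(\d+)\]:", line)):
            idx = int(m.group(1))      # 1 is the leaf; higher numbers are CA certs
        elif alias and idx == 1 and line.startswith("Owner:"):
            cn = re.search(r"\bCN=([^,]+)", line)
            entries[alias]["cn"] = cn.group(1).strip() if cn else None
        elif alias and idx == 1 and line.startswith("DNSName:"):
            entries[alias]["san"].append(line.split(":", 1)[1].strip())
    return entries

def matches(pattern, host):
    """Case-insensitive compare; '*' may replace only the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def check(text, host):
    """Map alias -> whether its leaf certificate identifies `host`."""
    result = {}
    for alias, n in leaf_names(text).items():
        # Assumed RFC 2818 order: SAN DNS names, else fall back to the Subject CN.
        names = n["san"] or ([n["cn"]] if n["cn"] else [])
        result[alias] = any(matches(x, host) for x in names)
    return result

if __name__ == "__main__":
    for host in ("host1.foo.com", "localhost", "n1.lab.foo.com"):
        print(host, check(SAMPLE, host))
```

In the constructed sample the Subject CN is host1.foo.com, yet the check for that hostname fails because the SAN entries take precedence, so the SubjectAlternativeName block of the keytool output is worth reading along with the Owner line.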

On Mon, Dec 5, 2016 at 11:25 AM, Adam J. Shook <[email protected]> wrote:

> The tihdedg11 URL would be my failed attempt to mask all the hostnames ;)
>  Oh well.  That'd be host1.foo.com.
>
> The certificates I am using were generated using the below documentation
> [1] as a guide back on NiFi 0.6 -- but we're using the Kerberos provider
> and not the LDAP provider.  I've used the same certs from 0.6 to 1.0 and
> now to 1.1 and I've never had a problem with them.  This is a single-node
> cluster (for now, soon to be two if I can get it working with one) and it
> is failing to replicate the request to itself.
>
> I'm far from a security buff and don't really know where to begin
> troubleshooting this.  If there is a more up-to-date guide on how to get
> security setup, I'd be happy to start over and work through that.  I've
> tried [2] just now and that also didn't pan out since there is no longer an
> authorizer-users.xml file (and I can't make a new one since I've already
> upgraded my old users.xml to the new model).
>
> Thank you,
> --Adam
>
> [1] https://community.hortonworks.com/articles/7341/nifi-user-authentication-with-ldap.html
> [2] https://community.hortonworks.com/articles/886/securing-nifi-step-by-step.html
>
> On Sun, Dec 4, 2016 at 7:57 PM, Andre <[email protected]> wrote:
>
>> Adam,
>>
>> Is the X509 certificate of host1.foo.com reflecting the correct Subject
>> Name?
>>
>> Would you know where the URL tihdedg11.troweprice.com:8080 comes from?
>>
>> Cheers
>>
>> On Mon, Dec 5, 2016 at 10:34 AM, Adam J. Shook <[email protected]>
>> wrote:
>>
>>> Hello all,
>>>
>>> I am trying to enable clustering on my NiFi instance, starting with the
>>> original single-node instance which uses Kerberos and HTTPS.  I've been
>>> following the Clustering Configuration section in the admin guide, and I
>>> see in the logs that the node takes over as the Coordinator and elects the
>>> dataflow.  When I try to connect to the UI I receive the below error -- it
>>> looks like there is no hostname in the GET request when it tries to
>>> replicate it?  I started up the second node and I see it join the cluster,
>>> but accessing the UI throws the same error -- failing to replicate the
>>> request to both nodes.
>>>
>>> Any ideas?
>>>
>>> Thank you,
>>> --Adam
>>>
>>>
>>> 2016-12-04 23:28:02,105 WARN [Replicate Request Thread-1]
>>> o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request
>>> GET /nifi-api/flow/current-user to tihdedg11.troweprice.com:8080 due to
>>> {}
>>> com.sun.jersey.api.client.ClientHandlerException: java.io.IOException:
>>> HTTPS hostname wrong:  should be <host1.foo.com>
>>>
>>>
>
