Thanks for your help, Bryan. I walked through your guide and was able to use the new keystore and certs generated by the nifi-toolkit -- which is great by the way. Makes it easy for us security n00bs.

I compared the configurations and they were similar; nothing out of the ordinary. Must have been something with how the keystore and certs were originally generated. I've now got a two-node NiFi cluster -- now to update the processor configs to handle the new node...

Thanks again,
--Adam

On Mon, Dec 5, 2016 at 12:04 PM, Bryan Bende <[email protected]> wrote:
> Adam,
>
> This is definitely interesting that your single node secure setup was working fine and now doesn't work when enabling clustering.
>
> Since you mentioned you weren't opposed to starting over, this post that I wrote when 1.0 was released should be fairly up to date:
> http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
>
> It uses the NiFi toolkit to generate the certs, which also generates a nifi.properties for you. It might be interesting to work through that, and assuming it works, then compare the working config to the current config to see if anything jumps out as being different.
>
> If you want to keep troubleshooting your current setup, it might be good to use keytool to list the contents of your p12 keystore and see if the Subject looks correct:
>
> keytool -list -keystore /export/appl/pkgs/nifi/conf/cert.p12 -storepass {password} -storetype PKCS12 -v
>
> I don't see how it could be wrong if your single node setup was working, but it is worth a shot.
>
> -Bryan
>
> On Mon, Dec 5, 2016 at 11:25 AM, Adam J. Shook <[email protected]> wrote:
>
>> The tihdedg11 URL would be my failed attempt to mask all the hostnames ;) Oh well. That'd be host1.foo.com.
>>
>> The certificates I am using were generated using the below documentation [1] as a guide back on NiFi 0.6 -- but we're using the Kerberos provider and not the LDAP provider. I've used the same certs from 0.6 to 1.0 and now to 1.1 and I've never had a problem with them. This is a single-node cluster (for now, soon to be two if I can get it working with one) and it is failing to replicate the request to itself.
>>
>> I'm far from a security buff and don't really know where to begin troubleshooting this. If there is a more up-to-date guide on how to get security setup, I'd be happy to start over and work through that. I've tried [2] just now and that also didn't pan out since there is no longer an authorizer-users.xml file (and I can't make a new one since I've already upgraded my old users.xml to the new model).
>>
>> Thank you,
>> --Adam
>>
>> [1] https://community.hortonworks.com/articles/7341/nifi-user-authentication-with-ldap.html
>> [2] https://community.hortonworks.com/articles/886/securing-nifi-step-by-step.html
>>
>> On Sun, Dec 4, 2016 at 7:57 PM, Andre <[email protected]> wrote:
>>
>>> Adam,
>>>
>>> Is the X509 certificate of host1.foo.com reflecting the correct Subject Name?
>>>
>>> Would you know where the URL tihdedg11.troweprice.com:8080 comes from?
>>>
>>> Cheers
>>>
>>> On Mon, Dec 5, 2016 at 10:34 AM, Adam J. Shook <[email protected]> wrote:
>>>
>>>> Hello all,
>>>>
>>>> I am trying to enable clustering on my NiFi instance, starting with the original single-node instance which uses Kerberos and HTTPS. I've been following the Clustering Configuration section in the admin guide, and I see in the logs that the node takes over as the Coordinator and elects the dataflow. When I try to connect to the UI I receive the below error -- it looks like there is no hostname in the GET request when it tries to replicate it? I started up the second node and I see it join the cluster, but accessing the UI throws the same error -- failing to replicate the request to both nodes.
>>>>
>>>> Any ideas?
>>>>
>>>> Thank you,
>>>> --Adam
>>>>
>>>> 2016-12-04 23:28:02,105 WARN [Replicate Request Thread-1] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to tihdedg11.troweprice.com:8080 due to {}
>>>> com.sun.jersey.api.client.ClientHandlerException: java.io.IOException: HTTPS hostname wrong: should be <host1.foo.com>
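The "HTTPS hostname wrong" line in Adam's log is the client-side hostname check rejecting a replicated request sent to a host name the node certificate does not cover. As an added example (not code from this thread or from NiFi), the snippet below implements that matching rule in Python and runs it against a constructed certificate, shaped like the dict `ssl.getpeercert()` returns, that names only host1.foo.com; the target host names are assumed to come from the node address NiFi replicates to (the `nifi.web.https.host` value).

```python
from __future__ import annotations
import re

# Constructed stand-in for ssl.SSLSocket.getpeercert() output (not a real cert
# from the thread): a node certificate issued only to host1.foo.com.
NODE_CERT = {
    "subject": ((("commonName", "host1.foo.com"),),),
    "subjectAltName": (("DNS", "host1.foo.com"),),
}


def cert_hostnames(cert: dict) -> list[str]:
    """Names a verifier may accept: DNS SANs if any exist, otherwise the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a '*' may only appear in the
    left-most label, matches exactly one label, and never a bare suffix like '*.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if "*" not in p_labels[0] or any("*" in label for label in p_labels[1:]):
        return False
    leftmost = re.escape(p_labels[0]).replace(r"\*", "[^.]*")
    return re.fullmatch(leftmost, h_labels[0]) is not None and p_labels[1:] == h_labels[1:]


def check_hostname(cert: dict, hostname: str) -> tuple[bool, str]:
    """Return (ok, message), mirroring what the hostname verifier reports."""
    names = cert_hostnames(cert)
    if any(dns_name_matches(name, hostname) for name in names):
        return True, f"{hostname} is covered by the certificate names {names}"
    return False, f"HTTPS hostname wrong: should be one of {names}, got {hostname}"


if __name__ == "__main__":
    # Replication targets whatever address the node advertises; a masked or
    # mismatched value there can never satisfy the certificate check.
    for target in ("tihdedg11.troweprice.com", "host1.foo.com"):
        print(check_hostname(NODE_CERT, target)[1])
```

The same comparison explains why a wildcard such as `*.foo.com` covers host1.foo.com but not a deeper name like a.b.foo.com, so it is worth running against the exact host names listed in nifi.properties before regenerating anything.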
