Jim,

In the curl command, do you use the “-i”/“--insecure” flag? The issue sounds like one where Python does not trust the NiFi server certificate presented when it attempts to make the connection.

“No Authentication” in the Client Authentication setting means that NiFi is not enforcing the presence of a client certificate (one presented by Python), but it is still presenting one if you configured the StandardSSLContextService with a keystore. If NiFi is presenting a cert and using TLS, it won’t accept incoming connections on plain HTTP.

You’ll have to tell Python to trust that specific certificate or the signer [1]. Luckily it looks pretty simple to provide it the PEM-encoded public certificate directly in the code to make the request.
Perhaps this crude drawing will help:

[1] http://stackoverflow.com/a/30405947/70465
[2] http://security.stackexchange.com/a/20847/16485

Andy LoPresto
[email protected]
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Feb 16, 2017, at 11:27 AM, James McMahon <[email protected]> wrote:
>
> I am unable to get a response from my NiFi server HandleHttpRequest processor when I issue a POST from Python code on a remote box. I suspect my configuration of certs is somehow missing a vital piece of the puzzle, though that seems contrary to my configuration of HandleHttpRequest (No Authentication in parm Client Authentication). From the calling program window all we see is a message that we have made an unverified https request.
>
> My HandleHttpRequest processor is configured with No Authentication in parm Client Authentication. I assumed that this meant no client cert is required for a posting program to post, but now I suspect that I am wrong about that. I do include in the config for this processor an SSL Context Service, StandardSSLContextService. The service is Enabled. The service configuration references my keystore and truststore.
>
> Currently we are executing the python program as user root on the remote server. We are not including any cert reference in our POST call.
>
> What is lacking in my configuration?
>
> We are able to get a response back from the NiFi server when we issue the POST via a curl command. Thanks in advance for your help. -Jim
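An added example, not part of the original thread: one way for the Python client to trust the certificate NiFi presents, using only the standard library. The URL, port and the file name `nifi-cert.pem` are assumptions; the PEM is taken to hold NiFi's self-signed certificate or the CA that signed it.

```python
import ssl
import urllib.error
import urllib.request


def strict_client_context():
    """TLS client context that verifies the server chain and hostname."""
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and check_hostname by default
    # and starts with an empty trust store.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def nifi_trust_context(pem_path):
    """Trust only what is in pem_path: a self-signed NiFi cert or its signing CA."""
    ctx = strict_client_context()
    # Raises FileNotFoundError for a missing file and ssl.SSLError for a file
    # that contains no PEM certificate.
    ctx.load_verify_locations(cafile=pem_path)
    return ctx


def post_to_nifi(url, payload, pem_path, timeout=10):
    """POST bytes to a HandleHttpRequest listener; return (status, body)."""
    req = urllib.request.Request(
        url, data=payload, method="POST",
        headers={"Content-Type": "application/octet-stream"})
    try:
        with urllib.request.urlopen(
                req, context=nifi_trust_context(pem_path), timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.URLError as exc:
        # Separate "certificate not trusted" from ordinary network errors.
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            raise RuntimeError(
                f"server certificate not trusted via {pem_path}: "
                f"{exc.reason.verify_message}") from exc
        raise


if __name__ == "__main__":
    # Assumed values: replace with the real listener URL and exported PEM file.
    status, body = post_to_nifi(
        "https://nifi.example.com:9443/ingest", b'{"hello": "nifi"}', "nifi-cert.pem")
    print(status, body[:200])
```

Hostname checking stays enabled, so the name in the URL has to match a name in the NiFi certificate.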
