There’s a typo in there. The short flag for —insecure in curl is -k, not -i (—include).
Andy LoPresto [email protected] [email protected] PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 > On Feb 17, 2017, at 4:52 PM, Andy LoPresto <[email protected]> wrote: > > Jim, > > In the curl command, do you use the “-i”/“—insecure” flag? The issue sounds > like one where Python does not trust the NiFi server certificate presented > when it attempts to make the connection. “No Authentication” in the Client > Authentication setting means that NiFi is not enforcing the presence of a > client certificate (one presented by Python), but it is still presenting one > if you configured the StandardSSLContextService with a keystore. If NiFi is > presenting a cert and using TLS, it won’t accept incoming connections on > plain HTTP. You’ll have to tell Python to trust that specific certificate or > the signer [1]. Luckily it looks pretty simple to provide it the PEM-encoded > public certificate directly in the code to make the request. > > Perhaps this crude drawing will help: > > <Python HTTP request to NiFi.png> > > [1] http://stackoverflow.com/a/30405947/70465 > <http://stackoverflow.com/a/30405947/70465> > [2] http://security.stackexchange.com/a/20847/16485 > <http://security.stackexchange.com/a/20847/16485> > > Andy LoPresto > [email protected] <mailto:[email protected]> > [email protected] <mailto:[email protected]> > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 > >> On Feb 16, 2017, at 11:27 AM, James McMahon <[email protected] >> <mailto:[email protected]>> wrote: >> >> I am unable to get a response from my NiFi server HandleHttpRequest >> processor when I issue a POST from Python code on a remote box. I suspect my >> configuration of certs is somehow missing a vital piece of the puzzle, >> though that seems contrary to my configuration of HandleHttpRequest (No >> Authentication in parm Client Authentication). From the calling program >> window all we see is a message that we have made an unverified https request. >> My HandleHttpRequest processor is configured with No Authentication in parm >> Client Authentication. I assumed that this meant no client cert is required >> for a posting program to post, but now I suspect that I am wrong about that. >> I do include in the config for this processor an SSL Context Service, >> StandarSSLContextService. The service is Enabled. The service configuration >> references my keystore and truststore. >> Currently we are executing the python program as user root on the remote >> server. We are not including any cert reference in our POST call. >> What is lacking in my configuration? >> We are able to get a response back from the NiFi server when we issue the >> POST via a curl command. Thanks in advance for your help. -Jim >
signature.asc
Description: Message signed with OpenPGP using GPGMail
