For completeness the resolution I got to, and that I posted on the Hortonworks Community forum, is as follows:

=============================

I have finally got a working solution on this, though it may not be ideal. It also seems to be rather simplistic.

Curl, when compiled with NSS, doesn't seem to like encrypted pem files for client certificates/keys. I can make an SSL connection using openssl without any problems using the command (it asks me for the password for cert.pem and establishes a connection correctly):

# openssl s_client -connect host:port -key cert.pem -cert cert.pem -CAfile ca.pem

But if I try to do the same with curl using the following command:

# curl -v --cacert ./nifi-cert.pem --cert ./cert.pem:password --key ./cert.pem:password host:port

It consistently fails with the error:

* unable to load client cert: -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR)
* NSS error -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR)
* Unknown PKCS #11 error.

I've tried forcing openssl to use des3 when converting the pkcs12 file generated by nifi-tools to pem. I've tried playing around with different password strengths. None of this works.

If, on the other hand, I force openssl to not encrypt the pem certificate, using -nodes, it works fine. Not ideal, because it is not exactly good practice storing keys in clear. On the other hand, the password being used by minifi will be stored in clear, so there is not much more downside doing it this way.

I'm sure I can do it another way by storing the certificate in the NSS db (though I did play around with this and there was no easy solution), but I'm keen to minimise the actions required to deploy it.

In the process I also installed nss-devel and nss-pkcs11-devel (both versions 3.28.4) but I don't know whether this had a positive or negative effect. Over the next few days I'll remove them and re-compile to see whether they are dependencies when building for Centos/RHEL 7.

Many thanks to @mparisi and @Timothy Spann for their support and patience on this issue. If anyone has a better way of solving this I'm all ears.

Tom

-----Original Message-----
From: TomBertie <[email protected]>
Sent: 11 March 2018 11:46
To: [email protected]
Subject: Minifi cpp 0 4 0 secure connection

Has anyone got Minifi C++ v0 4 0 working over a secure connection to a Nifi cluster? My certs seem to be fine as I can log into the UI of the secured cluster through the browser using a cert I created for a nifiadmin user.

I've got minifi (collecting Squid logs) working unsecured but every time I try to get it connecting securely it won't authenticate to be able to retrieve s2s settings. The RPG is set up for HTTP rather than RAW. I've posted output from the minifi logs and the security elements of minifi.properties at https://pastebin.com/gg2H7HEP and haven't added any SSLContextService into the config.yml so it should (if I understand correctly) draw the settings from minifi.properties. I'm using the Centos 7 build of minifi cpp on the Hortonworks repo.

I'd really appreciate any support you can give me because I'm sure I'm doing something stupid.

Yours,
Tom

--
Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/
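The -nodes workaround from the resolution above, with the cleartext-key concern it raises handled, as an added example that is not part of this thread or of the MiNiFi project. It assumes a PKCS#12 file produced by the nifi-toolkit, placeholder file names, and openssl on the path.

```shell
#!/bin/sh
# Convert the toolkit PKCS#12 keystore to the unencrypted PEM that NSS-built
# curl accepts, but keep the cleartext key out of reach: files are written
# under a 0700 directory with umask 077 and end up mode 0600.
set -eu

# Create (or reuse) a directory only the owner can enter; prints its mode.
prepare_keydir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 700 "$dir"
    stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir"
}

# Extract key and certificate into separate files (-nodes: key not encrypted).
# $1 = PKCS#12 file (placeholder), $2 = its password, $3 = output directory
p12_to_pem() {
    p12="$1"; pass="$2"; out="$3"
    umask 077
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out/key.pem"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out "$out/cert.pem"
    chmod 600 "$out/key.pem" "$out/cert.pem"
}

# Refuse a cleartext key file that anyone other than the owner can read.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Check that key and certificate belong together by comparing public keys.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# Usage (placeholders): prepare_keydir /etc/minifi/tls
#   p12_to_pem keystore.p12 "$P12_PASS" /etc/minifi/tls
#   key_is_private /etc/minifi/tls/key.pem && key_matches_cert /etc/minifi/tls/key.pem /etc/minifi/tls/cert.pem
#   curl -v --cacert nifi-cert.pem --cert /etc/minifi/tls/cert.pem --key /etc/minifi/tls/key.pem https://host:port/
```

Because the key file is no longer passphrase-protected, the --cert and --key arguments carry no ":password" suffix, which is the form the NSS build loads without the PKCS #11 error.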
