So that’s the even stranger part. I have a single node running that uses the
exact same script to generate the certificate and private key, and it does not
create certs with the double quote in the wrong place.
I had a Java keystore script that I was using which had the double quote in the
wrong place, but I have not used that script to generate the keystores for this
certificate.
#!/bin/bash
dir=${1:-$(pwd -P)}
if [ ! -f "$dir"/openssl.cnf ]; then
  echo "Please pass a directory with an openssl.cnf"
  exit 1
fi
conf="$dir"/openssl.cnf
ca_key="$dir"/ca-key.pem
ca_pem="$dir"/ca.pem
node_key="$dir"/node-key.pem
node_csr="$dir"/node-csr.csr
node_pem="$dir"/node.pem
cn_name=nifi-2.dev.{redacted}.com
openssl genrsa -out "$node_key" 2048
HOSTNAME="$(hostname)" openssl req -new -key "$node_key" -out "$node_csr" -subj "/CN=$cn_name, OU=Nifi" -config "$conf"
HOSTNAME="$(hostname)" openssl x509 -req -in "$node_csr" -CA "$ca_pem" -CAkey "$ca_key" -CAcreateserial -out "$node_pem" -days 365 -extensions v3_req -extfile "$conf"
rm -f "$dir"/*.csr "$dir"/*.srl "$ca_key" "$conf"
chmod -R 600 "$dir"/*.pem
chown -R root:root "$dir"
It is mind-boggling why it's happening on my cluster nodes but not on the
single-node instance I am running separately from the cluster.
> On Mar 30, 2018, at 10:43 AM, Pierre Villard <[email protected]> wrote:
>
> Oh ok, now I see what you mean with the double quotes... didn't notice it in the
> first place =/
> How did you generate the certificates for the nodes? Probably something is wrong
> there that introduced the double quotes in the certificates.
>
> 2018-03-30 17:34 GMT+02:00 Scott Howell <[email protected]>:
> 2018-03-30 15:32:42,268 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://localhost:8443/nifi-api/flow/current-user (source ip: 10.10.2.214)
> 2018-03-30 15:32:42,270 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for uid=scott,ou=users,dc={redacted},dc=com
> 2018-03-30 15:32:42,325 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<uid=scott,ou=users,dc={redacted},dc=com><CN="nifi-2.dev.{redacted}.com, OU=Nifi">) GET https://nifi-2.dev.mobilgov.com:8443/nifi-api/flow/current-user (source ip: 10.10.20.32)
> 2018-03-30 15:32:42,325 WARN [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN="nifi-2.dev.{redacted}.com, OU=Nifi"
>
>> On Mar 30, 2018, at 10:06 AM, Pierre Villard <[email protected]> wrote:
>>
>> Can you copy/paste exactly what you have in the nifi-users.log when you face
>> this error?
>> Just want to double-check there is not some typo somewhere.
>>
>> 2018-03-30 16:50 GMT+02:00 Scott Howell <[email protected]>:
>> Here is my authorizations.xml
>>
>> <authorizations>
>> <policies>
>> <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
>> resource="/flow" action="R">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
>> resource="/restricted-components" action="W">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
>> resource="/tenants" action="R">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
>> resource="/tenants" action="W">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
>> resource="/policies" action="R">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
>> resource="/policies" action="W">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
>> resource="/controller" action="R">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
>> resource="/controller" action="W">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270"
>> resource="/proxy" action="W">
>> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"/>
>> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"/>
>> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe"/>
>> </policy>
>> </policies>
>> </authorizations>
>>
>>> On Mar 30, 2018, at 9:48 AM, Pierre Villard <[email protected]> wrote:
>>>
>>> Hi Scott,
>>>
>>> Can you have a look at the authorizations.xml file? (and share the content
>>> of it to confirm that node users are given the proxy authorizations?)
>>>
>>> Thanks!
>>>
>>> 2018-03-30 16:15 GMT+02:00 Scott Howell <[email protected]>:
>>> I am nearing the finish line of setting up a cluster using a self-signed
>>> cert.
>>>
>>> When trying to log in to the cluster after the cluster comes up, I am able to
>>> see in the logs that my initial admin user is able to log in.
>>>
>>> Once that takes place I get an “Untrusted proxy” error on both the UI and
>>> in the nifi-user.log.
>>>
>>> This is what I see in the UI: Untrusted proxy CN="nifi-2.dev.{redacted}.com, OU=Nifi"
>>>
>>> In my authorizers.xml I have this:
>>> <authorizers>
>>> <authorizer>
>>> <identifier>file-provider</identifier>
>>> <class>org.apache.nifi.authorization.FileAuthorizer</class>
>>> <property name="Authorizations File">/opt/config/authorizations.xml</property>
>>> <property name="Users File">/opt/config/users.xml</property>
>>> <property name="Initial Admin Identity">uid=scott,ou=users,dc={redacted},dc=com</property>
>>> <property name="Legacy Authorized Users File"></property>
>>>
>>> <property name="Node Identity 1">CN=nifi-1.dev.{redacted}.com, OU=Nifi</property>
>>> <property name="Node Identity 2">CN=nifi-2.dev.{redacted}.com, OU=Nifi</property>
>>> <property name="Node Identity 3">CN=nifi-3.dev.{redacted}.com, OU=Nifi</property>
>>> </authorizer>
>>> </authorizers>
>>>
>>> On the nodes I am seeing this in my users.xml:
>>> <tenants>
>>> <groups/>
>>> <users>
>>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"
>>> identity="uid=scott,ou=users,dc={redacted},dc=com"/>
>>> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"
>>> identity="CN=nifi-1.dev.{redacted}.com, OU=Nifi"/>
>>> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"
>>> identity="CN=nifi-2.dev.{redacted}.com, OU=Nifi"/>
>>> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe"
>>> identity="CN=nifi-3.dev.{redacted}.com, OU=Nifi"/>
>>> </users>
>>> </tenants>
>>>
>>> I believe the issue is with where the " is in my error "Untrusted proxy
>>> CN="nifi-2.dev.mobilgov.com, OU=Nifi"", but I am not able to figure out where
>>> that quotation is coming from because I can’t find it anywhere.
>>>
>>> Was wondering if anyone has had issues with this before.
>>>
>>> Scott
>>>
>>
>>
>
>
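Editor's note with an added example (not code from this thread or from the NiFi project): the quoted CN in the log is exactly what the -subj argument in the posted script produces. OpenSSL's -subj splits attributes only on "/", never on ",", so "/CN=nifi-2.dev.{redacted}.com, OU=Nifi" yields a certificate with a single CN whose value is "nifi-2.dev.{redacted}.com, OU=Nifi". NiFi builds the identity it logs from Java's X500Name string form, which wraps any value containing a comma in double quotes and prints RDNs most-specific first (the reverse of the order they are encoded in), which is why the log shows CN="nifi-2.dev.{redacted}.com, OU=Nifi" and why it does not match the configured Node Identity. The Python below models those two behaviours and NiFi's exact-string match against the node identities; the hostnames (example.com) are constructed, and the trusted-proxy check is a simplified stand-in for NiFi's users.xml lookup. The fix it demonstrates is to pass two RDNs with OU before CN, i.e. -subj "/OU=Nifi/CN=$cn_name", and to confirm with openssl x509 -noout -subject -nameopt RFC2253 that the subject has no embedded comma.

```python
"""Model how an OpenSSL -subj string becomes the identity string that NiFi
compares against its "Node Identity" properties.  Added example, not code
from the mailing-list thread.

Two behaviours are modelled:
  * OpenSSL -subj splits attributes only on an unescaped '/', never on ','.
  * Java's X500Name.toString() (the form NiFi logs) prints RDNs most-specific
    first, i.e. in reverse of the encoded order, and wraps any value that
    contains one of , + " \\ < > ; in double quotes.
"""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]
JAVA_SPECIALS = set(',+"\\<>;')

# Constructed to mirror the thread's authorizers.xml, with example.com hostnames.
NODE_IDENTITIES = {
    "CN=nifi-1.dev.example.com, OU=Nifi",
    "CN=nifi-2.dev.example.com, OU=Nifi",
    "CN=nifi-3.dev.example.com, OU=Nifi",
}


def parse_openssl_subj(subj: str) -> List[RDN]:
    """Split an OpenSSL -subj string into (type, value) pairs in encoded order.

    Only '/' separates attributes ('\\/' is a literal slash), so a comma
    inside a value is simply part of that value.
    """
    if not subj.startswith("/"):
        raise ValueError("-subj must start with '/'")
    parts: List[str] = []
    buf: List[str] = []
    i = 1
    while i < len(subj):
        ch = subj[i]
        if ch == "\\" and i + 1 < len(subj):   # backslash-escaped character
            buf.append(subj[i + 1])
            i += 2
            continue
        if ch == "/":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns: List[RDN] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"attribute without '=': {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type, value))
    return rdns


def java_dn_string(rdns: List[RDN]) -> str:
    """Render RDNs the way Java's X500Name.toString() does."""
    rendered = []
    for attr_type, value in reversed(rdns):          # most-specific RDN first
        if any(c in JAVA_SPECIALS for c in value):   # quote values with specials
            value = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
        rendered.append(f"{attr_type}={value}")
    return ", ".join(rendered)


def is_trusted_proxy(identity: str, node_identities=NODE_IDENTITIES) -> bool:
    """Simplified stand-in for NiFi's lookup: the presented identity must match
    a configured node identity character for character (no DN normalisation)."""
    return identity in node_identities


def evaluate(subj: str) -> Tuple[str, bool]:
    """Identity string NiFi would log for this -subj, and whether it is trusted."""
    identity = java_dn_string(parse_openssl_subj(subj))
    return identity, is_trusted_proxy(identity)


def demo() -> Dict[str, Tuple[str, bool]]:
    cases = {
        "posted":   "/CN=nifi-2.dev.example.com, OU=Nifi",  # as in the script: one CN
        "cn_first": "/CN=nifi-2.dev.example.com/OU=Nifi",   # two RDNs, wrong order
        "fixed":    "/OU=Nifi/CN=nifi-2.dev.example.com",   # renders as NiFi expects
    }
    return {label: evaluate(subj) for label, subj in cases.items()}


if __name__ == "__main__":
    for label, (identity, trusted) in demo().items():
        print(f"{label:9s} {'trusted' if trusted else 'UNTRUSTED':9s} {identity}")
```

Running it shows the posted form rendering as CN="nifi-2.dev.example.com, OU=Nifi" (untrusted, matching the log in the thread), the two-RDN form with CN first rendering as OU=Nifi, CN=nifi-2.dev.example.com (still untrusted, because the order is reversed relative to the Node Identity values), and only the OU-then-CN form matching. The same reversal is why a NiFi Node Identity of the form CN=host, OU=Nifi corresponds to an OpenSSL subject written as /OU=Nifi/CN=host.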