Hi Nikhil, The property that you mention: "nifi.registry.security.needClientAuth" applies only to user logins. This allows users to login via certificate or other methods by not requiring that they present a client certificate. However, NiFi & registry require mutual authentication for all machine-to-machine interactions. So in order to have NiFi talk to the registry, NiFi's cert will need to have client auth usage as well.
Thanks -Mark On Sep 13, 2018, at 5:35 AM, Nikhil Chaudhary <[email protected]<mailto:[email protected]>> wrote: Hey Guys, Been stumped with a certificate issue. A bit of info on the deployment strategy. NiFi is running with a wildcard certificate in its keystore (*.domain.com<http://domain.com/>) – It’s a self signed certificate. We’ve added the Root CA in the truststore of NiFi. We’ve used the same keystore to run NiFi registry. So installing the Root CA on my laptop, I can access NiFi on HTTPS with no errors or warnings. In theory the Root CA within the NiFi truststore should do the same when accessing NiFi registry, shouldn’t it? I enabled debug logs and the error that came up was: Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication The certificate only has serverAuth in it’s extended key usage but shouldn’t that be enough? I’ve seen emails and posts online regarding NiFi clustering in which case clientAuth needs to be enabled but this case seems different? ClientAuth in NiFi registry properties file is set as false. nifi.registry.security.needClientAuth=false Is there something I’m missing or not doing correctly? Stack Trace: 2018-09-12 11:02:22,581 DEBUG [NiFi Registry Web Server-15] org.eclipse.jetty.server.HttpConnection javax.net.ssl.SSLHandshakeException: General SSLEngine problem at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529) ~[na:1.8.0_181] at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[na:1.8.0_181] at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[na:1.8.0_181] at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[na:1.8.0_181] at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[na:1.8.0_181] at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:621) ~[jetty-io-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:322) [jetty-server-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:231) [jetty-server-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279) [jetty-io-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110) [jetty-io-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:258) [jetty-io-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:147) [jetty-io-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110) [jetty-io-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124) [jetty-io-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:122) [jetty-util-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.util.thread.strategy.ExecutingExecutionStrategy.invoke(ExecutingExecutionStrategy.java:58) [jetty-util-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:201) [jetty-util-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:133) [jetty-util-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:672) [jetty-util-9.4.3.v20170317.jar:9.4.3.v20170317] at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:590) [jetty-util-9.4.3.v20170317.jar:9.4.3.v20170317] at java.lang.Thread.run(Thread.java:748) [na:1.8.0_181] Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_181] at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[na:1.8.0_181] at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330) ~[na:1.8.0_181] at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[na:1.8.0_181] at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1979) ~[na:1.8.0_181] at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:237) ~[na:1.8.0_181] at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[na:1.8.0_181] at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[na:1.8.0_181] at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[na:1.8.0_181] at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_181] at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[na:1.8.0_181] at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:727) ~[jetty-io-9.4.3.v20170317.jar:9.4.3.v20170317] ... 15 common frames omitted Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication at sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:238) ~[na:1.8.0_181] at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:145) ~[na:1.8.0_181] at sun.security.validator.Validator.validate(Validator.java:274) ~[na:1.8.0_181] at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_181] at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[na:1.8.0_181] at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[na:1.8.0_181] at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1966) ~[na:1.8.0_181] ... 22 common frames omitted Thank You. Best Regards, Nikhil C.
