Hello everyone,
My NiFi has an issue communicating with NiFi Registry.
Both are set up to authenticate and authorize using the same LDAP search
string, and SSL is set up in such a way that users can log in securely to each UI.
Individually, they are both working as expected. However, NiFi can't seem to
talk to NiFi Registry.
When performing the "Start version control", I encounter the following error:
Unable to obtain listing of buckets: javax.net.ssl.SSLHandshakeException:
Received fatal alert: certificate_unknown
Both instances handle SSL using the client key/crt, as well as server ca crt,
provided by OpenShift. They are turned into keystore.jks and truststore.jks
using the following script:
_keystore_gen () {
    ## Convert the PEM formatted certificate and private key to JKS format
    # NiFi is a Java based application, so it needs a Java keystore
    openssl pkcs12 -export \
        -inkey /etc/tls/tls.key \
        -in /etc/tls/tls.crt \
        -name keystore \
        -out "$NIFI_HOME/conf/keystore.p12" \
        -password "pass:$KEYSTORE_PASSWORD"
    keytool -importkeystore -noprompt \
        -srckeystore "$NIFI_HOME/conf/keystore.p12" \
        -srcstoretype pkcs12 \
        -destkeystore "$NIFI_HOME/conf/keystore.jks" \
        -storepass "$KEYSTORE_PASSWORD" \
        -srcstorepass "$KEYSTORE_PASSWORD"
    return 0
}

_truststore_gen () {
    ## Create a Java truststore starting from a CA bundle
    # The loop is required because keytool only imports one certificate at a time,
    # so the bundle is first split into one file per certificate
    csplit -z -f crt- /etc/certs/service-ca.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
    for file in crt-*; do
        keytool -importcert -noprompt \
            -keystore "$TRUSTSTORE_PATH" \
            -file "$file" \
            -storepass "$TRUSTSTORE_PASSWORD" \
            -alias "service-$file"
    done
    return 0
}
This takes place in both NiFi and NiFi Registry prior to starting.
What is the cause of the certificate_unknown error and what should I do to fix
it?
Cheers,
Tony Sim
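Editor's added example (not from the post above and not NiFi or OpenShift code): in a Java TLS stack, alert certificate_unknown is what the validating side sends when it cannot build a trusted path from the certificate it received to a CA in its own truststore. The script below reproduces that path validation offline with openssl, on the PEM material before it is converted to JKS, so the check can be run on each side independently. It goes slightly beyond the post by also splitting the bundle the way the csplit loop does and distinguishing "the signing CA is not in the bundle at all" from "the CA is present but the chain still fails to validate". All certificates and the two-certificate bundle standing in for service-ca.crt are constructed inside the script; the only assumed tools are openssl and POSIX utilities.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduce offline the check a
# TLS peer performs before it answers with alert certificate_unknown, i.e. can
# the presented leaf certificate be chained to a CA in the peer's trust bundle?
# Assumes only openssl and POSIX utilities. Every certificate below is
# constructed on the fly; none of it is OpenShift's real service CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-contained request config so the script does not depend on a system
# openssl.cnf being present.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME: constructed self-signed CA -> $WORK/NAME.crt and $WORK/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/req.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA NAME: leaf certificate NAME.crt signed by CA (the role played
# by the tls.crt/tls.key pair that ends up in keystore.jks)
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/req.cnf" -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# issuer_in_bundle LEAF BUNDLE: 0 if some certificate in BUNDLE has LEAF's
# issuer as its subject. The bundle is split one certificate per file, which
# is what the csplit loop in the post does before feeding keytool.
issuer_in_bundle() {
    issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    rm -rf "$WORK/split" && mkdir "$WORK/split"
    awk -v dir="$WORK/split" \
        '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (dir "/" n ".pem") }' "$2"
    for f in "$WORK/split"/*.pem; do
        subject=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject=//')
        if [ "$subject" = "$issuer" ]; then
            return 0
        fi
    done
    return 1
}

# diagnose LEAF BUNDLE: prints one of
#   trusted        - full path validation succeeds, the peer would accept it
#   issuer-missing - the signing CA is not in the bundle at all
#   chain-invalid  - the CA is present but validation still fails
#                    (expired, bad signature, CA without basicConstraints, ...)
diagnose() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    elif issuer_in_bundle "$1" "$2"; then
        echo chain-invalid
    else
        echo issuer-missing
    fi
}

# Constructed fixtures: the CA that signed the node certificate, an unrelated
# CA, and a two-certificate bundle that plays the part of service-ca.crt.
make_ca constructed-service-ca
make_ca constructed-unrelated-ca
issue_leaf constructed-service-ca constructed-nifi-node
cat "$WORK/constructed-service-ca.crt" "$WORK/constructed-unrelated-ca.crt" \
    > "$WORK/bundle.crt"

# Same leaf, two different trust bundles: only the first would survive the
# handshake; the second is the certificate_unknown situation.
diagnose_with_right_bundle() {
    diagnose "$WORK/constructed-nifi-node.crt" "$WORK/bundle.crt"
}
diagnose_with_wrong_bundle() {
    diagnose "$WORK/constructed-nifi-node.crt" "$WORK/constructed-unrelated-ca.crt"
}

echo "bundle with signing CA:    $(diagnose_with_right_bundle)"
echo "bundle without signing CA: $(diagnose_with_wrong_bundle)"
```

To apply this to a real deployment, run `diagnose` on each side with the other side's tls.crt as LEAF and the local bundle that feeds _truststore_gen as BUNDLE; a mutual-TLS handshake needs both directions to report trusted, and the side that reports anything else is the one that will send the alert.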