Hello everyone. I have found a solution to this particular problem and thought I should share it in case some poor soul comes in here with a similar issue.

I had to do some debugging, and adding:

    java.arg.7=-Djavax.net.debug=ssl,handshake

to nifi-registry's bootstrap.conf and then looking at the nifi-registry-bootstrap.log helped. Essentially, the particular issue arose because, in the Enhanced Key Usage field of the certificate, the one generated by Openshift only contains serverAuth and does not contain clientAuth. There's nothing more that can be done about this, as the Openshift community is against issuing certificates with clientAuth. The only solution is using a different cert that will allow clientAuth as well as serverAuth. How one goes about getting this done would depend on the situation, but I hope this is enough of a lead to resolve the issue. Once that is done, I no longer get this problem.

Good luck.

Cheers,
Tony Sim

From: Sim, Yoosuk <yoosuk....@bell.ca>
Sent: March-11-21 2:34 PM
To: users@nifi.apache.org
Subject: [EXT]Issue between NiFi and NiFi Registry using SSL/LDAP in OpenShift

Hello everyone,

My NiFi has an issue communicating with NiFi Registry. Both are set up to authenticate and authorize using the same LDAP search string, and SSL is set up in such a way that users can log in securely to each UI. Individually, they are both working as expected. However, NiFi can't seem to talk to NiFi Registry. When performing "Start version control", I encounter the following error:

    Unable to obtain listing of buckets: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

Both instances handle SSL using the client key/crt, as well as the server CA crt, provided by OpenShift.
They are turned into keystore.jks and truststore.jks using the following script:

    _keystore_gen (){
        ## Convert PEM formatted certificate and private key to JKS format
        # NiFi is a Java based Application
        # Step 1: bundle the OpenShift-issued key and cert into a PKCS#12 file
        openssl pkcs12 -export \
            -inkey /etc/tls/tls.key \
            -in /etc/tls/tls.crt \
            -name keystore \
            -out "$NIFI_HOME/conf/keystore.p12" \
            -password "pass:$KEYSTORE_PASSWORD"
        # Step 2: convert the PKCS#12 file into the JKS keystore NiFi reads
        keytool -importkeystore -noprompt \
            -srckeystore "$NIFI_HOME/conf/keystore.p12" \
            -srcstoretype pkcs12 \
            -destkeystore "$NIFI_HOME/conf/keystore.jks" \
            -storepass "$KEYSTORE_PASSWORD" \
            -srcstorepass "$KEYSTORE_PASSWORD"
        return 0
    }

    _truststore_gen (){
        ## Create a Java Truststore starting from a CA bundle
        # Loop is required because keytool only imports one certificate at a time
        # csplit writes one file per certificate (crt-00, crt-01, ...) into the current directory
        csplit -z -f crt- /etc/certs/service-ca.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
        for file in crt-*; do
            keytool -importcert -noprompt \
                -keystore "$TRUSTSTORE_PATH" \
                -file "$file" \
                -storepass "$TRUSTSTORE_PASSWORD" \
                -alias "service-$file"
        done
        return 0
    }

This takes place in both NiFi and NiFi Registry prior to starting. What is the cause of the certificate_unknown error and what should I do to fix it?

Cheers,
Tony Sim
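The reply above traces the certificate_unknown alert to a certificate whose Extended Key Usage lists serverAuth but not clientAuth, which matters because NiFi presents its own keystore certificate as a TLS client certificate when it connects to NiFi Registry. The following shell snippet is an added example, not part of either message, for checking a PEM certificate's EKU before it is converted into keystore.jks; it assumes the openssl CLI (1.1.1 or later, for -addext) is on PATH and generates throwaway self-signed sample certificates to demonstrate both outcomes.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): inspect a PEM certificate's Extended Key
# Usage before turning it into keystore.jks, so a serverAuth-only cert is caught
# ahead of the certificate_unknown handshake failure. Assumes openssl on PATH.
set -u

# Print the Extended Key Usage values of a PEM cert, or nothing if the
# extension is absent.
eku_of() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# has_eku CERT NAME: 0 if NAME (an openssl EKU label) is permitted, 1 if not.
# A certificate with no EKU extension is unrestricted (RFC 5280 4.2.1.12).
has_eku() {
    eku=$(eku_of "$1")
    case "$eku" in
        "")      return 0 ;;
        *"$2"*)  return 0 ;;
        *)       return 1 ;;
    esac
}

has_server_auth() { has_eku "$1" "TLS Web Server Authentication"; }
has_client_auth() { has_eku "$1" "TLS Web Client Authentication"; }

# Report whether one cert can serve both roles NiFi needs: listening for its
# UI (serverAuth) and dialing NiFi Registry (clientAuth). Returns 0 when it can.
check_mtls_cert() {
    if has_server_auth "$1" && has_client_auth "$1"; then
        echo "OK: $1 permits serverAuth and clientAuth"
        return 0
    fi
    echo "PROBLEM: $1 EKU=[$(eku_of "$1")]; clientAuth and serverAuth both required" >&2
    return 1
}

# Constructed sample: self-signed cert with the given EKU list, e.g.
# "serverAuth" (what the OpenShift service CA issued) or "serverAuth,clientAuth".
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=nifi-sample" \
        -keyout "$1.key" -out "$1" -addext "extendedKeyUsage=$2" 2>/dev/null
}

# Usage: ./check_eku.sh /etc/tls/tls.crt
if [ "$#" -eq 1 ]; then check_mtls_cert "$1"; fi
```

Run it against /etc/tls/tls.crt on both the NiFi and the NiFi Registry pod; a PROBLEM line on the NiFi side is the condition the reply describes.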