I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).
On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <[email protected]> wrote: > > Hi all, > > I am moving things around and moving from self-signed certs to corporate > certs. > > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with > external certs) and that seems fine. > > I added the cert from the registry server (old self signed) into the new nifi > 1.12 truststore and the new server cert (signed with corporate CA) into the > nifi registry truststore (again, self signed). > > I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry > and made the permission grants (proxy, buckets). I don’t get any SSL errors > in the logs but cannot add a PG via registry (no available bucket). > > Is this setup possible and am I missing something, or do all NiFi nodes and > registry need to be signed with the same key? The idea was to setup a new > instance (on new server), pull all PGs via registry into the new and retiring > the old. > > > > Thanks, > > Roland > > > > > > This message (including any attachments) is intended only for the use of the > individual or entity to which it is addressed and may contain information > that is non-public, proprietary, privileged, confidential, and exempt from > disclosure under applicable law or may constitute as attorney work product. > If you are not the intended recipient, you are hereby notified that any use, > dissemination, distribution, or copying of this communication is strictly > prohibited. If you have received this communication in error, notify us > immediately by telephone and (i) destroy this message if a facsimile or (ii) > delete this message immediately if this is an electronic communication. Thank > you.
