Since you aren't getting SSL errors and you are just getting no buckets, I
don't think it is a problem with certificates. I think it is a problem with
the authorization on NiFi Registry side.

What version of NiFi Registry? And also, can you show what policies exist
for the NiFi server user in NiFi Registry?

On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <[email protected]> wrote:

> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just
> couldn't get it to do what I needed, I wound up just running my own openssl
> and keytool commands. I found it much more straightforward and then I could
> know what all was going on. I'm sure after I got these scars, and I
> understood all the bits, that toolkit would work and be simpler, but I did
> find rolling my own, especially with the external CA, was easier.
>
> also - if you are on slack, there is an active nifi community there that
> may be helpful as well ..
>
> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <
> [email protected]> wrote:
>
>> David,
>>
>> Thanks for the debug config.
>>
>> Here is an output when I try to connect to the registry from that new
>> server, Import a PG.
>>
>> Since we have a few servers running, it is a very verbose log.
>>
>> I may have missed the useful part of the log. 😊
>>
>>
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut ... no IV derived for this protocol
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Handshake, length = 85
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut upcoming handshake states: server
>> finished[20]
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut upcoming handshake states: client
>> change_cipher_spec[-1]
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut upcoming handshake states: client
>> finished[20]
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Change Cipher Spec, length = 1
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut *** Finished
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136,
>> 108, 120, 14, 10, 42, 184 }
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut ***
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut upcoming handshake states: client
>> change_cipher_spec[-1]
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut upcoming handshake states: client
>> finished[20]
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Handshake, length = 96
>>
>> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
>> Change Cipher Spec, length = 1
>>
>> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>>
>> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut upcoming handshake states: client
>> finished[20]
>>
>> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
>> Handshake, length = 96
>>
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut check handshake state: finished[20]
>>
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>>
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut *** Finished
>>
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135,
>> 208, 90, 115, 111, 50, 85, 164 }
>>
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut ***
>>
>> 2021-03-30 06:57:50,226 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 926
>>
>> 2021-03-30 06:57:50,228 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 1100
>>
>> 2021-03-30 06:57:50,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 1018
>>
>> 2021-03-30 06:57:50,231 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 1049
>>
>> 2021-03-30 06:57:50,233 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 1010
>>
>> 2021-03-30 06:57:50,234 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 928
>>
>> 2021-03-30 06:57:50,236 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 924
>>
>> 2021-03-30 06:57:50,237 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 920
>>
>> 2021-03-30 06:57:50,239 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 919
>>
>> 2021-03-30 06:57:50,240 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 1007
>>
>> 2021-03-30 06:57:50,241 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 999
>>
>> 2021-03-30 06:57:50,243 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 916
>>
>> 2021-03-30 06:57:50,245 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 996
>>
>> 2021-03-30 06:57:50,247 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 1102
>>
>> 2021-03-30 06:57:50,248 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 942
>>
>> 2021-03-30 06:57:50,250 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 920
>>
>> 2021-03-30 06:57:50,251 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 919
>>
>> 2021-03-30 06:57:50,253 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 938
>>
>> 2021-03-30 06:57:50,254 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 942
>>
>> 2021-03-30 06:57:50,255 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 923
>>
>> 2021-03-30 06:57:50,256 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 944
>>
>> 2021-03-30 06:57:50,258 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 946
>>
>> 2021-03-30 06:57:50,259 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 1006
>>
>> 2021-03-30 06:57:50,261 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 932
>>
>> 2021-03-30 06:57:50,263 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 912
>>
>> 2021-03-30 06:57:50,264 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 943
>>
>> 2021-03-30 06:57:50,266 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 1026
>>
>> 2021-03-30 06:57:50,267 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 975
>>
>> 2021-03-30 06:57:50,269 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 915
>>
>> 2021-03-30 06:57:50,270 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 914
>>
>> 2021-03-30 06:57:50,271 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 931
>>
>> 2021-03-30 06:57:50,272 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 929
>>
>> 2021-03-30 06:57:50,274 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 910
>>
>> 2021-03-30 06:57:50,275 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 920
>>
>> 2021-03-30 06:57:50,276 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 911
>>
>> 2021-03-30 06:57:50,277 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 918
>>
>> 2021-03-30 06:57:50,279 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 927
>>
>> 2021-03-30 06:57:50,280 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 913
>>
>> 2021-03-30 06:57:50,281 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 923
>>
>> 2021-03-30 06:57:50,282 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 928
>>
>> 2021-03-30 06:57:50,284 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 937
>>
>> 2021-03-30 06:57:50,285 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 1042
>>
>> 2021-03-30 06:57:50,286 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 939
>>
>> 2021-03-30 06:57:50,287 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 939
>>
>> 2021-03-30 06:57:50,289 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 922
>>
>> 2021-03-30 06:57:50,290 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 919
>>
>> 2021-03-30 06:57:50,291 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 930
>>
>> 2021-03-30 06:57:50,292 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 933
>>
>> 2021-03-30 06:57:50,293 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 930
>>
>> 2021-03-30 06:57:50,295 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 931
>>
>> 2021-03-30 06:57:50,296 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 922
>>
>> 2021-03-30 06:57:50,297 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 947
>>
>> 2021-03-30 06:57:50,298 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 905
>>
>> 2021-03-30 06:57:50,300 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 1166
>>
>> 2021-03-30 06:57:50,301 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 914
>>
>> 2021-03-30 06:57:50,302 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 898
>>
>> 2021-03-30 06:57:50,303 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 908
>>
>> 2021-03-30 06:57:50,304 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 989
>>
>> 2021-03-30 06:57:50,306 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Application Data, length = 911
>>
>> 2021-03-30 06:57:50,307 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Application Data, length = 920
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2
>> Alert, length = 80
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2
>> ALERT:  warning, close_notify
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
>> closeInboundInternal()
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
>> closeOutboundInternal()
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2
>> ALERT:  warning, description = close_notify
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2
>> Alert, length = 80
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called
>> closeOutbound()
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
>> closeOutboundInternal()
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
>> Alert, length = 80
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2
>> ALERT:  warning, close_notify
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
>> closeInboundInternal()
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
>> closeOutboundInternal()
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2
>> ALERT:  warning, description = close_notify
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Alert, length = 80
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called
>> closeOutbound()
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
>> closeOutboundInternal()
>>
>>
>>
>> *Roland Rosso*
>> AdventHealth
>> Big Data Administrator | Corporate Analytics
>> O: 407-805-8532
>>
>>
>>
>> *From:* David Handermann <[email protected]>
>> *Sent:* Monday, March 29, 2021 11:56 PM
>> *To:* [email protected]
>> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>>
>>
>>
>> Hi Roland,
>>
>>
>>
>> Thanks for the reply.  If you are not seeing any warnings or errors in
>> the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry
>> bootstrap.conf.  Adding the following line to bootstrap.conf should enable
>> SSL debug output to the nifi-registry-bootstrap.log:
>>
>>
>>
>> java.arg.20=-Djavax.net.debug=ssl
>>
>>
>>
>> This setting produces a lot of output, but if you watch the log after the
>> initial application startup, you should be able to observe the TLS
>> handshake when NiFi attempts to list buckets from NiFi Registry.  The log
>> output should at least confirm that the certificate exchange is occurring
>> as expected.
>>
>>
>>
>> Regards,
>>
>> David Handermann
>>
>>
>>
>> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <
>> [email protected]> wrote:
>>
>> Hi David,
>>
>>
>>
>> I use the nifi-toolkit to create the keystore and truststore to make sure
>> clientAuth and serverAuth is set properly.
>>
>>
>>
>> This is a ‘working’ config.
>>
>> Keystore:
>>
>> Alias name: nifi-key
>>
>> Creation date: date
>>
>> Entry type: PrivateKeyEntry
>>
>>
>>
>> Truststore:
>>
>> Alias name: server_name-nifi-cert
>>
>> Creation date: date
>>
>> Entry type: trustedCertEntry
>>
>>
>>
>> Owner: CN=server.domain.net, OU=NIFI
>>
>> Issuer: CN=localhost, OU=NIFI
>>
>>
>>
>> The issue with the new setup is using external CA, also created via the
>> nifi-toolkit, new NiFi install working fine (from a SSL perspective),
>> Registry connecting but can’t list buckets.
>>
>>
>>
>> Alias name: server_name-nifi-cert
>> Creation date: Mar 29, 2021
>> Entry type: trustedCertEntry
>>
>> Owner: CN= server_name.domain.net, OU=NIFI
>> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
>> ST=XX, C=US
>>
>>
>>
>> Thanks,
>> Roland
>>
>>
>>
>> *From:* David Handermann <[email protected]>
>> *Sent:* Monday, March 29, 2021 9:27 PM
>> *To:* [email protected]
>> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>>
>>
>>
>> Hi Roland,
>>
>>
>>
>> Can you provide the commands you are using to create the server
>> keystores?  Listing the keystore contents using "keytool -list -v -keystore
>> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
>> would be helpful to confirm that the keystore includes a PrivateKeyEntry
>> and not a TrustedCertEntry.
>>
>>
>>
>> Regards,
>>
>> David Handermann
>>
>>
>>
>> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <
>> [email protected]> wrote:
>>
>> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0).
>> Re-signed/Re-imported the certs.
>>
>> The new "server" cert is of the type:
>>
>> Alias name: server_name-nifi-cert
>> Creation date: Mar 29, 2021
>> Entry type: trustedCertEntry
>>
>> Owner: CN= server_name.domain.net, OU=NIFI
>> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
>> ST=XX, C=US
>>
>> [blah]
>>
>> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
>> the registry with all the grants. I don't see any errors in the logs but
>> still cannot properly link it to the existing buckets. Should I add the
>> "server user" in a different manner since the cert issuer is not 'Issuer:
>> CN=localhost, OU=NIFI'?
>> The other servers' certs that are signed with 'Issuer: CN=localhost,
>> OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
>> Is there a way to increase the logs as well?
>>
>> Many thanks,
>> Roland
>>
>> -----Original Message-----
>> From: Rosso, Roland <[email protected]>
>> Sent: Thursday, March 25, 2021 2:21 PM
>> To: [email protected]
>> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>>
>> Thank you Bryan,
>> I've tried all combinations I could think of.
>> I'll re-sign all the certs with the same key for nifi and registry and try
>> this again.
>>
>> Thanks,
>> Roland
>>
>> -----Original Message-----
>> From: Bryan Bende <[email protected]>
>> Sent: Tuesday, March 23, 2021 3:48 PM
>> To: [email protected]
>> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>>
>> I think the issue might be related to the "server user" in nifi registry.
>> I would double check that the way the identity was entered in registry
>> exactly matches the identity from nifi's certificate, case-sensitive and
>> white-space sensitive. Also make sure this user in registry is granted all
>> of the Proxy permissions, it is broken out into three different actions now
>> (read, write, delete).
>>
>> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <
>> [email protected]> wrote:
>> >
>> > Hi all,
>> >
>> > I am moving things around and moving from self-signed certs to
>> corporate certs.
>> >
>> > I’ve installed nifi 1.12 with a new truststore and keystore (use
>> toolkit with external certs) and that seems fine.
>> >
>> > I added the cert from the registry server (old self signed) into the
>> new nifi 1.12 truststore and the new server cert (signed with corporate CA)
>> into the nifi registry truststore (again, self signed).
>> >
>> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the
>> registry and made the permission grants (proxy, buckets). I don’t get any
>> SSL errors in the logs but cannot add a PG via registry (no available
>> bucket).
>> >
>> > Is this setup possible and am I missing something, or do all NiFi nodes
>> and registry need to be signed with the same key? The idea was to setup a
>> new instance (on new server), pull all PGs via registry into the new and
>> retiring the old.
>> >
>> >
>> >
>> > Thanks,
>> >
>> > Roland
>> >
>> >
>> >
>> >
>> >
>> > This message (including any attachments) is intended only for the use
>> of the individual or entity to which it is addressed and may contain
>> information that is non-public, proprietary, privileged, confidential, and
>> exempt from disclosure under applicable law or may constitute as attorney
>> work product. If you are not the intended recipient, you are hereby
>> notified that any use, dissemination, distribution, or copying of this
>> communication is strictly prohibited. If you have received this
>> communication in error, notify us immediately by telephone and (i) destroy
>> this message if a facsimile or (ii) delete this message immediately if this
>> is an electronic communication. Thank you.
>>
>
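The two checks Bryan and Bryan's follow-up ask for, namely that the identity entered in Registry matches the NiFi certificate's DN byte for byte (case- and whitespace-sensitive) and that the user holds all three Proxy actions plus bucket read, can be done offline against the Registry's own policy files. The script below is an added example for this thread, not code from NiFi or NiFi Registry. It assumes the Registry uses the file-based user-group and access-policy providers (conf/users.xml and conf/authorizations.xml), that the proxy resource is `/proxy` and the bucket resource `/buckets` as in those files, and that no identity mapping patterns (`nifi.registry.security.identity.mapping.pattern.*` in nifi-registry.properties) rewrite the DN before it is looked up; the two XML documents are constructed to show the shape, not copied from a real install. Note that the keytool output pasted above reads `CN= server_name.domain.net` with a space after `CN=`; whether that is real or a paste artefact, it is exactly the kind of mismatch the near-miss check reports.

```python
"""Check a NiFi node's certificate DN against NiFi Registry's file-based
users.xml / authorizations.xml.

Added example, not NiFi or NiFi Registry code.  Assumes the file-based
providers and the resource names "/proxy" and "/buckets"; the XML below is
constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed users.xml: the first identity carries a stray space after
# "CN=", the second is what the certificate subject actually looks like.
USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tenants>
  <groups/>
  <users>
    <user identifier="11111111-1111-1111-1111-111111111111"
          identity="CN= server_name.domain.net, OU=NIFI"/>
    <user identifier="22222222-2222-2222-2222-222222222222"
          identity="CN=server.domain.net, OU=NIFI"/>
  </users>
</tenants>
"""

# Constructed authorizations.xml: user 2222... has proxy R and W but not D.
AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<authorizations>
  <policies>
    <policy identifier="p1" resource="/proxy" action="R">
      <user identifier="22222222-2222-2222-2222-222222222222"/>
    </policy>
    <policy identifier="p2" resource="/proxy" action="W">
      <user identifier="22222222-2222-2222-2222-222222222222"/>
    </policy>
    <policy identifier="p3" resource="/buckets" action="R">
      <user identifier="22222222-2222-2222-2222-222222222222"/>
    </policy>
    <policy identifier="p4" resource="/proxy" action="R">
      <user identifier="11111111-1111-1111-1111-111111111111"/>
    </policy>
  </policies>
</authorizations>
"""

# The three actions the proxy permission is split into (read, write, delete).
PROXY_ACTIONS = {"R", "W", "D"}


def normalize_dn(dn: str) -> str:
    """Loose form used ONLY to spot near-misses: lower-case, no whitespace
    around '=' or ','.  Registry compares the raw string, so an identity
    that matches here but not raw is the misconfiguration to look for."""
    parts = [p.strip() for p in dn.split(",")]
    parts = [re.sub(r"\s*=\s*", "=", p) for p in parts]
    return ",".join(parts).lower()


def load_users(users_xml: str) -> dict:
    """Map identity string -> user identifier from users.xml."""
    root = ET.fromstring(users_xml)
    return {u.get("identity"): u.get("identifier") for u in root.iter("user")}


def find_user(cert_dn: str, users_xml: str) -> dict:
    """Exact-match the certificate DN; otherwise list identities that differ
    only by case or whitespace so the typo can be fixed in Registry."""
    users = load_users(users_xml)
    if cert_dn in users:
        return {"match": "exact", "identifier": users[cert_dn], "near_misses": []}
    near = [i for i in users if normalize_dn(i) == normalize_dn(cert_dn)]
    return {"match": "none", "identifier": None, "near_misses": near}


def user_permissions(identifier: str, auth_xml: str) -> dict:
    """Collect the actions granted directly to one user per resource and
    report which proxy actions are still missing."""
    root = ET.fromstring(auth_xml)
    granted = {}
    for policy in root.iter("policy"):
        members = {u.get("identifier") for u in policy.iter("user")}
        if identifier in members:
            granted.setdefault(policy.get("resource"), set()).add(policy.get("action"))
    proxy = granted.get("/proxy", set())
    return {
        "proxy_actions": proxy,
        "missing_proxy_actions": PROXY_ACTIONS - proxy,
        "can_read_buckets": "R" in granted.get("/buckets", set()),
    }


if __name__ == "__main__":
    # Subject as keytool prints it on the "Owner:" line of the NiFi keystore.
    for dn in ("CN=server_name.domain.net, OU=NIFI", "CN=server.domain.net, OU=NIFI"):
        found = find_user(dn, USERS_XML)
        print(dn, "->", found)
        if found["identifier"]:
            print("   permissions:", user_permissions(found["identifier"], AUTHORIZATIONS_XML))
```

Run it with the real files substituted for the constructed strings (read `conf/users.xml` and `conf/authorizations.xml` from the Registry host). A `near_misses` hit means the user exists but Registry will never match it to the presented certificate, which produces exactly the symptom in this thread: a clean TLS handshake and no buckets. A non-empty `missing_proxy_actions` means the NiFi node is trusted to proxy some requests but not all, and group-based grants are not considered here, so an empty result for a user who is only authorized through a group is expected.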