Also try adding the following to NiFi Registry's logback.xml, then see what is in the nifi-registry-app log when you make a request from NiFi to start version control:
<logger name="org.apache.nifi.registry.security" level="DEBUG"/>

On Tue, Mar 30, 2021 at 1:14 PM Bryan Bende <[email protected]> wrote:
> Not sure if this is related, but in one part it shows the Owner as:
>
> CN= server_name.domain.net, OU=NIFI
>
> There is a space between "CN=" and "server_name", but the identity in NiFi
> Registry does not have a space there.
>
> Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net,
> OU=NIFI" and shows the issuer as localhost, so I assume this is the one
> that came from NiFi Toolkit.
>
> If NiFi is presenting a cert with this DN then you would need a user in
> registry with the identity "CN=server.domain.net, OU=NIFI" which is
> different from "CN=server_domain.net, OU=NIFI"
>
> On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <[email protected]> wrote:
>
>> Bryan, David,
>>
>> Where
>>
>> In NiFi Registry Truststore:
>>
>> Alias name: server_name-nifi-cert
>> Creation date: Mar 29, 2021
>> Entry type: trustedCertEntry
>>
>> Owner: CN= server_name.domain.net, OU=NIFI  <- exact match to entry above
>> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
>> ST=XX, C=US  <- corporate CA switch
>>
>> This worked fine when we used the self-signed NiFi certs of the type:
>>
>> Alias name: server_name-nifi-cert
>> Creation date: date
>> Entry type: trustedCertEntry
>> Owner: CN=server.domain.net, OU=NIFI
>> Issuer: CN=localhost, OU=NIFI
>>
>> Roland
>>
>> From: Bryan Bende <[email protected]>
>> Sent: Tuesday, March 30, 2021 8:58 AM
>> To: [email protected]
>> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
>>
>> Since you aren't getting SSL errors and you are just getting no buckets,
>> I don't think it is a problem with certificates. I think it is a problem
>> with the authorization on the NiFi Registry side.
>>
>> What version of NiFi Registry? And also, can you show what policies exist
>> for the NiFi server user in NiFi Registry?
>>
>> On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <[email protected]> wrote:
>>
>> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just
>> couldn't get it to do what I needed, I wound up just running my own openssl
>> and keytool commands. I found it much more straightforward and then I could
>> know what all was going on. I'm sure after I got these scars, and I
>> understood all the bits, that toolkit would work and be simpler, but I did
>> find rolling my own, especially with the external CA, was easier.
>>
>> also - if you are on slack, there is an active nifi community there that
>> may be helpful as well ..
>>
>> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <[email protected]> wrote:
>>
>> David,
>>
>> Thanks for the debug config.
>>
>> Here is an output when I try to connect to the registry from that new
>> server, Import a PG.
>>
>> Since we have a few servers running, it is a very verbose log.
>>
>> I may have missed the useful part of the log. 😊
>>
>> Roland
>>
>> From: David Handermann <[email protected]>
>> Sent: Monday, March 29, 2021 11:56 PM
>> To: [email protected]
>> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
>>
>> Hi Roland,
>>
>> Thanks for the reply. If you are not seeing any warnings or errors in
>> the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry
>> bootstrap.conf. Adding the following line to bootstrap.conf should enable
>> SSL debug output to the nifi-registry-bootstrap.log:
>>
>> java.arg.20=-Djavax.net.debug=ssl
>>
>> This setting produces a lot of output, but if you watch the log after the
>> initial application startup, you should be able to observe the TLS
>> handshake when NiFi attempts to list buckets from NiFi Registry. The log
>> output should at least confirm that the certificate exchange is occurring
>> as expected.
>>
>> Regards,
>> David Handermann
>>
>> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <[email protected]> wrote:
>>
>> Hi David,
>>
>> I use the nifi-toolkit to create the keystore and truststore to make sure
>> clientAuth and serverAuth are set properly.
>>
>> This is a 'working' config.
>>
>> Keystore:
>> Alias name: nifi-key
>> Creation date: date
>> Entry type: PrivateKeyEntry
>>
>> Truststore:
>> Alias name: server_name-nifi-cert
>> Creation date: date
>> Entry type: trustedCertEntry
>> Owner: CN=server.domain.net, OU=NIFI
>> Issuer: CN=localhost, OU=NIFI
>>
>> The issue with the new setup is using an external CA, also created via the
>> nifi-toolkit; the new NiFi install is working fine (from an SSL perspective),
>> Registry is connecting but can't list buckets.
>>
>> Alias name: server_name-nifi-cert
>> Creation date: Mar 29, 2021
>> Entry type: trustedCertEntry
>> Owner: CN= server_name.domain.net, OU=NIFI
>> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
>> ST=XX, C=US
>>
>> Thanks,
>> Roland
>>
>> From: David Handermann <[email protected]>
>> Sent: Monday, March 29, 2021 9:27 PM
>> To: [email protected]
>> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
>>
>> Hi Roland,
>>
>> Can you provide the commands you are using to create the server
>> keystores? Listing the keystore contents using "keytool -list -v -keystore
>> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
>> would be helpful to confirm that the keystore includes a PrivateKeyEntry
>> and not a TrustedCertEntry.
>>
>> Regards,
>> David Handermann
>>
>> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <[email protected]> wrote:
>>
>> I've tried this one more time (NiFi 1.12.1 to Registry 0.6.0).
>> Re-signed/re-imported the certs.
>>
>> The new "server" cert is of the type:
>> Alias name: server_name-nifi-cert
>> Creation date: Mar 29, 2021
>> Entry type: trustedCertEntry
>> Owner: CN= server_name.domain.net, OU=NIFI
>> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
>> ST=XX, C=US
>>
>> [blah]
>>
>> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
>> the registry with all the grants. I don't see any errors in the logs but
>> still cannot properly link it to the existing buckets. Should I add the
>> "server user" in a different manner since the cert issuer is not 'Issuer:
>> CN=localhost, OU=NIFI'?
>> The other servers' certs that are signed with 'Issuer: CN=localhost,
>> OU=NIFI' work just fine (NiFi 1.9.2 to Registry 0.6.0).
>> Is there a way to increase the logs as well?
>>
>> Many thanks,
>> Roland
>>
>> -----Original Message-----
>> From: Rosso, Roland <[email protected]>
>> Sent: Thursday, March 25, 2021 2:21 PM
>> To: [email protected]
>> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>>
>> Thank you Bryan,
>> I've tried all combinations I could think of.
>> I'll re-sign all the certs with the same key for nifi and registry and try
>> this again.
>>
>> Thanks,
>> Roland
>>
>> -----Original Message-----
>> From: Bryan Bende <[email protected]>
>> Sent: Tuesday, March 23, 2021 3:48 PM
>> To: [email protected]
>> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>>
>> I think the issue might be related to the "server user" in nifi registry.
>> I would double check that the way the identity was entered in registry
>> exactly matches the identity from nifi's certificate, case-sensitive and
>> white-space sensitive. Also make sure this user in registry is granted all
>> of the Proxy permissions; it is broken out into three different actions now
>> (read, write, delete).
>>
>> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <[email protected]> wrote:
>> >
>> > Hi all,
>> >
>> > I am moving things around and moving from self-signed certs to
>> > corporate certs.
>> >
>> > I've installed nifi 1.12 with a new truststore and keystore (using the
>> > toolkit with external certs) and that seems fine.
>> >
>> > I added the cert from the registry server (old self-signed) into the
>> > new nifi 1.12 truststore and the new server cert (signed with corporate CA)
>> > into the nifi registry truststore (again, self-signed).
>> >
>> > I also added the server 'user' CN=server.domain, OU=NIFI into the
>> > registry and made the permission grants (proxy, buckets). I don't get any
>> > SSL errors in the logs but cannot add a PG via registry (no available
>> > bucket).
>> >
>> > Is this setup possible and am I missing something, or do all NiFi nodes
>> > and registry need to be signed with the same key?
>> > The idea was to set up a new instance (on a new server), pull all PGs via
>> > registry into the new one and retire the old.
>> >
>> > Thanks,
>> >
>> > Roland
>> >
>> > This message (including any attachments) is intended only for the use
>> > of the individual or entity to which it is addressed and may contain
>> > information that is non-public, proprietary, privileged, confidential, and
>> > exempt from disclosure under applicable law or may constitute as attorney
>> > work product. If you are not the intended recipient, you are hereby
>> > notified that any use, dissemination, distribution, or copying of this
>> > communication is strictly prohibited. If you have received this
>> > communication in error, notify us immediately by telephone and (i) destroy
>> > this message if a facsimile or (ii) delete this message immediately if this
>> > is an electronic communication. Thank you.
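As an added example (not code from this thread or from the Apache NiFi project), the Python below checks Bryan's point about exact identity matching: it parses `keytool -list -v` text of the shape quoted in the thread and reports, for each certificate Owner DN, whether a NiFi Registry user identity matches it exactly or only differs by whitespace or case. The keytool text and the identity list are constructed samples, not the poster's real output.

```python
# Constructed sample in the shape of `keytool -list -v` output (not real output).
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Your keystore contains 2 entries

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

*******************************************

Alias name: nifi-key
Creation date: Mar 29, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI
"""

# Constructed identities, as an admin might have typed them into NiFi Registry.
REGISTRY_IDENTITIES = [
    "CN=server_name.domain.net, OU=NIFI",
    "cn=server.domain.net, ou=nifi",
]

# Best-to-worst ordering of the verdicts classify_identity() can return.
RANK = {"exact": 0, "whitespace-differs": 1, "case-differs": 2, "different": 3}


def parse_keytool_entries(text):
    """Extract alias, entry type and the leaf certificate's Owner/Issuer per entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip(),
                       "entry_type": None, "owner": None, "issuer": None}
            entries.append(current)
        elif current is None:
            continue  # keystore header lines before the first entry
        elif line.startswith("Entry type:"):
            current["entry_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:") and current["owner"] is None:
            # the first Owner after an alias is the entry's own (leaf) certificate
            current["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and current["issuer"] is None:
            current["issuer"] = line.split(":", 1)[1].strip()
    return entries


def canonical_dn(dn):
    """Strip whitespace around '=' and ',' for diagnosis only (naive split, no
    RFC 4514 escaping). NiFi Registry compares identities exactly, case- and
    whitespace-sensitive, so a stray space after 'CN=' breaks the user lookup."""
    parts = []
    for rdn in dn.split(","):
        name, sep, value = rdn.partition("=")
        parts.append(f"{name.strip()}={value.strip()}" if sep else rdn.strip())
    return ",".join(parts)


def classify_identity(cert_dn, identity):
    """'exact' is the only verdict under which NiFi Registry authorizes the user."""
    if identity == cert_dn:
        return "exact"
    a, b = canonical_dn(cert_dn), canonical_dn(identity)
    if a == b:
        return "whitespace-differs"
    if a.lower() == b.lower():
        return "case-differs"
    return "different"


def check_registry_identities(keytool_text, identities):
    """Per keystore entry, report the closest configured identity and its verdict."""
    report = {}
    for entry in parse_keytool_entries(keytool_text):
        best, best_identity = "different", None
        for identity in identities:
            verdict = classify_identity(entry["owner"] or "", identity)
            if RANK[verdict] < RANK[best]:
                best, best_identity = verdict, identity
        report[entry["alias"]] = {"entry_type": entry["entry_type"],
                                  "owner": entry["owner"],
                                  "match": best, "identity": best_identity}
    return report
```

Run it against the real `keytool -list -v` output of the NiFi truststore or keystore and the identities from the Registry users page; any verdict other than "exact" explains an empty bucket list without any SSL error.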
