Hi Roland,
I recently had a similar issue where my secured NiFi and Registry instances 
were able to connect but not list buckets. My problem traced back to my NiFi 
authorizers.xml in the conf directory, where I didn’t include the server 
certificate as a User Identity.

If possible, can you show what you have listed for <userGroupProvider> and 
<accessPolicyProvider> in your authorizers.xml?

Best,
Margot

> On Mar 30, 2021, at 11:08 AM, Bryan Bende <[email protected]> wrote:
> 
> If the issue is related to the server user, then there would be something 
> like this:
> 
> "Untrusted proxy [%s] for %s operation."
> 
> Where the first parameter would be the identity of the nifi server and the 
> second parameter would be READ/WRITE/DELETE.
> 
> Also search for whatever user identity you are using in nifi since that will 
> be sent as a proxied entity.
> 
> On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <[email protected] 
> <mailto:[email protected]>> wrote:
> Bryan,
> 
> Tried the below:
> 
> “Also try adding the following NiFi Registry's logback.xml then see what is 
> in the nifi-registry-app log when you make a request from NiFi to start 
> version control:
> 
> <logger name="org.apache.nifi.registry.security" level="DEBUG"/>”
> 
>  
> 
> I tried to add a flow to version control or pull a new PG. Since we have 5 
> instances connected to that registry, hard to say which is doing what, but I 
> can find all the instances in nifi-registry-app.log but not the one that’s 
> not connecting right.
> 
> Anything specific you want me to look for in that log?
> 
>  
> 
> Thanks,
> 
> Roland Rosso
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
> 
>  
> 
> From: Rosso, Roland <[email protected]> 
> Sent: Tuesday, March 30, 2021 1:28 PM
> To: [email protected] <mailto:[email protected]>
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> So,
> 
> CN= server_name.domain.net, OU=NIFI
> 
>  
> 
> It decided to hyperlink it so the ‘_’ was hidden
> 
>  
> 
> Both sets of certs were generated with the toolkit, albeit the first one 2 
> years ago with self-signed certs, and I need to move it to corporate CA.
> 
>  
> 
> New Server Cert:
> 
> Alias name: server_name-nifi-cert
> 
> Creation date: Mar 29, 2021
> 
> Entry type: trustedCertEntry
> 
>  
> 
> Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
> 
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, 
> ST=XX, C=US  <-- corporate CA switch
> 
> This worked fine when we used the self-signed NiFi certs of the type:
> 
>  
> 
> Old Server Cert: (this was working but I need to use the above now)
> 
> Alias name: server_name-nifi-cert
> 
> Creation date: date
> 
> Entry type: trustedCertEntry
> 
> Owner: CN=server.domain.net, OU=NIFI
> 
> Issuer: CN=localhost, OU=NIFI
> 
>  
> 
> Thanks,
> 
> Roland Rosso
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
> 
>  
> 
> From: Bryan Bende <[email protected] <mailto:[email protected]>> 
> Sent: Tuesday, March 30, 2021 1:14 PM
> To: [email protected] <mailto:[email protected]>
> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> Not sure if this is related, but in one part it shows the Owner as:
> 
>  
> 
> CN= server_name.domain.net, OU=NIFI
> 
>  
> 
> There is a space between "CN=" and "server_name", but the identity in NiFi 
> Registry does not have a space there.
> 
>  
> 
> Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net, 
> OU=NIFI" and shows the issuer as localhost, so I assume this is the one 
> that came from NiFi Toolkit.
> 
>  
> 
> If NiFi is presenting a cert with this DN then you would need a user in 
> registry with the identity "CN=server.domain.net, OU=NIFI" which is 
> different from "CN=server_domain.net, OU=NIFI"
> 
>  
> 
> On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <[email protected] 
> <mailto:[email protected]>> wrote:
> 
> Bryan, David,
> 
>  
> 
> <image001.png>
> 
> Where
> 
> In NiFi Registry Truststore:
> 
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
> 
> Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, 
> ST=XX, C=US  <-- corporate CA switch
> 
> This worked fine when we used the self-signed NiFi certs of the type:
> 
>  
> 
> Alias name: server_name-nifi-cert
> 
> Creation date: date
> 
> Entry type: trustedCertEntry
> 
> Owner: CN=server.domain.net, OU=NIFI
> 
> Issuer: CN=localhost, OU=NIFI
> 
>  
> 
> Roland
> 
>  
> 
> From: Bryan Bende <[email protected] <mailto:[email protected]>> 
> Sent: Tuesday, March 30, 2021 8:58 AM
> To: [email protected] <mailto:[email protected]>
> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> Since you aren't getting SSL errors and you are just getting no buckets, I 
> don't think it is a problem with certificates. I think it is a problem with 
> the authorization on NiFi Registry side.
> 
>  
> 
> What version of NiFi Registry? And also, can you show what policies exist 
> for the NiFi server user in NiFi Registry?
> 
>  
> 
> On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <[email protected] 
> <mailto:[email protected]>> wrote:
> 
> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just 
> couldn't get it to do what I needed, I wound up just running my own openssl 
> and keytool commands. I found it much more straightforward and then I could 
> know what all was going on. I'm sure after I got these scars, and I understood 
> all the bits, that toolkit would work and be simpler, but I did find rolling 
> my own, especially with the external CA, was easier.
> 
>  
> 
> also - if you are on slack, there is an active nifi community there that may 
> be helpful as well .. 
> 
>  
> 
> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <[email protected] 
> <mailto:[email protected]>> wrote:
> 
> David,
> 
> Thanks for the debug config.
> 
> Here is an output when I try to connect to the registry from that new server, 
> Import a PG.
> 
> Since we have a few servers running, it is a very verbose log.
> 
> I may have missed the useful part of the log. 😊
> 
>  
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut ... no IV derived for this protocol
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Handshake, length = 85
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut upcoming handshake states: client 
> change_cipher_spec[-1]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Change Cipher Spec, length = 1
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut *** Finished
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 
> 108, 120, 14, 10, 42, 184 }
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut ***
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut upcoming handshake states: client 
> change_cipher_spec[-1]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Handshake, length = 96
> 
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 
> Change Cipher Spec, length = 1
> 
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
> 
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
> 
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 
> Handshake, length = 96
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut check handshake state: finished[20]
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut *** Finished
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 
> 90, 115, 111, 50, 85, 164 }
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut ***
> 
> 2021-03-30 06:57:50,226 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 926
> 
> 2021-03-30 06:57:50,228 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 1100
> 
> 2021-03-30 06:57:50,229 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 1018
> 
> 2021-03-30 06:57:50,231 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 1049
> 
> 2021-03-30 06:57:50,233 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 1010
> 
> 2021-03-30 06:57:50,234 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 928
> 
> 2021-03-30 06:57:50,236 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 924
> 
> 2021-03-30 06:57:50,237 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 920
> 
> 2021-03-30 06:57:50,239 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 919
> 
> 2021-03-30 06:57:50,240 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 1007
> 
> 2021-03-30 06:57:50,241 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 999
> 
> 2021-03-30 06:57:50,243 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 916
> 
> 2021-03-30 06:57:50,245 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 996
> 
> 2021-03-30 06:57:50,247 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 1102
> 
> 2021-03-30 06:57:50,248 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 942
> 
> 2021-03-30 06:57:50,250 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 920
> 
> 2021-03-30 06:57:50,251 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 919
> 
> 2021-03-30 06:57:50,253 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 938
> 
> 2021-03-30 06:57:50,254 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 942
> 
> 2021-03-30 06:57:50,255 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 923
> 
> 2021-03-30 06:57:50,256 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 944
> 
> 2021-03-30 06:57:50,258 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 946
> 
> 2021-03-30 06:57:50,259 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 1006
> 
> 2021-03-30 06:57:50,261 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 932
> 
> 2021-03-30 06:57:50,263 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 912
> 
> 2021-03-30 06:57:50,264 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 943
> 
> 2021-03-30 06:57:50,266 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 1026
> 
> 2021-03-30 06:57:50,267 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 975
> 
> 2021-03-30 06:57:50,269 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 915
> 
> 2021-03-30 06:57:50,270 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 914
> 
> 2021-03-30 06:57:50,271 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 931
> 
> 2021-03-30 06:57:50,272 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 929
> 
> 2021-03-30 06:57:50,274 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 910
> 
> 2021-03-30 06:57:50,275 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 920
> 
> 2021-03-30 06:57:50,276 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 911
> 
> 2021-03-30 06:57:50,277 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 918
> 
> 2021-03-30 06:57:50,279 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 927
> 
> 2021-03-30 06:57:50,280 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 913
> 
> 2021-03-30 06:57:50,281 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 923
> 
> 2021-03-30 06:57:50,282 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 928
> 
> 2021-03-30 06:57:50,284 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 937
> 
> 2021-03-30 06:57:50,285 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 1042
> 
> 2021-03-30 06:57:50,286 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 939
> 
> 2021-03-30 06:57:50,287 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 939
> 
> 2021-03-30 06:57:50,289 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 922
> 
> 2021-03-30 06:57:50,290 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 919
> 
> 2021-03-30 06:57:50,291 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 930
> 
> 2021-03-30 06:57:50,292 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 933
> 
> 2021-03-30 06:57:50,293 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 930
> 
> 2021-03-30 06:57:50,295 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 931
> 
> 2021-03-30 06:57:50,296 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 922
> 
> 2021-03-30 06:57:50,297 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 947
> 
> 2021-03-30 06:57:50,298 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 905
> 
> 2021-03-30 06:57:50,300 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 1166
> 
> 2021-03-30 06:57:50,301 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 914
> 
> 2021-03-30 06:57:50,302 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 898
> 
> 2021-03-30 06:57:50,303 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 908
> 
> 2021-03-30 06:57:50,304 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 989
> 
> 2021-03-30 06:57:50,306 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Application Data, length = 911
> 
> 2021-03-30 06:57:50,307 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 
> Application Data, length = 920
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 
> Alert, length = 80
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 
> ALERT:  warning, close_notify
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, 
> closeInboundInternal()
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, 
> closeOutboundInternal()
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 
> ALERT:  warning, description = close_notify
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 
> Alert, length = 80
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called 
> closeOutbound()
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, 
> closeOutboundInternal()
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 
> Alert, length = 80
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 
> ALERT:  warning, close_notify
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, 
> closeInboundInternal()
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, 
> closeOutboundInternal()
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 
> ALERT:  warning, description = close_notify
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 
> Alert, length = 80
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called 
> closeOutbound()
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] 
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, 
> closeOutboundInternal()
> 
>  
> 
> Roland
> 
>  
> 
> From: David Handermann <[email protected] 
> <mailto:[email protected]>> 
> Sent: Monday, March 29, 2021 11:56 PM
> To: [email protected] <mailto:[email protected]>
> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> Hi Roland,
> 
>  
> 
> Thanks for the reply.  If you are not seeing any warnings or errors in the 
> NiFi Registry logs, you could enable SSL debugging in the NiFi Registry 
> bootstrap.conf.  Adding the following line to bootstrap.conf should enable 
> SSL debug output to the nifi-registry-bootstrap.log:
> 
>  
> 
> java.arg.20=-Djavax.net.debug=ssl
> 
>  
> 
> This setting produces a lot of output, but if you watch the log after the 
> initial application startup, you should be able to observe the TLS handshake 
> when NiFi attempts to list buckets from NiFi Registry.  The log output should 
> at least confirm that the certificate exchange is occurring as expected.
> 
>  
> 
> Regards,
> 
> David Handermann
> 
>  
> 
> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <[email protected] 
> <mailto:[email protected]>> wrote:
> 
> Hi David,
> 
>  
> 
> I use the nifi-toolkit to create the keystore and truststore to make sure 
> clientAuth and serverAuth is set properly.
> 
>  
> 
> This is a ‘working’ config.
> 
> Keystore:
> 
> Alias name: nifi-key
> 
> Creation date: date
> 
> Entry type: PrivateKeyEntry
> 
>  
> 
> Truststore:
> 
> Alias name: server_name-nifi-cert
> 
> Creation date: date
> 
> Entry type: trustedCertEntry
> 
>  
> 
> Owner: CN=server.domain.net, OU=NIFI
> 
> Issuer: CN=localhost, OU=NIFI
> 
>  
> 
> The issue with the new setup is using external CA, also created via the 
> nifi-toolkit, new NiFi install working fine (from a SSL perspective), 
> Registry connecting but can’t list buckets.
> 
>  
> 
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
> 
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, 
> ST=XX, C=US
> 
>  
> 
> Thanks,
> Roland
> 
>  
> 
> From: David Handermann <[email protected] 
> <mailto:[email protected]>> 
> Sent: Monday, March 29, 2021 9:27 PM
> To: [email protected] <mailto:[email protected]>
> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> Hi Roland,
> 
>  
> 
> Can you provide the commands you are using to create the server keystores?  
> Listing the keystore contents using "keytool -list -v -keystore 
> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it 
> would be helpful to confirm that the keystore includes a PrivateKeyEntry and 
> not a TrustedCertEntry.
> 
>  
> 
> Regards,
> 
> David Handermann
> 
>  
> 
> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <[email protected] 
> <mailto:[email protected]>> wrote:
> 
> I've tried this one more time (NiFi 1.12.1 to Registry 0.6.0). 
> Re-signed/Re-imported the certs.
> 
> The new "server" cert is of the type:
> 
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
> 
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, 
> ST=XX, C=US
> 
> [blah]
> 
> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the 
> registry with all the grants. I don't see any errors in the logs but still 
> cannot properly link it to the existing buckets. Should I add the "server 
> user" in a different manner since the cert issuer is not 'Issuer: 
> CN=localhost, OU=NIFI'?
> The other servers' certs that are signed with 'Issuer: CN=localhost, OU=NIFI' 
> work just fine (NiFi 1.9.2 to Registry 0.6.0).
> Is there a way to increase the logs as well?
> 
> Many thanks,
> Roland
> 
> -----Original Message-----
> From: Rosso, Roland <[email protected] 
> <mailto:[email protected]>> 
> Sent: Thursday, March 25, 2021 2:21 PM
> To: [email protected] <mailto:[email protected]>
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
> 
> Thank you Bryan,
> I've tried all combinations I could think of.
> I'll re-sign all the certs with the same key for nifi and registry and try 
> this again.
> 
> Thanks,
> Roland
> 
> -----Original Message-----
> From: Bryan Bende <[email protected] <mailto:[email protected]>> 
> Sent: Tuesday, March 23, 2021 3:48 PM
> To: [email protected] <mailto:[email protected]>
> Subject: [EXTERNAL] Re: NiFi Registry SSL question
> 
> I think the issue might be related to the "server user" in nifi registry. I 
> would double check that the way the identity was entered in registry exactly 
> matches the identity from nifi's certificate, case-sensitive and white-space 
> sensitive. Also make sure this user in registry is granted all of the Proxy 
> permissions, it is broken out into three different actions now (read, write, 
> delete).
> 
> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <[email protected] 
> <mailto:[email protected]>> wrote:
> >
> > Hi all,
> >
> > I am moving things around and moving from self-signed certs to corporate 
> > certs.
> >
> > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit 
> > with external certs) and that seems fine.
> >
> > I added the cert from the registry server (old self signed) into the new 
> > nifi 1.12 truststore and the new server cert (signed with corporate CA) 
> > into the nifi registry truststore (again, self signed).
> >
> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry 
> > and made the permission grants (proxy, buckets). I don’t get any SSL errors 
> > in the logs but cannot add a PG via registry (no available bucket).
> >
> > Is this setup possible and am I missing something, or do all NiFi nodes and 
> > registry need to be signed with the same key? The idea was to setup a new 
> > instance (on new server), pull all PGs via registry into the new and 
> > retiring the old.
> >
> >
> >
> > Thanks,
> >
> > Roland
> >
> >
> >
> >
> >
> > This message (including any attachments) is intended only for the use of 
> > the individual or entity to which it is addressed and may contain 
> > information that is non-public, proprietary, privileged, confidential, and 
> > exempt from disclosure under applicable law or may constitute as attorney 
> > work product. If you are not the intended recipient, you are hereby 
> > notified that any use, dissemination, distribution, or copying of this 
> > communication is strictly prohibited. If you have received this 
> > communication in error, notify us immediately by telephone and (i) destroy 
> > this message if a facsimile or (ii) delete this message immediately if this 
> > is an electronic communication. Thank you.
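The thread's two diagnostic points are that NiFi Registry compares the NiFi server identity exactly (case- and whitespace-sensitive, per Bryan Bende) and that a failed proxy check is logged as "Untrusted proxy [identity] for READ/WRITE/DELETE operation." The script below is an added example written for this page, not code from NiFi or NiFi Registry: it splits a DN into its RDNs without losing the raw spacing, reports exactly why two identity strings would not be treated as the same user, and pulls the proxy denials out of log lines. The log lines in it are constructed for the example, and the assumption that the Registry does a plain string comparison is taken from the thread rather than from the Registry source.

```python
"""Added example (not NiFi or NiFi Registry code): check whether the identity NiFi
presents to NiFi Registry matches a configured Registry user, and pull the
"Untrusted proxy" denials out of nifi-registry-app.log.

Assumptions, as stated in the thread: the Registry compares the identity string
exactly (case- and whitespace-sensitive), and denials are logged as
"Untrusted proxy [<identity>] for <READ|WRITE|DELETE> operation.".
"""
import re
from collections import defaultdict

# Proxy is three separate policies in NiFi Registry (read, write, delete).
PROXY_ACTIONS = ("READ", "WRITE", "DELETE")

# Matches the denial message format quoted in the thread.
UNTRUSTED_PROXY = re.compile(
    r"Untrusted proxy \[(?P<identity>.+?)\] for (?P<op>READ|WRITE|DELETE) operation\."
)


def split_rdns(dn):
    """Split a DN string on unescaped commas into (ATTR, value) pairs.

    Attribute names are normalised; values are kept character-for-character
    (including a stray leading space such as 'CN= host') so the mismatch stays
    visible instead of being silently trimmed away.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value))
    return rdns


def diagnose(cert_dn, configured_identity):
    """Return [] if the Registry would treat the two strings as the same user,
    otherwise a list of human-readable reasons why it will not."""
    if cert_dn == configured_identity:
        return []
    a, b = split_rdns(cert_dn), split_rdns(configured_identity)
    attrs_a, attrs_b = [x[0] for x in a], [x[0] for x in b]
    if attrs_a != attrs_b:
        return [f"attribute order or set differs: {attrs_a} vs {attrs_b}"]
    reasons = []
    for (attr, va), (_, vb) in zip(a, b):
        if va == vb:
            continue
        if va.strip() == vb.strip():
            reasons.append(f"{attr}: whitespace differs ({va!r} vs {vb!r})")
        elif va.strip().lower() == vb.strip().lower():
            reasons.append(f"{attr}: case differs ({va!r} vs {vb!r})")
        else:
            reasons.append(f"{attr}: value differs ({va!r} vs {vb!r})")
    if not reasons:
        # Same RDN values but different raw text: spacing around '=' or ','.
        reasons.append(f"spacing differs ({cert_dn!r} vs {configured_identity!r})")
    return reasons


def untrusted_proxy_denials(log_lines):
    """Map each denied identity to the set of proxy actions it was refused."""
    denied = defaultdict(set)
    for line in log_lines:
        m = UNTRUSTED_PROXY.search(line)
        if m:
            denied[m.group("identity")].add(m.group("op"))
    return dict(denied)


def missing_proxy_actions(granted):
    """Report which of the three Proxy policies the server user still lacks."""
    return [a for a in PROXY_ACTIONS if a not in set(granted)]


# Constructed sample log lines for this example; not taken from the thread's log.
SAMPLE_LOG = [
    "2021-03-30 06:57:50,300 DEBUG [NiFi Registry Web Server-53] ... "
    "Untrusted proxy [CN= server_name.domain.net, OU=NIFI] for READ operation.",
    "2021-03-30 06:57:50,301 INFO  [NiFi Registry Web Server-53] ... "
    "TLSv1.2 Application Data, length = 920",
    "2021-03-30 06:57:51,002 DEBUG [NiFi Registry Web Server-35] ... "
    "Untrusted proxy [CN= server_name.domain.net, OU=NIFI] for WRITE operation.",
]

if __name__ == "__main__":
    configured = "CN=server_name.domain.net, OU=NIFI"  # as typed into the Registry UI
    for identity, ops in untrusted_proxy_denials(SAMPLE_LOG).items():
        print(f"denied {identity!r} for {sorted(ops)}")
        for reason in diagnose(identity, configured):
            print("  ", reason)
```

Run it with the identity from the denial line and the identity as entered in the Registry; the leading space after "CN=" that Bryan spotted in the keytool output shows up as "CN: whitespace differs", which a visual comparison of two DNs easily misses. Whether that space is really in the certificate or only in the pasted text is something to confirm against `keytool -list -v` output on the NiFi keystore itself.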
