Hello everyone,

We recently set up mTLS for the purpose of communicating with NiFi Registry, and we have extended the feature to the API calls handled by the HandleHTTPRequest via RestrictedSSLContextService using the same keystore.jks.

As our certs rotate periodically, I have also added a script to regenerate keystore.jks when it detects a new key, and enabled nifi.security.autoreload.enabled to trigger an update on NiFi.

I have observed the following:

1. The web interface, when accessed, successfully uses the new certificate when the update is triggered.
   a. I infer that keystore.jks has been successfully generated.
2. The API call to HandleHTTPRequest, however, is still using the old cert.
3. The new cert is used when the associated RestrictedSSLContextService is disabled and re-enabled.

Is there a way to have the RestrictedSSLContextService update its keystore when there's a new keystore? What is the expected usage scenario on this? Is there an alternative that will handle keystore changes?

Digging around, I found the following code that seems related to the flag that is affecting the web interface:

https://github.com/apache/nifi/blob/0de83292dec9f3077e5f06ebb5c6f14f01b74129/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java#L98

The RestrictedSSLContextService, on the other hand, seems unrelated and does not have the same checks:

https://github.com/apache/nifi/blob/01783a295c164dde29e5796fd2c010f2197a58b9/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java

Any suggestions?

Cheers,
Tony Sim
