I started from scratch. Got nifi to start, no errors at all in my nifi-app.log. Configured the client certs in my Chrome browser, also added cacert.pem to my Root Trusted CAs. Tried to hit https://ec2-44-219-227-80.compute-1.amazonaws.com:8443/nifi, continue to get rejected with this message from the browser:

This site can’t provide a secure connection
ec2-44-219-227-80.compute-1.amazonaws.com didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT

I never get prompted to select a client cert. Anyone have any thoughts - fixing, debugging, anything?

On Wed, Apr 17, 2024 at 8:44 PM James McMahon <jsmcmah...@gmail.com> wrote:

> I have installed and configured NiFi 2.0 with TLS. My nifi 2.0 instance appears to start without errors, judging by the contents of nifi-app.log.
>
> When I try to access my nifi instance through its https setting in nifi.properties, I get this error in my browser:
>
> This site can’t provide a secure connection
> ec2-44-219-227-80.compute-1.amazonaws.com didn’t accept your login certificate, or one may not have been provided.
> Try contacting the system admin.
> ERR_BAD_SSL_CLIENT_AUTH_CERT
>
> Normally I would expect to be prompted to select admin's login cert from the list of trusted certs. But I am not getting prompted - it just throws the error.
>
> I had employed tinycert.org to generate my cacert.pem, my server cert and private key, and a client cert and private key for my admin user.
>
> This is how I brought the server private key and cert into my keystore:
> openssl pkcs12 -export -out keystore.p12 -inkey ec2-44-219-227-80-key.pem -in ec2-44-219-227-80.pem -certfile cacert.pem
>
> This is how I imported my cacert into the nifi truststore with java keytool:
> keytool -import -alias "CACert" -file cacert.pem -keystore truststore.jks -storepass <truststore password>
>
> This is how I converted my client cert and key, which I then added to my browser cert store:
> openssl pkcs12 -export -out admin.p12 -inkey admin-key.pem -in admin.pem -certfile cacert.pem
>
> I have configured the cacert in my nifi truststore.jks. I have the server cert and private key in my keystore.p12. (I had read that jks for one and p12 for the other is not an issue).
>
> I have installed the cert and private key for user admin in my Chrome browser. I also installed the cacert.pem CA in my browser trusted root store.
>
> Here are my keystore, truststore, and https params in nifi.properties:
> nifi.web.https.host=ec2-44-219-227-80.compute-1.amazonaws.com
> nifi.web.https.port=8443
> ...
> nifi.security.keystore=/opt/nifi/config_resources/keys/keystore.p12
> nifi.security.keystoreType=PKCS12
> nifi.security.keystorePasswd=<.....>
> nifi.security.keyPasswd=<.....>
> nifi.security.truststore=/opt/nifi/config_resources/keys/truststore.jks
> nifi.security.truststoreType=JKS
> nifi.security.truststorePasswd=<truststore pwd>
>
> My authorizers.xml file is configured like this:
> <?xml version='1.0' encoding='UTF-8'?>
> <authorizers>
>     <!-- -->
>     <!-- <userGroupProvider/> -->
>     <!-- -->
>     <userGroupProvider>
>         <identifier>file-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>         <property name="Users File">/opt/nifi/config_resources/users.xml</property>
>         <property name="Initial User Identity 1">CN=admin, OU=NIFI</property>
>     </userGroupProvider>
>     <accessPolicyProvider>
>         <identifier>file-access-policy-provider</identifier>
>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>         <property name="User Group Provider">file-user-group-provider</property>
>         <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
>         <property name="Authorizations File">/opt/nifi/config_resources/authorizations.xml</property>
>     </accessPolicyProvider>
>     <authorizer>
>         <identifier>managed-authorizer</identifier>
>         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>         <property name="Access Policy Provider">file-access-policy-provider</property>
>     </authorizer>
> </authorizers>
>
> My Security Group on my ec2 instance has a rule to permit 8443 for my IP address.
>
> What have I overlooked? Thanks in advance for any help.
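The combination reported above, no certificate prompt followed by ERR_BAD_SSL_CLIENT_AUTH_CERT, is what a browser produces when none of its client certificates was issued by a CA the server named in its TLS CertificateRequest: the server advertises the subjects held in its truststore, the browser filters its certificates by issuer against that list, finds nothing to offer, sends an empty Certificate message, and the server then rejects the connection. The program below is an added example, not code from this thread or from NiFi or tinycert.org. It mints a throwaway PKI with Go's standard library (a constructed "Demo Root CA", a server certificate for localhost, a client certificate with subject CN=admin, OU=NIFI, and a constructed "Unrelated CA"), then runs two mutual-TLS handshakes over loopback: one where the server's trust pool (standing in for truststore.jks) holds the client certificate's issuer, and one where it holds the unrelated CA. Go is used because its standard library can both issue certificates and run each side of the handshake in one self-contained program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a certificate for subject as a ready-to-use tls.Certificate: a self-signed CA when
// parent is nil, otherwise a leaf signed by parent/parentKey. Constructed stand-in for the tinycert files.
func issue(subject pkix.Name, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:    []string{"localhost"},
	}
	if parent == nil { // self-signed
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, key
}

// Handshake runs one mutual-TLS handshake over loopback. serverTrust plays NiFi's truststore (ClientCAs),
// client the browser-held admin.p12, clientTrust the CA the browser checks the server against. Like a
// browser, the client offers its certificate only when the issuer is on the CA list the server advertised.
// It returns the advertised CA names, whether a cert was offered, the identity the server authenticated
// (empty on failure) and the server-side handshake error.
func Handshake(server tls.Certificate, serverTrust *x509.CertPool, client tls.Certificate, clientTrust *x509.CertPool) (acceptable []string, offered bool, identity string, serverErr error) {
	serverCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: serverTrust}
	clientCfg := &tls.Config{RootCAs: clientTrust, ServerName: "localhost",
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			for _, ca := range cri.AcceptableCAs {
				var name pkix.RDNSequence
				asn1.Unmarshal(ca, &name) // decoded for display only
				acceptable = append(acceptable, name.String())
				offered = offered || string(ca) == string(client.Leaf.RawIssuer)
			}
			if !offered { // nothing matched: no prompt, empty Certificate message
				return &tls.Certificate{}, nil
			}
			return &client, nil
		},
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		raw, err := ln.Accept()
		must(err)
		defer raw.Close()
		srv := tls.Server(raw, serverCfg)
		if serverErr = srv.Handshake(); serverErr == nil {
			identity = srv.ConnectionState().PeerCertificates[0].Subject.String()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	defer raw.Close()
	tls.Client(raw, clientCfg).Handshake() // under TLS 1.3 this returns before the server has judged the cert
	<-done
	return
}

func main() {
	ca, caKey := issue(pkix.Name{CommonName: "Demo Root CA"}, nil, nil)
	server, _ := issue(pkix.Name{CommonName: "localhost"}, ca.Leaf, caKey)
	admin, _ := issue(pkix.Name{CommonName: "admin", OrganizationalUnit: []string{"NIFI"}}, ca.Leaf, caKey)
	other, _ := issue(pkix.Name{CommonName: "Unrelated CA"}, nil, nil)
	trust, wrong := x509.NewCertPool(), x509.NewCertPool()
	trust.AddCert(ca.Leaf)
	wrong.AddCert(other.Leaf)
	fmt.Println(Handshake(server, trust, admin, trust)) // truststore holds admin's issuer: offered, identity mapped
	fmt.Println(Handshake(server, wrong, admin, trust)) // unrelated CA in truststore: nothing offered, server rejects
}
```

Run it with go run. The first handshake reports the advertised CA name CN=Demo Root CA, offered=true and the identity CN=admin,OU=NIFI (Go's RFC 2253 rendering of the DN that NiFi writes as "CN=admin, OU=NIFI" in authorizers.xml). The second reports CN=Unrelated CA, offered=false, an empty identity and a server-side "client didn't provide a certificate" error, which is the server's view of the browser symptom in the thread. The check this suggests for a real deployment is to confirm that the certificate inside admin.p12 was issued by exactly the CA that keytool imported into truststore.jks, and that the server is advertising that CA; openssl s_client prints the advertised list under "Acceptable client certificate CA names".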