Thank you Isha. I will try this and see what I find. I'll report back here. I appreciate your reply. Cheers, Jim
On Fri, Apr 19, 2024 at 4:37 AM Isha Lamboo <isha.lam...@virtualsciences.nl> wrote:
> Hi James,
>
> I would suggest you try to debug this using the openssl s_client command, something like this:
>
> openssl s_client -connect <hostname>:<port> -debug -cert client.pem -key clientkey.pem -CAfile rootcert.pem
>
> This should give you a lot of details, including information from the server that specifies which CAs it will accept for client certs.
>
> Regards,
>
> Isha
>
> *From:* James McMahon <jsmcmah...@gmail.com>
> *Sent:* Friday 19 April 2024 01:17
> *To:* users <users@nifi.apache.org>
> *Subject:* Re: Unable to securely connect to NiFi 2.0 instance
>
> I started from scratch. Got nifi to start, no errors at all in my nifi-app.log. Configured the client certs in my Chrome browser, also added cacert.pem to my Root Trusted CAs.
>
> Tried to hit https://ec2-44-219-227-80.compute-1.amazonaws.com:8443/nifi, continue to get rejected with this message from the browser:
>
> This site can’t provide a secure connection
> ec2-44-219-227-80.compute-1.amazonaws.com didn’t accept your login certificate, or one may not have been provided.
> Try contacting the system admin.
> ERR_BAD_SSL_CLIENT_AUTH_CERT
>
> I never get prompted to select a client cert.
>
> Anyone have any thoughts - fixing, debugging, anything?
>
> On Wed, Apr 17, 2024 at 8:44 PM James McMahon <jsmcmah...@gmail.com> wrote:
>
> I have installed and configured NiFi 2.0 with TLS. My nifi 2.0 instance appears to start without errors, judging by the contents of nifi-app.log.
>
> When I try to access my nifi instance through its https setting in nifi.properties, I get this error in my browser:
>
> This site can’t provide a secure connection
> ec2-44-219-227-80.compute-1.amazonaws.com didn’t accept your login certificate, or one may not have been provided.
> Try contacting the system admin.
> ERR_BAD_SSL_CLIENT_AUTH_CERT
>
> Normally I would expect to be prompted to select admin's login cert from the list of trusted certs. But I am not getting prompted - it just throws the error.
>
> I had employed tinycert.org to generate my cacert.pem, my server cert and private key, and a client cert and private key for my admin user.
>
> This is how I brought the server private key and cert into my keystore:
>
> openssl pkcs12 -export -out keystore.p12 -inkey ec2-44-219-227-80-key.pem -in ec2-44-219-227-80.pem -certfile cacert.pem
>
> This is how I imported my cacert into the nifi truststore with java keytool:
>
> keytool -import -alias "CACert" -file cacert.pem -keystore truststore.jks -storepass <truststore password>
>
> This is how I converted my client cert and key, which I then added to my browser cert store:
>
> openssl pkcs12 -export -out admin.p12 -inkey admin-key.pem -in admin.pem -certfile cacert.pem
>
> I have configured the cacert in my nifi truststore.jks. I have the server cert and private key in my keystore.p12. (I had read that jks for one and p12 for the other is not an issue).
>
> I have installed the cert and private key for user admin in my Chrome browser. I also installed the cacert.pem CA in my browser trusted root store.
>
> Here are my keystore, truststore, and https params in nifi.properties:
>
> nifi.web.https.host=ec2-44-219-227-80.compute-1.amazonaws.com
> nifi.web.https.port=8443
>
> ...
> nifi.security.keystore=/opt/nifi/config_resources/keys/keystore.p12
> nifi.security.keystoreType=PKCS12
> nifi.security.keystorePasswd=<.....>
> nifi.security.keyPasswd=<.....>
> nifi.security.truststore=/opt/nifi/config_resources/keys/truststore.jks
> nifi.security.truststoreType=JKS
> nifi.security.truststorePasswd=<truststore pwd>
>
> My authorizers.xml file is configured like this:
>
> <?xml version='1.0' encoding='UTF-8'?>
> <authorizers>
>     <!-- -->
>     <!-- <userGroupProvider/> -->
>     <!-- -->
>     <userGroupProvider>
>         <identifier>file-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>         <property name="Users File">/opt/nifi/config_resources/users.xml</property>
>         <property name="Initial User Identity 1">CN=admin, OU=NIFI</property>
>     </userGroupProvider>
>     <accessPolicyProvider>
>         <identifier>file-access-policy-provider</identifier>
>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>         <property name="User Group Provider">file-user-group-provider</property>
>         <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
>         <property name="Authorizations File">/opt/nifi/config_resources/authorizations.xml</property>
>     </accessPolicyProvider>
>     <authorizer>
>         <identifier>managed-authorizer</identifier>
>         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>         <property name="Access Policy Provider">file-access-policy-provider</property>
>     </authorizer>
> </authorizers>
>
> My Security Group on my ec2 instance has a rule to permit 8443 for my IP address.
>
> What have I overlooked? Thanks in advance for any help.
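The following is an added example, not code from the thread or from the NiFi project: a small shell checklist that turns Isha's openssl s_client suggestion into repeatable checks for the ERR_BAD_SSL_CLIENT_AUTH_CERT situation. It parses the "Acceptable client certificate CA names" block that s_client prints, checks that the client certificate's issuer is on that list, that the certificate chains to the CA that went into the truststore, and that its subject matches the Initial Admin Identity from authorizers.xml. It assumes the openssl CLI is installed; the CA name "Example Test CA", the throwaway certificates and the saved s_client output used for the offline run are constructed here, not taken from the posts.

```shell
#!/usr/bin/env bash
# Added example; assumes the openssl CLI is on PATH.  Names such as
# "Example Test CA", good-server.txt and bad-server.txt are placeholders
# chosen for this example, not taken from the original thread.
set -u

# 1. Probe a live server and save the handshake details.  Run by hand against
#    a reachable NiFi instance; nothing below calls it automatically.
probe_server() {  # probe_server host port client.pem clientkey.pem rootcert.pem out.txt
  openssl s_client -connect "$1:$2" -servername "$1" \
    -cert "$3" -key "$4" -CAfile "$5" </dev/null >"$6" 2>&1
}

# 2. Pull the "Acceptable client certificate CA names" block out of saved
#    s_client output.  Prints one DN per line in OpenSSL's default "oneline"
#    name format (e.g. "CN = Example Test CA"); prints nothing when the server
#    sent no CA list ("No client certificate CA names sent").
acceptable_cas() {  # acceptable_cas out.txt
  awk '/^Acceptable client certificate CA names$/ { on = 1; next }
       on && (/^Client Certificate Types/ || /^Requested Signature Algorithms/ || /^---$/) { on = 0 }
       on { print }' "$1"
}

# 3. Is the client certificate's issuer one of the CAs the server asked for?
#    A browser only offers client certificates whose issuer is on that list,
#    so a mismatch here shows up as "never prompted, then rejected".
issuer_accepted() {  # issuer_accepted client.pem out.txt
  local issuer
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt oneline | sed 's/^issuer=//')
  acceptable_cas "$2" | grep -Fxq -- "$issuer"
}

# 4. Does the client certificate chain to the CA that was imported into the
#    truststore?  Exit status 0 means "admin.pem: OK" from openssl verify.
chains_to_ca() {  # chains_to_ca rootcert.pem client.pem
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 5. Does the certificate subject match the configured Initial Admin Identity?
#    The subject is printed in RFC 2253 form and both sides are compared with
#    the space after each comma removed, so "CN=admin, OU=NIFI" and
#    "CN=admin,OU=NIFI" compare equal (a choice made here for the comparison).
subject_matches() {  # subject_matches client.pem "CN=admin, OU=NIFI"
  local subject want
  subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/, */,/g')
  want=$(printf '%s' "$2" | sed 's/, */,/g')
  [ "$subject" = "$want" ]
}

# Constructed test material so the checks can run offline: a throwaway CA,
# a client cert with subject OU=NIFI/CN=admin, and two stand-ins for what
# s_client prints (one server that lists our CA, one that lists none).
make_test_pki() {  # make_test_pki dir
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/ca-key.pem" \
    -out "$d/cacert.pem" -subj "/CN=Example Test CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/admin-key.pem" \
    -out "$d/admin.csr" -subj "/OU=NIFI/CN=admin" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/admin.csr" -CA "$d/cacert.pem" \
    -CAkey "$d/ca-key.pem" -CAcreateserial -out "$d/admin.pem" >/dev/null 2>&1
  printf '%s\n' '---' 'Acceptable client certificate CA names' \
    'CN = Example Test CA' 'Client Certificate Types: RSA sign, ECDSA sign' \
    'Requested Signature Algorithms: RSA-PSS+SHA256' >"$d/good-server.txt"
  printf '%s\n' '---' 'No client certificate CA names sent' \
    'Client Certificate Types: RSA sign, ECDSA sign' >"$d/bad-server.txt"
}

main() {
  local d
  d=$(mktemp -d) || return 1
  make_test_pki "$d"
  chains_to_ca "$d/cacert.pem" "$d/admin.pem" && echo "client cert chains to cacert.pem: OK"
  subject_matches "$d/admin.pem" "CN=admin, OU=NIFI" && echo "subject matches Initial Admin Identity: OK"
  issuer_accepted "$d/admin.pem" "$d/good-server.txt" && echo "server lists our CA: OK"
  issuer_accepted "$d/admin.pem" "$d/bad-server.txt" || echo "server lists no matching CA: browser has nothing to offer"
  rm -rf "$d"
}
main
```

Against a real instance the sequence is `probe_server <hostname> 8443 admin.pem admin-key.pem cacert.pem out.txt`, then `acceptable_cas out.txt` to see the list and `issuer_accepted admin.pem out.txt` for the yes/no answer; an empty list means the server's truststore did not contribute any CA names, which is the first thing to check with `keytool -list -v -keystore truststore.jks`. The parser relies on OpenSSL's default oneline name format, so pass no `-nameopt` to s_client (or the same one to both commands).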