Apache NiFi using non self-signed certificates

davis_tran — Fri, 16 Sep 2022 14:19:13 GMT

Please keep in mind I am in no way savvy in "this stuff" at all, so please bare with me.

Issue: I am still receiving "Your connection is not private" / "NET::ERR_CERT_AUTHORITY_INVALID" when accessing the NiFi web UI that I have installed on a Linux server even though I set it up with a certificate provided by my company (I believe did something wrong here).

Goal: Anyone who tries to access the web UI will be met with the NiFi Login screen (this part is already setup with LDAP) without having to import a certificate instead of the warning/secure ("Your connection is not private") page. I think it's important to know that I have it working fine with self-signed certificate and importing the certificate into my browser.

Summary (Please read this knowing that my understanding of the subject is very minimal):

1. I generated a CSR and keystore.jks (from what I understand contains the private key) with the following command:

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keystore.jks -dname "CN={{domain data here}}" && keytool -certreq -alias server -file nifi.csr -keystore keystore.jks && echo Your certificate signing request is in nifi.csr.  Your keystore file is keystore.jks.  Thanks for using the DigiCert keytool CSR helper.

2. Forwarded the generated CSR to our company CA and they sent back 4 following files:

nifi.cer
nifi.p7b
root-CA.cer
issuing-CA.cer

3. Generated a truststore.jks (with a temp alias and removed it) and imported the nifi.cer into it

keytool -import -alias server -file "nifi.cer" -keystore -truststore.jks

4. Placed the truststore and keystore files into the conf directory of NiFi on the server and updated the # security properties # in nifi.properties to reflect the keystore and truststore files.

Please let me know if I did something wrong or I misunderstood something.

Re: Apache NiFi using non self-signed certificates

davis_tran — Fri, 19 Apr 2019 03:03:38 GMT

@Andy LoPresto

Sorry to bother you, but I see that you have answered other posts that have similar issues to mine and I was hoping you could help out. Thanks!

Re: Apache NiFi using non self-signed certificates

alopresto — Fri, 19 Apr 2019 03:27:31 GMT

Hi Davis,

I imagine the issue is that the server certificate that was signed by your organizational CA doesn't include the (intermediate or root) CA public certificates. It appears they (the signing team) sent those to you in addition as separate files. My expectation is that if you run the command more issuing-CA.cer or more root-CA.cer, you will get an output like this:

If you then run this command openssl x509 -in issuing-CA.cer -text -noout (verifies the certificate is parsable), you should get output like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=Santa Monica, O=Apache, OU=NiFi, CN=Example NiFi CA/emailAddress=example@nifi.apache.org
        Validity
            Not Before: Oct 27 00:10:07 2016 GMT
            Not After : Jul 24 00:10:07 2019 GMT
        Subject: C=US, ST=CA, L=Santa Monica, O=Apache, OU=NiFi, CN=nifi.apache.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:99:80:ee:79:34:f7:34:83:57:48:74:f2:9a:09:
                    c0:2f:68:a5:b1:bc:d9:da:75:28:7f:70:d0:ed:3a:
                    1f:65:7f:59:9f:9a:f5:70:47:32:25:cd:14:f5:bc:
                    09:0e:43:c4:5d:7c:2f:37:9e:f8:5a:22:f9:b7:15:
                    4a:57:e2:d9:2f:e9:ea:25:25:a5:35:2b:6f:06:23:
                    1b:67:87:8c:ed:4b:b0:1f:d2:0f:9b:fd:fa:ca:87:
                    e1:91:ea:82:a0:50:4e:47:81:38:3b:22:6d:02:c4:
                    d1:b3:bc:a3:a7:bd:98:c3:8e:04:1e:95:75:c6:35:
                    71:5c:19:c0:70:2b:9c:90:ac:14:93:5f:bd:43:f8:
                    23:fe:95:66:b0:c7:e8:af:d6:f2:b6:8a:a9:ed:f8:
                    a2:62:5a:90:da:aa:51:57:1d:7a:fb:ea:60:d8:94:
                    c8:30:29:4c:f3:ef:84:23:af:32:2b:0a:1f:30:32:
                    de:24:6d:0f:73:1c:4d:d2:5b:c5:f9:cf:3a:52:80:
                    33:5c:22:87:0f:b7:09:c9:3c:d3:47:a3:e9:74:16:
                    2e:39:76:6b:10:13:a3:f6:84:2f:08:26:8d:f6:79:
                    10:fb:b6:70:4c:dd:be:ef:c5:0a:c4:f7:cb:d8:1b:
                    58:b0:1c:ff:6e:18:c2:95:59:8e:57:30:12:9d:c2:
                    93:4b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                96:02:F9:1D:BE:53:F0:D9:10:C9:B8:53:41:46:92:6E:7D:E4:63:B3
            X509v3 Authority Key Identifier:
                keyid:44:D8:A0:AA:3F:8D:24:1D:66:A0:EE:A0:2E:04:9F:DB:C5:EB:43:CA

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         85:90:6f:02:a3:48:1a:6c:89:d2:35:ff:85:e6:6d:8e:ec:5f:
         d8:6a:95:21:b6:63:fa:59:41:37:22:f5:b5:a2:64:d7:6e:9a:
         bc:e2:12:cb:d6:9b:0f:64:aa:7d:64:2c:d2:79:52:cb:bc:39:
         dc:29:08:9e:85:42:0b:7b:73:77:13:e3:02:a1:25:12:ed:37:
         79:88:ec:13:62:2e:dd:dd:55:d3:42:98:55:c4:c3:a4:e3:6f:
         68:83:66:24:cd:70:31:e3:2a:df:4d:ed:f5:38:54:78:f9:ea:
         f4:96:50:11:c0:02:52:7f:17:30:6d:88:87:f6:0f:3b:ef:cb:
         de:05:d1:ed:ee:52:51:16:cd:6d:2a:e6:0f:d1:0a:d2:48:45:
         d4:30:91:d5:f1:2c:0f:20:dc:95:1d:0c:e5:06:a6:a6:65:d9:
         90:5a:9e:ee:77:29:88:f6:ef:7d:77:59:2c:78:35:52:3b:e0:
         52:8c:53:71:3f:83:d6:e6:41:c0:1d:fd:a7:8f:b2:7d:aa:3f:
         b6:67:34:c2:9a:74:24:54:3a:5a:30:2c:cc:9f:b3:1c:55:e1:
         13:69:43:d9:87:4c:ad:51:2c:0d:46:a2:d1:e8:55:25:c5:78:
         83:9e:4a:8d:64:9f:0f:4f:0b:5d:1d:70:db:99:62:b9:18:d5:
         a3:a1:c6:38:bf:3d:8c:45:5e:fd:1e:29:e3:ba:ed:94:6c:1e:
         01:ef:05:70:49:d7:56:cf:89:45:0a:69:32:d5:5e:9f:55:7f:
         ae:e2:7a:32:44:5d:52:53:68:85:07:e9:f1:8a:f5:85:8d:a8:
         17:ec:dd:d1:1b:17:c4:15:51:08:01:9e:c4:95:32:d1:53:75:
         e0:98:af:66:d1:f6:9d:c5:01:eb:43:a4:c3:b6:b7:cf:3d:08:
         a4:ab:eb:69:86:f6:d7:c5:b9:4e:a7:85:e6:5d:31:e7:c8:1a:
         82:be:4f:72:ea:98:3e:77:b1:b6:f1:6b:8a:79:ff:e3:7a:af:
         a1:ae:1a:67:0b:19:9e:59:a9:88:3e:c8:1c:cf:d3:c3:bf:e5:
         1c:ad:7a:21:fa:86:fb:ec:85:9d:66:17:63:3a:c5:2f:3f:7c:
         45:5a:0e:64:8f:89:80:78:36:77:1b:82:ce:68:dd:cf:f3:96:
         0e:b3:3d:91:9e:69:61:eb:ee:f5:57:22:6d:ca:19:cd:3e:d8:
         d6:20:4f:c0:c7:1d:0f:ba:23:90:8c:51:11:c3:4c:2f:96:11:
         d5:fd:54:45:24:b7:af:08:a1:4b:39:f2:2d:f6:c7:3a:8f:62:
         42:04:d5:66:89:89:74:c9:72:e3:56:58:03:7c:95:32:f4:cb:
         8b:b5:24:e1:94:1c:3a:53

The next step is to concatenate all the public certificates into a single file so it can be imported into the keystore.jks. That way when the application (NiFi) presents its public certificate to the browser, it also presents the "certificate chain" that shows NiFi cert (signed by) Issuing CA (signed by) Root CA, and (hopefully) Root CA is already present in the client truststores (i.e. the browser/OS), or is signed by a global CA certificate (a commercial entity like Verisign, Comodo, etc.) that is already in those truststores.

Basically the steps you need to take are:

Copy the contents of all three "*.cer" files you received into a single text file (include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines for each) called "chain.pem". It should look like:
1. -----BEGIN CERTIFICATE----- Abcd... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- 1234... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Wxyz... -----END CERTIFICATE-----
Import this signed certificate chain into the keystore using the same alias as the private key that already exists (appears to be server based on your question above)
1. keytool -import -trustcacerts -alias server -file chain.pem -keystore keystore.jks

Re: Apache NiFi using non self-signed certificates

davis_tran — Thu, 25 Apr 2019 01:04:59 GMT

Awesome, that worked! Thanks for the help, I appreciate it!

Re: Apache NiFi using non self-signed certificates

davis_tran — Sat, 27 Apr 2019 22:53:22 GMT

Hey @Andy LoPresto, now that I have this secure instance setup how would I go about Site-to-Site communication with another secure NiFi instance?

These are the list of certificates I have:

NiFi Instance A:

nifi.cer
nifi.p7b
root-CA.cer
issuing-CA.cer

Nifi Instance B:

nifi.cer
nifi.p7b
root-CA.cer
issuing-CA.cer

Do you know of any resources that would help me with the subject of matter at hand and what you would call it (SSL? TLS? Installing Certificates?)? I am having trouble understanding what my issue is to know what to research to learn enough so that I can avoid asking questions that have already been answered.

Thanks!

Re: Apache NiFi using non self-signed certificates

gnat — Fri, 19 Nov 2021 05:54:28 GMT

How to download the tool, is there a free one?

question Re: Apache NiFi using non self-signed certificates in Support Questions

Apache NiFi using non self-signed certificates

Re: Apache NiFi using non self-signed certificates

Re: Apache NiFi using non self-signed certificates

Re: Apache NiFi using non self-signed certificates

Re: Apache NiFi using non self-signed certificates

Re: Apache NiFi using non self-signed certificates