https://community.cloudera.com/t5/Support-Questions/Securing-NiFi-Cannot-see-UI/m-p/283258#M210542 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/71309">@frassis</a>&nbsp;</P><P>&nbsp;</P><P>The error message you have encountered indicates and issue with the certificates you are using to secure your NiFi nodes.</P><P>&nbsp;</P><LI-CODE lang="markup">javax.net.ssl.SSLPeerUnverifiedException: Hostname &lt;my_fqdn_is_here&gt; not verified: certificate: sha256/716mOuXyoAKqzNrXrNnG2ozHXwN8WWJsVxzWzfQzpNV= DN: CN=xxx-xxxx-xxxx.xxx.xxx.net, OU=XXXXXXXXX XXXXXX, O=XXXXX, L=XXXXXX, ST=XXXXXX XXXXX, C=CA subjectAltNames: [] </LI-CODE><P><SPAN><BR /></SPAN>Jetty no longer uses the DN to verify hostnames and now requires that the certificates include at least 1 Subject Alternative Name (SAN) entry that matches the hostname of the server on which it is being used.<BR /><BR />As you can see from the ERROR output, it indicates you have no SAN entries in your cert.&nbsp;&nbsp;</P><LI-CODE lang="markup">subjectAltNames: []</LI-CODE><P>&nbsp;</P><P>You will need to generate new certificates and keystores for your NiFi nodes.<BR />When doing so keep in mind the following:<BR />1. Keystore may contain ONLY 1 PrivateKeyEntry<BR />2. The PrivateKeyEntry MUST support both "clientAuth" and "serverAuth"<BR />3. The PrivateKeyEntry MUST contain at least 1 SAN entry matching the hostname of the server where keystore will be used.<BR />4. The Keystore and Key passwords must be the same. Or no key password set.<BR /><BR />Thank you,</P><P>Matt</P> Mon, 18 Nov 2019 13:49:19 GMT MattWho 2019-11-18T13:49:19Z https://community.cloudera.com/t5/Support-Questions/Securing-NiFi-Cannot-see-UI/m-p/283129#M210447 <P>Hi folks,</P> <P>&nbsp;</P> <P>We have been struggling for the past 3 weeks trying to secure a cluster.</P> <P>We have 3 nodes. They were working ok in a cluster (but not secured).</P> <P>When trying to secure those (and following the guide suggested here), we came across the following message when trying to access the UI:</P> <P>&nbsp;</P> <P><SPAN>javax.net.ssl.SSLPeerUnverifiedException: Hostname &lt;my_fqdn_is_here&gt; not verified: certificate: sha256/716mOuXyoAKqzNrXrNnG2ozHXwN8WWJsVxzWzfQzpNV= DN: CN=xxx-xxxx-xxxx.xxx.xxx.net, OU=XXXXXXXXX XXXXXX, O=XXXXX, L=XXXXXX, ST=XXXXXX XXXXX, C=CA subjectAltNames: []</SPAN>&nbsp;</P> <P>&nbsp;</P> <P>We've been going over and over the configs and nothing seems to point to the right direction.<BR /><BR />Would anyone point us to at least the right direction?&nbsp;</P> Fri, 15 Nov 2019 23:09:05 GMT https://community.cloudera.com/t5/Support-Questions/Securing-NiFi-Cannot-see-UI/m-p/283129#M210447 frassis 2019-11-15T23:09:05Z https://community.cloudera.com/t5/Support-Questions/Securing-NiFi-Cannot-see-UI/m-p/283137#M210454 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/71309">@frassis</a>&nbsp;You wrote that you were "<SPAN>&nbsp;following the guide suggested here", but there was no indication as to what guide you were actually following. Did you perhaps forget the hyperlink?</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 15 Nov 2019 23:12:31 GMT https://community.cloudera.com/t5/Support-Questions/Securing-NiFi-Cannot-see-UI/m-p/283137#M210454 ask_bill_brooks 2019-11-15T23:12:31Z https://community.cloudera.com/t5/Support-Questions/Securing-NiFi-Cannot-see-UI/m-p/283258#M210542 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/71309">@frassis</a>&nbsp;</P><P>&nbsp;</P><P>The error message you have encountered indicates and issue with the certificates you are using to secure your NiFi nodes.</P><P>&nbsp;</P><LI-CODE lang="markup">javax.net.ssl.SSLPeerUnverifiedException: Hostname &lt;my_fqdn_is_here&gt; not verified: certificate: sha256/716mOuXyoAKqzNrXrNnG2ozHXwN8WWJsVxzWzfQzpNV= DN: CN=xxx-xxxx-xxxx.xxx.xxx.net, OU=XXXXXXXXX XXXXXX, O=XXXXX, L=XXXXXX, ST=XXXXXX XXXXX, C=CA subjectAltNames: [] </LI-CODE><P><SPAN><BR /></SPAN>Jetty no longer uses the DN to verify hostnames and now requires that the certificates include at least 1 Subject Alternative Name (SAN) entry that matches the hostname of the server on which it is being used.<BR /><BR />As you can see from the ERROR output, it indicates you have no SAN entries in your cert.&nbsp;&nbsp;</P><LI-CODE lang="markup">subjectAltNames: []</LI-CODE><P>&nbsp;</P><P>You will need to generate new certificates and keystores for your NiFi nodes.<BR />When doing so keep in mind the following:<BR />1. Keystore may contain ONLY 1 PrivateKeyEntry<BR />2. The PrivateKeyEntry MUST support both "clientAuth" and "serverAuth"<BR />3. The PrivateKeyEntry MUST contain at least 1 SAN entry matching the hostname of the server where keystore will be used.<BR />4. The Keystore and Key passwords must be the same. Or no key password set.<BR /><BR />Thank you,</P><P>Matt</P> Mon, 18 Nov 2019 13:49:19 GMT https://community.cloudera.com/t5/Support-Questions/Securing-NiFi-Cannot-see-UI/m-p/283258#M210542 MattWho 2019-11-18T13:49:19Z https://community.cloudera.com/t5/Support-Questions/Securing-NiFi-Cannot-see-UI/m-p/283408#M210647 <P>Hey&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/35454">@MattWho</a>, thank you very much for this.</P><P>&nbsp;</P><P>Quick question, how do you determine if the&nbsp;<SPAN>PrivateKeyEntry supports both?</SPAN></P><P>&nbsp;</P><P>"<SPAN>The PrivateKeyEntry MUST support both "clientAuth" and "serverAuth""?&nbsp; </SPAN></P><P>&nbsp;</P><P><SPAN>I don't see this when i use keytool -v<BR /><BR /></SPAN></P> Tue, 19 Nov 2019 19:34:04 GMT https://community.cloudera.com/t5/Support-Questions/Securing-NiFi-Cannot-see-UI/m-p/283408#M210647 gdizzz 2019-11-19T19:34:04Z https://community.cloudera.com/t5/Support-Questions/Securing-NiFi-Cannot-see-UI/m-p/284560#M211295 <P>Thanks Matt,</P><P>&nbsp;</P><P>With new certs, like you mentioned, we were able to make it work.</P> Mon, 02 Dec 2019 19:19:40 GMT https://community.cloudera.com/t5/Support-Questions/Securing-NiFi-Cannot-see-UI/m-p/284560#M211295 frassis 2019-12-02T19:19:40Z