https://community.cloudera.com/t5/Support-Questions/Understanding-NiFi-Certificates-functionality/m-p/336545#M232293 <P>Hello all,</P><P>Please bear with me if I ask a simple/basic question. I am new to NiFi and appreciate your patience and support.</P><P>I am setting up secure NiFi in 2 clusters. I am using NiFi 1.15.3 version in my setup. My cluster 1 has nodes: node1, node2, node3 and cluster 2 has nodes: node4, node5, node6.</P><P>I have created certificates in my organization by setting node1 as primary node and other nodes as alternative nodes. I use the same certificates in both clusters since I added all the nodes to the certificate when creating it.</P><P>My cluster 1 starts and I can able to login to web ui with admin user without any issues. However, my cluster 2 starts without any issues but when I try to login, it throws:</P><P>Insufficient permission. Untrusted proxy CN=node1, O=xxxx, L=yyyy, ST=zzzz, C=US</P><P>and in logs:</P><P>o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed GET <A href="https://node4:8443/nifi-api/flow/current-user" target="_blank">https://node4:8443/nifi-api/flow/current-user</A> [Untrusted proxy CN=node1, O=xxxx, L=yyyy, ST=zzzz, C=US]</P><P>As a part of troubleshooting, I added the node1 as initial user and node identity in cluster 2's authorizers.xml file. After deleting users.xml and authorizations.xml and restarting the NiFi, I was able to login to web UI.</P><P>My questions:<BR />1. Should I add the certificate's primary node as initial user and node identity where ever I use this certificate?<BR />2. What if the primary node went down for some reason. Will it cause any issue?<BR /><BR />Appreciate any help on this.</P><P>Regards</P> Thu, 17 Feb 2022 21:22:40 GMT spserd 2022-02-17T21:22:40Z https://community.cloudera.com/t5/Support-Questions/Understanding-NiFi-Certificates-functionality/m-p/336545#M232293 <P>Hello all,</P><P>Please bear with me if I ask a simple/basic question. I am new to NiFi and appreciate your patience and support.</P><P>I am setting up secure NiFi in 2 clusters. I am using NiFi 1.15.3 version in my setup. My cluster 1 has nodes: node1, node2, node3 and cluster 2 has nodes: node4, node5, node6.</P><P>I have created certificates in my organization by setting node1 as primary node and other nodes as alternative nodes. I use the same certificates in both clusters since I added all the nodes to the certificate when creating it.</P><P>My cluster 1 starts and I can able to login to web ui with admin user without any issues. However, my cluster 2 starts without any issues but when I try to login, it throws:</P><P>Insufficient permission. Untrusted proxy CN=node1, O=xxxx, L=yyyy, ST=zzzz, C=US</P><P>and in logs:</P><P>o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed GET <A href="https://node4:8443/nifi-api/flow/current-user" target="_blank">https://node4:8443/nifi-api/flow/current-user</A> [Untrusted proxy CN=node1, O=xxxx, L=yyyy, ST=zzzz, C=US]</P><P>As a part of troubleshooting, I added the node1 as initial user and node identity in cluster 2's authorizers.xml file. After deleting users.xml and authorizations.xml and restarting the NiFi, I was able to login to web UI.</P><P>My questions:<BR />1. Should I add the certificate's primary node as initial user and node identity where ever I use this certificate?<BR />2. What if the primary node went down for some reason. Will it cause any issue?<BR /><BR />Appreciate any help on this.</P><P>Regards</P> Thu, 17 Feb 2022 21:22:40 GMT https://community.cloudera.com/t5/Support-Questions/Understanding-NiFi-Certificates-functionality/m-p/336545#M232293 spserd 2022-02-17T21:22:40Z https://community.cloudera.com/t5/Support-Questions/Understanding-NiFi-Certificates-functionality/m-p/336546#M232294 <P>Hi,&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/95925">@spserd</a>&nbsp;,</P><P>&nbsp;</P><P>Please have a look at this <A href="https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#wildcard_certificates" target="_self">section</A> of the NiFi documentation. It says:</P><P>&nbsp;</P><BLOCKQUOTE><HR />Wildcard certificates (i.e. two nodes node1.nifi.apache.org and node2.nifi.apache.org being assigned the same certificate with a CN or SAN entry of *.nifi.apache.org) are not officially supported and not recommended. There are numerous disadvantages to using wildcard certificates, and a cluster working with wildcard certificates has occurred in previous versions out of lucky accidents, not intentional support. Wildcard SAN entries are acceptable if each cert maintains an additional unique SAN entry and CN entry.<HR /></BLOCKQUOTE><P>Even though you are not using an asterisk wildcard your single certificate doesn't meet the requirements of a unique SAN and CN entries and is not recommended/supported. You should have separate certificates for each host.<BR /><BR /></P><P>Cheers,</P><P>André</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 17 Feb 2022 22:41:58 GMT https://community.cloudera.com/t5/Support-Questions/Understanding-NiFi-Certificates-functionality/m-p/336546#M232294 araujo 2022-02-17T22:41:58Z https://community.cloudera.com/t5/Support-Questions/Understanding-NiFi-Certificates-functionality/m-p/336603#M232316 <P>Thanks Andre. Appreciate your help!</P> Fri, 18 Feb 2022 14:04:15 GMT https://community.cloudera.com/t5/Support-Questions/Understanding-NiFi-Certificates-functionality/m-p/336603#M232316 spserd 2022-02-18T14:04:15Z