Support Questions

Find answers, ask questions, and share your expertise

Apache Nifi Invalid SNI

avatar
New Contributor

Hello i just installed APACHE Nifi in Linux CentOS and for testing purposes i have this configuration in nifi.properties <pre>nifi.web.https.host=127.0.0.1 nifi.web.https.port=8443 </pre> I saw a solution from here saying that Jetty 10 doesn't accept IP address but instead hostnames, so what I did was to change etc/hosts to 127.0.0.1 -> nifi.local and used that nifi.web.https.host=nifi.local for the configuration of the nifi.properties file. I run in browser https://nifi.local:8443 and i get the same error:( Can someone assist please?

`HTTP ERROR 400 Invalid SNI URI: /nifi STATUS: 400 MESSAGE: Invalid SNI SERVLET: - CAUSED BY: org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI Caused by:

org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266) at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207) at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1594) at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501) at org.eclipse.jetty.server.HttpChannel.run(HttpChannel.java:461) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969) at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194) at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149) at java.base/java.lang.Thread.run(Thread.java:1583)

5 REPLIES 5

avatar
New Contributor

Just to update on what I use. Is latest Nifi 2.0 with Java 21. I double tripled check the nifi.properties file and straight out of the box the keystorep12 and truststorep12 files seem correct. I tried many combinations of IP addresses in the nifi.web.https.host field including raw adresses and hostnames but nothing works for me.. If someone with more experience could help me i would greatly appreciate it! 

avatar
New Contributor

did you find a solution ? @Vas 

avatar
Master Mentor

@Vas 
The straight out of the box generated keystore and truststore will not have "nifi.local" as a SAN entry.  

You could generate your own keystore and truststore with needed SAN entry(s).

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt



avatar
Super Guru

Hi,

In 2.0 , the only thing that worked specially if you use out of the box ssl configuration is placing localhost in nifi.web.https.host property. To use the machine FQDN you need to configure new ssl truststore and keystore against that domain.

avatar
Expert Contributor