Support Questions
Find answers, ask questions, and share your expertise

Enabling SSL to access Nifi web UI: HTTPS hostname WRONG

Enabling SSL to access Nifi web UI: HTTPS hostname WRONG

Explorer

Hi,

I'd like to enable SSL for my Nifi cluster.

A few background:
- I have only 2 nodes: 1 Nifi node, 1 Ambari node.
- I followed this article to generate CA/keystore/truststore and client certification: https://community.hortonworks.com/articles/17293/how-to-create-user-generated-keys-for-securing-nif....

I restarted Nifi (things looks good in the log, I'm pretty sure Nifi is running since I saw some processor in my data flow such as PutCassandra is doing its job).
I imported the certificate to my browser as instructed in the article, I access the Nifi UI at: https://my_host_name.com:9091/nifi.
The page then show me Nifi logo with message: "ProcessingException: java.io.IOException: HTTPS hostname wrong: should be <my_host_name.com>"


- This is some setting from my nifi.property:
nifi.web.https.host=my_host_name.com.com
nifi.zookeeper.connect.string=my_host_name.com:2181,ambari_node:2181
nifi.remote.input.host=

- This is content of certification that I imported into my browser:

/usr/jdk64/jdk1.8.0_77/jre/bin/keytool -v -list -keystore server.p12 -storetype PKCS12
Enter keystore password:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: server
Creation date: Feb 7, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: EMAILADDRESS=myemail, CN=my_name_host.com, OU=Dev, O=xxx, L=Saint Petersburg, ST=FL, C=US
Issuer: EMAILADDRESS=issuer_email, CN=Ingestion, OU=Dev, O=Bloom, L=Saint Petersburg, ST=FL, C=US
Serial number: f8be97fb1daa21c8
Valid from: Thu Feb 07 08:53:09 EST 2019 until: Sun Feb 06 08:53:09 EST 2022
Certificate fingerprints:
MD5: D5:0F:C5:E6:48:99:FF:D3:8E:5E:42:80:81:29:2F:91
SHA1: A9:7B:8F:CC:E5:E8:E0:B1:6D:E8:AF:A7:6F:26:66:0C:18:BB:24:4C
SHA256: DD:61:2D:78:22:9A:B3:8F:A8:6B:74:86:B5:03:50:34:11:EF:D3:AB:70:32:58:93:8E:95:25:B0:37:04:66:E1
Signature algorithm name: SHA256withRSA
Version: 1

- The "CN" in my certificate looks exactly same with nifi server's hostname - why would I receive this error?

Would you give me some hints to troubleshoot it?

Thank you.

6 REPLIES 6

Re: Enabling SSL to access Nifi web UI: HTTPS hostname WRONG

Mentor

@Daniel Nguyen

The error being thrown " The page then show me Nifi logo with message: ProcessingException: java.io.IOException: HTTPS hostname wrong: should be <my_host_name.com>" Corresponds to your entry which looks incorrect typo error please can you resolve that and retry


103434-nifi.png

HTH

Re: Enabling SSL to access Nifi web UI: HTTPS hostname WRONG

Mentor

@Daniel Nguyen

Any updates?

Re: Enabling SSL to access Nifi web UI: HTTPS hostname WRONG

Explorer

Hi @Geoffrey Shelton Okot:

Thank you for taking a look. I'm sorry I didn't get notification from your response till now - my apology for that.

I confirmed the "nifi.web.https.host" changed to "my_host_name.com"; but still the same issue.

Re: Enabling SSL to access Nifi web UI: HTTPS hostname WRONG

Mentor

@Daniel Nguyen

I hope you replaced the "my_host_name.com" with the output of

$ hostname -f 

Meaning the FQDN of the nifi host just to be sure we have the same understanding?

Re: Enabling SSL to access Nifi web UI: HTTPS hostname WRONG

Explorer

Hi @Geoffrey Shelton Okot.

Thank you for the hint. I changed the name of that host.

The "hostname -f" now shows "my_host_name.com" correctly but still the same issue in the Nifi UI.

This is what I did:

  • Change hostname of host, confirm output of "hostname -f".
  • Restarted Nifi service.

Few logs from Nifi which would indicate Nifi picked up the change in hostname:

2019-02-13 09:06:20,577 INFO [main] o.a.nifi.web.server.HostHeaderHandler Determined 11 valid hostnames and IP addresses for incoming headers: 127.0.0.1, 127.0.0.1:9091, localhost, localhost:9091, [::1], [::1]:9091, my_host_name.com, my_host_name.com:9091, my_host_IP, my_host_IP:9091, 
2019-02-13 09:06:20,577 INFO [main] org.apache.nifi.web.server.JettyServer Created HostHeaderHandler [HostHeaderHandler for my_host_name.com:9091]

I'm accessing Nifi UI via: https://my_host_name.com:9091/nifi/; it then returns:

javax.ws.rs.ProcessingException: java.io.IOException: HTTPS hostname wrong:  should be <my_host_name.com>

This is content of my certification showed in Firefox:

Issued to: E=admin@abc.com,CN=my_host_name.com,OU=Dev,O=ABC,L=Saint Petersburg,ST=FL,C=US
Serial number: 00:F8:BE:97:FB:1D:AA:21:C8
Valid from February 7, 2019, 8:53:09 AM GMT-5 to February 6, 2022, 8:53:09 AM GMT-5
Email addresses: admin@abc.com
Issued by: E=dnn@abc.com,CN=Ingestion,OU=Dev,O=Bl,L=Saint Petersburg,ST=FL,C=US
Stored on: Software Security Device

Re: Enabling SSL to access Nifi web UI: HTTPS hostname WRONG

Explorer

Hi @Geoffrey Shelton Okot: Do you see anything I would do to troubleshoot this problem?