I'd like to enable SSL for my Nifi cluster.
Some background:
- I have only 2 nodes: 1 Nifi node, 1 Ambari node.
- I followed this article to generate the CA/keystore/truststore and client certificate: https://community.hortonworks.com/articles/17293/how-to-create-user-generated-keys-for-securing-nif....
I restarted Nifi (things look good in the log; I'm pretty sure Nifi is running since I saw that some processors in my data flow, such as PutCassandra, are doing their job).
I imported the certificate into my browser as instructed in the article, and I access the Nifi UI at: https://my_host_name.com:9091/nifi.
The page then shows me the Nifi logo with the message: "ProcessingException: java.io.IOException: HTTPS hostname wrong: should be <my_host_name.com>"
- These are some settings from my nifi.property:
- This is the content of the certificate that I imported into my browser:
/usr/jdk64/jdk1.8.0_77/jre/bin/keytool -v -list -keystore server.p12 -storetype PKCS12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: server
Creation date: Feb 7, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Owner: EMAILADDRESS=myemail, CN=my_name_host.com, OU=Dev, O=xxx, L=Saint Petersburg, ST=FL, C=US
Issuer: EMAILADDRESS=issuer_email, CN=Ingestion, OU=Dev, O=Bloom, L=Saint Petersburg, ST=FL, C=US
Serial number: f8be97fb1daa21c8
Valid from: Thu Feb 07 08:53:09 EST 2019 until: Sun Feb 06 08:53:09 EST 2022
Signature algorithm name: SHA256withRSA
- The "CN" in my certificate looks exactly the same as the nifi server's hostname - why would I receive this error?
Would you give me some hints to troubleshoot it?
Hi @Geoffrey Shelton Okot:
Thank you for taking a look. I'm sorry I didn't get a notification of your response until now - my apologies for that.
I confirmed the "nifi.web.https.host" changed to "my_host_name.com"; but still the same issue.
Thank you for the hint. I changed the name of that host.
The "hostname -f" now shows "my_host_name.com" correctly but still the same issue in the Nifi UI.
This is what I did:
A few logs from Nifi which would indicate Nifi picked up the change in hostname:
2019-02-13 09:06:20,577 INFO [main] o.a.nifi.web.server.HostHeaderHandler Determined 11 valid hostnames and IP addresses for incoming headers: 127.0.0.1, 127.0.0.1:9091, localhost, localhost:9091, [::1], [::1]:9091, my_host_name.com, my_host_name.com:9091, my_host_IP, my_host_IP:9091,
2019-02-13 09:06:20,577 INFO [main] org.apache.nifi.web.server.JettyServer Created HostHeaderHandler [HostHeaderHandler for my_host_name.com:9091]
I'm accessing Nifi UI via: https://my_host_name.com:9091/nifi/; it then returns:
javax.ws.rs.ProcessingException: java.io.IOException: HTTPS hostname wrong: should be <my_host_name.com>
This is the content of my certificate as shown in Firefox:
Issued to: Eemail@example.com,CN=my_host_name.com,OU=Dev,O=ABC,L=Saint Petersburg,ST=FL,C=US
Serial number: 00:F8:BE:97:FB:1D:AA:21:C8
Valid from February 7, 2019, 8:53:09 AM GMT-5 to February 6, 2022, 8:53:09 AM GMT-5
Email addresses: firstname.lastname@example.org
Issued by: Eemail@example.com,CN=Ingestion,OU=Dev,O=Bl,L=Saint Petersburg,ST=FL,C=US
Stored on: Software Security Device