Enabling SSL to access Nifi web UI: HTTPS hostname WRONG

Explorer

Hi,

I'd like to enable SSL for my Nifi cluster.

Some background:
- I have only 2 nodes: 1 Nifi node, 1 Ambari node.
- I followed this article to generate the CA/keystore/truststore and client certificate: https://community.hortonworks.com/articles/17293/how-to-create-user-generated-keys-for-securing-nif....

I restarted Nifi (things look good in the log; I'm pretty sure Nifi is running since I saw that some processors in my data flow, such as PutCassandra, are doing their job).
I imported the certificate into my browser as instructed in the article, and I access the Nifi UI at: https://my_host_name.com:9091/nifi.
The page then shows me the Nifi logo with the message: "ProcessingException: java.io.IOException: HTTPS hostname wrong: should be <my_host_name.com>"


- These are some settings from my nifi.property:
nifi.web.https.host=my_host_name.com.com
nifi.zookeeper.connect.string=my_host_name.com:2181,ambari_node:2181
nifi.remote.input.host=

- This is the content of the certificate that I imported into my browser:

/usr/jdk64/jdk1.8.0_77/jre/bin/keytool -v -list -keystore server.p12 -storetype PKCS12
Enter keystore password:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: server
Creation date: Feb 7, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: EMAILADDRESS=myemail, CN=my_name_host.com, OU=Dev, O=xxx, L=Saint Petersburg, ST=FL, C=US
Issuer: EMAILADDRESS=issuer_email, CN=Ingestion, OU=Dev, O=Bloom, L=Saint Petersburg, ST=FL, C=US
Serial number: f8be97fb1daa21c8
Valid from: Thu Feb 07 08:53:09 EST 2019 until: Sun Feb 06 08:53:09 EST 2022
Certificate fingerprints:
MD5: D5:0F:C5:E6:48:99:FF:D3:8E:5E:42:80:81:29:2F:91
SHA1: A9:7B:8F:CC:E5:E8:E0:B1:6D:E8:AF:A7:6F:26:66:0C:18:BB:24:4C
SHA256: DD:61:2D:78:22:9A:B3:8F:A8:6B:74:86:B5:03:50:34:11:EF:D3:AB:70:32:58:93:8E:95:25:B0:37:04:66:E1
Signature algorithm name: SHA256withRSA
Version: 1

- The "CN" in my certificate looks exactly the same as the nifi server's hostname. Why would I receive this error?

Would you give me some hints to troubleshoot it?

Thank you.

Master Mentor

@Daniel Nguyen

The error being thrown, "The page then show me Nifi logo with message: ProcessingException: java.io.IOException: HTTPS hostname wrong: should be <my_host_name.com>", corresponds to your entry, which looks incorrect (a typo error). Please can you resolve that and retry?


103434-nifi.png

HTH

Master Mentor

@Daniel Nguyen

Any updates?

Explorer

Hi @Geoffrey Shelton Okot:

Thank you for taking a look. I'm sorry I didn't get a notification of your response till now - my apologies for that.

I confirmed that "nifi.web.https.host" is changed to "my_host_name.com", but it's still the same issue.

Master Mentor

@Daniel Nguyen

I hope you replaced the "my_host_name.com" with the output of

$ hostname -f 

Meaning the FQDN of the nifi host just to be sure we have the same understanding?

Explorer

Hi @Geoffrey Shelton Okot.

Thank you for the hint. I changed the name of that host.

The "hostname -f" now shows "my_host_name.com" correctly but still the same issue in the Nifi UI.

This is what I did:

  • Changed the hostname of the host, confirmed the output of "hostname -f".
  • Restarted Nifi service.

A few logs from Nifi which would indicate that Nifi picked up the change in hostname:

2019-02-13 09:06:20,577 INFO [main] o.a.nifi.web.server.HostHeaderHandler Determined 11 valid hostnames and IP addresses for incoming headers: 127.0.0.1, 127.0.0.1:9091, localhost, localhost:9091, [::1], [::1]:9091, my_host_name.com, my_host_name.com:9091, my_host_IP, my_host_IP:9091, 
2019-02-13 09:06:20,577 INFO [main] org.apache.nifi.web.server.JettyServer Created HostHeaderHandler [HostHeaderHandler for my_host_name.com:9091]

I'm accessing Nifi UI via: https://my_host_name.com:9091/nifi/; it then returns:

javax.ws.rs.ProcessingException: java.io.IOException: HTTPS hostname wrong:  should be <my_host_name.com>

This is the content of my certificate as shown in Firefox:

Issued to: E=admin@abc.com,CN=my_host_name.com,OU=Dev,O=ABC,L=Saint Petersburg,ST=FL,C=US
Serial number: 00:F8:BE:97:FB:1D:AA:21:C8
Valid from February 7, 2019, 8:53:09 AM GMT-5 to February 6, 2022, 8:53:09 AM GMT-5
Email addresses: admin@abc.com
Issued by: E=dnn@abc.com,CN=Ingestion,OU=Dev,O=Bl,L=Saint Petersburg,ST=FL,C=US
Stored on: Software Security Device

Explorer

Hi @Geoffrey Shelton Okot: Do you see anything I could do to troubleshoot this problem?
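
The comparison this thread makes by hand (certificate names against nifi.web.https.host, the "hostname -f" output and the host in the browser URL), as an added Python example that is not part of any post above. The sample inputs are constructed from the values quoted in the first post, the function names are hypothetical, and the rule "use SAN DNS names when present, otherwise the CN" is an assumption about the verifying client.

```python
import re

# Constructed sample inputs modelled on the values quoted in the first post.
NIFI_PROPERTIES = """\
nifi.web.https.host=my_host_name.com.com
nifi.remote.input.host=
"""
KEYTOOL_OUTPUT = """\
Certificate[1]:
Owner: EMAILADDRESS=myemail, CN=my_name_host.com, OU=Dev, O=xxx, C=US
Issuer: EMAILADDRESS=issuer_email, CN=Ingestion, OU=Dev, O=Bloom, C=US
Version: 1
"""

def read_property(text, key):
    """Return the value of `key` from nifi.properties text, or None."""
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and not name.startswith("#") and name.strip() == key:
            return value.strip()
    return None

def leaf_cert_names(keytool_text):
    """Names the first certificate in `keytool -v -list` output vouches for."""
    leaf = keytool_text.split("Certificate[2]:")[0]  # ignore the CA certificate
    sans = re.findall(r"^\s*DNSName:\s*(\S+)", leaf, re.M)
    if sans:  # assumption: the client uses SAN DNS names when present, else CN
        return sans
    owner = re.search(r"^Owner:.*?\bCN=([^,\n]+)", leaf, re.M)
    return [owner.group(1).strip()] if owner else []

def name_matches(pattern, host):
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):  # wildcard covers exactly one left-most label
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def check(url_host, fqdn, props_text, keytool_text):
    """Return one finding per hostname the certificate does not cover."""
    names = leaf_cert_names(keytool_text)
    candidates = {
        "browser URL host": url_host,
        "hostname -f": fqdn,
        "nifi.web.https.host": read_property(props_text, "nifi.web.https.host"),
    }
    return [f"{label} {value!r} not covered by certificate names {names}"
            for label, value in candidates.items()
            if not value or not any(name_matches(n, value) for n in names)]
```

An empty list from check() means every hostname in play is covered by the server certificate; each finding names the value that differs, character for character, from what the certificate presents.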