
Error Securing NiFi Cluster with a Single Certificate Across 3 Nodes


I have a NiFi cluster consisting of 3 nodes, and I secured the cluster using a single signed certificate for all nodes. However, I am encountering an error that I suspect might be due to using just one certificate.

Error Details:

- Logs: 

[Replicate Request Thread-25] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to  nifi01:8443 due to javax.net.ssl.SSLPeerUnverifiedException: Hostname nifi01 not verified:
    certificate: sha256/*********/GessD8=
    DN: CN=nifi01
    subjectAltNames: [nifi03,nifi02]
2024-06-13 17:34:07,555 WARN [Replicate Request Thread-25] o.a.n.c.c.h.r.ThreadPoolRequestReplicator
javax.net.ssl.SSLPeerUnverifiedException: Hostname nifi01 not verified:
    certificate: sha256/************/GessD8=
    DN: CN=nifi01
    subjectAltNames: [nifi03,nifi02]
        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:389)
        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
        at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
        at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
        at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
        at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
        at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
        at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
        at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:136)
        at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:130)
        at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:645)
        at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:869)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:750)

Could using a single certificate for all three nodes (imported in the truststore of all nodes) be causing this issue? Any guidance or best practices would be greatly appreciated.
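
The log in the post shows nifi01 rejected even though the certificate subject is CN=nifi01, which is consistent with hostname verification that consults only the subjectAltName entries. The following triage script is an added example, not part of the original post or of NiFi; it parses that exception message and lists which cluster node names no SAN entry covers. The function names and the SAN-only matching rule are assumptions of this example.

```python
import re

# Excerpt of the exception message from the post above (hash masked as posted).
SAMPLE_LOG = """\
javax.net.ssl.SSLPeerUnverifiedException: Hostname nifi01 not verified:
    certificate: sha256/*********/GessD8=
    DN: CN=nifi01
    subjectAltNames: [nifi03,nifi02]
"""

# Matches the multi-line "not verified" message and captures host, DN and SAN list.
EVENT = re.compile(
    r"Hostname (?P<host>\S+) not verified:\s*"
    r"certificate: \S+\s*"
    r"DN: (?P<dn>[^\n]+)\s*"
    r"subjectAltNames: \[(?P<sans>[^\]]*)\]"
)


def san_matches(hostname, san):
    """Case-insensitive DNS match; '*' is honoured only as the entire left-most label."""
    host, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        _, _, parent = host.partition(".")  # wildcard stands for exactly one label
        return parent != "" and parent == san[2:]
    return host == san


def parse_failures(log_text):
    """Return one dict per 'Hostname ... not verified' event in the log text."""
    events = []
    for m in EVENT.finditer(log_text):
        sans = [s.strip() for s in m.group("sans").split(",") if s.strip()]
        events.append({"host": m.group("host"), "dn": m.group("dn").strip(), "sans": sans})
    return events


def uncovered_nodes(nodes, sans):
    """Node names that no SAN entry matches; the subject CN is deliberately not consulted."""
    return [n for n in nodes if not any(san_matches(n, s) for s in sans)]


if __name__ == "__main__":
    cluster = ["nifi01", "nifi02", "nifi03"]  # node names as they appear in the post
    for ev in parse_failures(SAMPLE_LOG):
        missing = uncovered_nodes(cluster, ev["sans"])
        print(f"{ev['host']}: subject {ev['dn']}, SANs {ev['sans']}, not covered: {missing}")
```
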

 

2 ACCEPTED SOLUTIONS


@helk Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @SAMSAL @MattWho  who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.


Regards,

Diana Torres,
Community Moderator

