HDF Nifi doesn't start due to Nifi CA failure

I have an HDF NiFi 2.4 cluster (on Ambari) installed on Ubuntu 14.04 on my laptop. All my services have started except NiFi, due to failure of the NiFi Certificate Authority. I have generated my own certs, and assigned and configured my keystore and truststore for enabled SSL. However, the service is not starting. Kindly suggest a workaround. Also, is it possible to start NiFi without NiFi CA (i.e. without enabling SSL) for a standalone installation? If so, how can I change my conf so that it does not look up the NiFi CA during the start service request?

Note: For reference I am attaching my error txt files for Nifi, Nifi CA and nifi.properties

Please suggest a solution for both ssl enabled and ssl less HDF environment (In Ambari)

Thanks

Contributor

Hi @Saurabh Verma

If you want to generate all your own certificates, you don't need the NiFi Certificate Authority. You should be able to remove it through the Ambari interface by selecting the hosts section at the top, clicking on the only entry in there (your laptop) and selecting to remove NiFi CA from that host on the next page.

During a fresh install, if you don't want to use it, it should not be assigned to any nodes during the setup wizard portion for clients and slave services.

NiFi CA exists to make the configuration of TLS security easier when you don't want/need full control over certificate generation. To use it, you just have to have it on a node, check the enable ssl checkbox, and set the initial admin, token, and node identities. It takes care of all keystore and truststore generation.

Thanks @Brosander for your quick reply.

Even though I deleted the NiFi CA service from my host, I am still unable to start my NiFi. It is generating the same error as attached with my previous mail.

Now I added it again and tried troubleshooting with the failed command from this error file, and I found that it is refusing the connection when I am trying to generate the keystore:

./files/nifi-toolkit-1.1.0.2.1.1.0-2/bin/tls-toolkit.sh client -c latitude -D 'CN=admin, OU=NIFI' -p 10443 -t some$tring

and I get a CONNECTION REFUSED error with the following info:

INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateSigningRequestPerformer: Requesting certificate with dn CN=admin,OU=NIFI from latitude:10443 Service client error: Connect to latitude:10443 [latitude/127.0.0.1] failed: Connection refused (Connection refused)

Please help get this resolved.

Contributor

Could you please attach a screenshot of the summary screen for NiFi? (If you click on the NiFi section on the left of the screen in summary view)
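
An added example, not part of the original thread or of NiFi's own tooling: a pre-flight check for the "Connection refused" error quoted in the thread above. It parses the tls-toolkit client message, retries the TCP connection to the address the client resolved, and reports whether anything is listening on the CA port; the function names are hypothetical and the sample line is copied from the post.

```python
import ipaddress
import re
import socket

# Constructed sample: the client error text quoted in the thread above.
SAMPLE = ("Service client error: Connect to latitude:10443 "
          "[latitude/127.0.0.1] failed: Connection refused (Connection refused)")
ERR_RE = re.compile(r"Connect to (?P<host>[^:\s]+):(?P<port>\d+) "
                    r"\[[^/\]]*/(?P<ip>[^\],]+)[^\]]*\] failed: (?P<reason>[^(]+)")


def parse_client_error(text):
    """Pull CA host, port, resolved address and reason out of the error text."""
    m = ERR_RE.search(text)
    if not m:
        return None
    return {"host": m["host"], "port": int(m["port"]), "ip": m["ip"],
            "reason": m["reason"].strip(),
            "loopback": ipaddress.ip_address(m["ip"]).is_loopback}


def probe(ip, port, timeout=2.0):
    """TCP connect test: returns 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def diagnose(text):
    """Re-test the address the client tried and say what the result means."""
    info = parse_client_error(text)
    if info is None:
        return "no tls-toolkit connect error found"
    state = probe(info["ip"], info["port"])
    where = "this host (loopback)" if info["loopback"] else info["ip"]
    if state == "refused":  # host reachable, typically no process bound to the port
        return f"port {info['port']} on {where}: no listener, start the CA service first"
    if state == "open":
        return f"port {info['port']} on {where}: listening now, rerun the client"
    return f"port {info['port']} on {where}: {state}, check name resolution and firewall"


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

Run it on the machine where the client command failed; a "no listener" result means the certificate request never reached a CA process, so the token and DN were never evaluated.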
