Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

How we ignore hostname verification certificate for minifi iot device in invokehttp in NIFI

Labels:
avatar
author-rank nifirequest
New Member

Created ‎10-03-2025 03:40 AM

Hello Team,

Currently we use NiFi’s InvokeHTTP to send files to a MiNiFi IoT device. The MiNiFi listenhttp is configured in the YAML and we are calling the device with:

http + ip (device)+port

Security requires we move this to HTTPS. On the NiFi side we configured SSLServiceContext and added a truststore. On the MiNiFi device we configured listenhttp in its YAML and provided a keystore and truststore (certificates are not machine-signed). After switching to HTTPS we see a hostname verification error 

Question: is there a supported option in Cloudera / NiFi’s InvokeHTTP to use only a truststore and skip hostname verification? Alternatively, is there a recommended way to bypass or relax hostname verification on the MiNiFi side so the call succeeds?

 

Thanks

40 Views
0 Kudos
1 REPLY 1

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎10-03-2025 09:27 AM

@nifirequest 

Welcome to the community!

The Apache NiFi community decided to remove the trusted hostname property from InvokeHTTP back in the 1.10 release.  By having this property the processor allowed for an insecure connection because user could simply add the unverified hostname in this property and the InvokeHTTP processor would then allow the connection to be successful.  Thus allowing user to perhaps unknowingly be exposing themselves to unsecure connections.

This option was removed in https://issues.apache.org/jira/browse/NIFI-6019

The purpose of hostname verification is to prevent man in the middle style attacks where client expects to connect to host ABC; however, the server that responded was not known as server ABC.   All the possible hostnames a server is known as need to be included as SubjectAlternativeName (SAN) entries in the server certificate.  

The ERROR you received in your InvokeHTTP about "Hostname ABC not verified" should have also included the list of SubjectAltNames that came from the server's certificate.  You should be using one of those SAN entries in the URL you have configured in the InvokeHTTP processor or you  should address the certificate being used by the listenHTTP to include the additional SAN (IPs or hostnames) also used to access the MiNiFi listener.

For one-way TLS connection the server side (ListenHTTP) must have a keystore and truststore.  The client side (InvokeHTTP) must have a truststore configured.
For MutualTLS both the server side and client side need to have both a keystore and truststore.   
You can't create a secured TLS enabled server without a serverAuth certificate.
Hostname verification happens on the client side and not the server side.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

22 Views
0 Kudos
Announcements
What's New @ Cloudera
Upgrade Your Spark Experience: Introducing CDS 3.5 for Cloud...
Community Announcements
August 2025 Community Highlights
Community Announcements
July 2025 Community Highlights
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
Community Announcements
Join Us at CommunityOverCode Asia 2025: Exploring the Future...
View More Announcements