Tom,

I responded to your E-mail on the user group. The information here seems a little bit different. I see the error "Peer certificate cannot be authenticated" This is an error through curl when target SSL chain cannot be authenticated. I see some messages which show empty certs. Can you provide your configuration yaml?

The agent should attempt to use the procedures linked by @Timothy Spann for backwards compatibility ; however, it seems that from the following lines, there is a context service or the paths found were not good ( it's actually supposed to print a path before 'not good') . If you can provide your configuration YAML we should be able to help:

1. [2018-03-10 19:13:58.149] [org::apache::nifi::minifi::controllers::SSLContextService] [info] not good
2. [2018-03-10 19:13:58.149] [org::apache::nifi::minifi::controllers::SSLContextService] [warning] still not good

Also please make the following change.

nifi.https.*

should be

nifi.remote.input.secure=true

nifi.security.need.ClientAuth=true

nifi.security.client.certificate=XXX

nifi.security.client.private.key=XXX

nifi.security.client.pass.phrase=XXX

nifi.security.client.ca.certificate=XXX

nifi.remote.input.socket.port=XXX

Are you attempting to use HTTP site to site?

You will then need to add the following

nifi.remote.input.http.enabled=true

Please note you will not need to define an SSLContextService. To maintain backwards compatibility we will generate one internally for you using the above settings. Thanks

Thanks for your reply @mparisi, and also through the forums. My config.yml is below but to answer/query a few of your other queries:

- Yes, I'm using HTTP rather than RAW. Its worked fine with all SSL security switched off at both ends but fails when I try to put SSL in place.

- I have nifi.remote.input.http.enabled=true at the nifi end, and assume if I didn't then it wouldn't work with or without security?

- I have all of those settings you have specified in minifi.properties set up (you will see on the pastebin I linked) but as nifi.https... rather than nifi.security... is this a change because I was using the minifi.properties file that came from the repo? The only setting I don't have is nifi-remote.input.socket.port but is this required for HTTP or just for RAW?

MiNiFi Config Version: 3
Flow Controller:
  name: collect_squid-0 0 3
  comment: ''
Core Properties:
  flow controller graceful shutdown period: 10 sec
  flow service write delay interval: 500 ms
  administrative yield duration: 30 sec
  bored yield duration: 10 millis
  max concurrent threads: 1
  variable registry properties: ''
FlowFile Repository:
  partitions: 256
  checkpoint interval: 2 mins
  always sync: false
  Swap:
    threshold: 20000
    in period: 5 sec
    in threads: 1
    out period: 5 sec
    out threads: 4
Content Repository:
  content claim max appendable size: 10 MB
  content claim max flow files: 100
  always sync: false
Provenance Repository:
  provenance rollover time: 1 min
  implementation: org.apache.nifi.provenance.MiNiFiPersistentProvenanceRepository
Component Status Repository:
  buffer size: 1440
  snapshot frequency: 1 min
Security Properties:
  keystore: ''
  keystore type: ''
  keystore password: ''
  key password: ''
  truststore: ''
  truststore type: ''
  truststore password: ''
  ssl protocol: ''
  Sensitive Props:
    key:
    algorithm: PBEWITHMD5AND256BITAES-CBC-OPENSSL
    provider: BC
Processors:
- id: 7e56473a-44c9-3c1a-0000-000000000000
  name: Get_access.log
  class: org.apache.nifi.processors.standard.TailFile
  max concurrent tasks: 1
  scheduling strategy: TIMER_DRIVEN
  scheduling period: 10 sec
  penalization period: 30 sec
  yield period: 1 sec
  run duration nanos: 0
  auto-terminated relationships list: []
  Properties:
    File Location: Local
    File to Tail: /var/log/squid/access.log
    Initial Start Position: Beginning of File
    Rolling Filename Pattern:
    tail-base-directory:
    tail-mode: Single file
    tailfile-lookup-frequency: 10 minutes
    tailfile-maximum-age: 24 hours
    tailfile-recursive-lookup: 'false'
- id: de9e8a3f-3cc3-356b-0000-000000000000
  name: UpdateAttribute
  class: org.apache.nifi.processors.attributes.UpdateAttribute
  max concurrent tasks: 1
  scheduling strategy: TIMER_DRIVEN
  scheduling period: 0 sec
  penalization period: 30 sec
  yield period: 1 sec
  run duration nanos: 0
  auto-terminated relationships list: []
  Properties:
    Delete Attributes Expression:
    Stateful Variables Initial Value:
    Store State: Do not store state
    host_name: ${hostname()}
    tenant: '''TheBerties'''
  annotation data: |-
    <criteria>
        <flowFilePolicy>USE_ORIGINAL</flowFilePolicy>
    </criteria>
Controller Services: []
Process Groups: []
Input Ports: []
Output Ports: []
Funnels: []
Connections:
- id: 2f59bfb7-7564-31d9-0000-000000000000
  name: Get_access.log/success/UpdateAttribute
  source id: 7e56473a-44c9-3c1a-0000-000000000000
  source relationship names:
  - success
  destination id: de9e8a3f-3cc3-356b-0000-000000000000
  max work queue size: 10
  max work queue data size: 500 MB
  flowfile expiration: 0 sec
  queue prioritizer class: ''
- id: e82df80d-1992-3ce4-0000-000000000000
  name: UpdateAttribute/success/05664ac9-0162-1000-0000-00000c9a533d
  source id: de9e8a3f-3cc3-356b-0000-000000000000
  source relationship names:
  - success
  destination id: 05664ac9-0162-1000-0000-00000c9a533d
  max work queue size: 10
  max work queue data size: 500 MB
  flowfile expiration: 0 sec
  queue prioritizer class: ''
Remote Process Groups:
- id: 42ac92f5-eeba-33a1-0000-000000000000
  name: ''
  url: https://nifi1.dev.cyhesion.com:9091/nifi
  comment: ''
  timeout: 30 sec
  yield period: 10 sec
  transport protocol: HTTP
  proxy host: ''
  proxy port: ''
  proxy user: ''
  proxy password: ''
  local network interface: ''
  Input Ports:
  - id: 05664ac9-0162-1000-0000-00000c9a533d
    name: Received_from_Minifi
    comment: ''
    max concurrent tasks: 1
    use compression: false
  Output Ports: []
NiFi Properties Overrides: {}

Many thanks for your support,

Tom

Further to my last, I've changed the nifi.https... to nifi.security... (sorry @Timothy Spann, I hadn't noticed the difference between the provided minifi.properties and the article). I have also put in an entry for nifi.remote.input.http.enabled=true and one for the nifi.remote.input.socket.port=XXX. My minfi.properties is now as follows:

# Core Properties #
nifi.version=0.1.0
nifi.flow.configuration.file=./conf/config.yml
nifi.administrative.yield.duration=30 sec
# If a component has no work to do (is "bored"), how long should we wait before checking again for work?
nifi.bored.yield.duration=10 millis
# Provenance Repository #
nifi.provenance.repository.directory.default=${MINIFI_HOME}/provenance_repository
nifi.provenance.repository.max.storage.time=1 MIN
nifi.provenance.repository.max.storage.size=1 MB
nifi.flowfile.repository.directory.default=${MINIFI_HOME}/flowfile_repository
nifi.database.content.repository.directory.default=${MINIFI_HOME}/content_repository
nifi.remote.input.secure=true
nifi.security.need.ClientAuth=true
nifi.security.client.certificate=./conf/keystore.pem
nifi.security.client.private.key=./conf/keystore.key
nifi.security.client.pass.phrase=./conf/password
nifi.security.client.ca.certificate=./conf/nifi-cert.pem
nifi.remote.input.socket.port=8022
nifi.remote.input.http.enabled=true
#nifi.rest.api.user.name=admin
#nifi.rest.api.password=password
## enable the controller socket provider on port 9998
controller.socket.host=localhost
controller.socket.port=9998

This has removed the SSLContextService issues but it still isn't working. The outstanding errors are listed below.

Thank you for your support and patience. Tom

[2018-03-11 21:09:04.071] [org::apache::nifi::minifi::utils::HTTPClient] [error] curl_easy_perform() failed Peer certificate cannot be authenticated with given CA certificates

[2018-03-11 21:09:04.071] [org::apache::nifi::minifi::RemoteProcessorGroupPort] [error] ProcessGroup::refreshRemoteSite2SiteInfo -- curl_easy_perform() failed

[2018-03-11 21:09:04.071] [org::apache::nifi::minifi::c2::C2Agent] [info] Class is RESTSender
[2018-03-11 21:09:04.073] [org::apache::nifi::minifi::io::Socket] [error] Could not bind to socket
[2018-03-11 21:09:04.074] [org::apache::nifi::minifi::FlowController] [info] Started Flow Controller
[2018-03-11 21:09:04.074] [main] [info] MiNiFi started

Thanks again @Timothy Spann for your support and extensive reply. I've got a couple of questions as a result (-) and replies to yours (+):

- Does minifi use anything other than the https REST API port (in my case 9091) when communicating over secure http sms or does the raw socket also get used?

- Do you know which version from GitHub was used to build the binaries on the Hortonworks centos 7 repo?

+ At the moment I'm operating as root with firewalls disabled at both ends while I try to get things working.

+ I did see the thread in your first link, but it was unclear whether the issue was resolved.

+ Your second link seems to relate to RAW s2s; it's this relevant for http s2s?

+ the book was a great help from the outset, and I used it extensively to get things working. But it hasn't been particularly useful in getting an https link in place

I think my next option had to be building from the latest source, but can't help but feel that there is something fairly simple I'm doing wrong of lots of other people are using the bins on the repo effectively.

Yours, Tom

@mparisi, that is an awesome response, which I will try to action this evening when I'm able to get close enough to my environment to play around. The guilty minifi.properties file is the one contained in the Hortonworks bin for Centos 7 at http://public-repo-1.hortonworks.com/HDF/centos7/3.x/updates/3.1.1.0/tars/nifi-minifi-cpp/nifi-minif...

Many thanks and I'll get back to you (hopefully with a positive resolution), Tom

And to answer your other question @mparisi, yes I'm using Nifi CA and generating certs with tls-toolkit.

Thanks for your response and suggestions @Timothy Spann. I've tested the certs and they seem to be OK. I'm getting a self-signed response of 19 and when I have copied the CA cert into /etc/pki/ca-trust/source/anchors/ it responds 0(OK). Still not joy in getting things connected though. I'm about to start a fresh build from source in the hope that will change things.

Sounds good. Someone from engineering hopefully will help you run this down. I am trying to think what other logs might be useful to post to spot something odd.

In addition to the above response, on my prior response I mentioned that I was getting a domain error after adding my cert to the CA bundle and using the above fix but re-issues my cert so that the domain matched the certificate.

@Tom Burton Thanks for the info. I'll investigate with that profile and make any changes that are needed in the PR, above. Thanks!

That may lock down more things. Maybe you need a stronger cert instead of defaults.