NIFI: tls-toolkit.sh - error when generating client certificates

Hello. I am trying to use the tls-toolkit.sh utility to create some client certificates. We are running HDF-2.1.4.0 which is NIFI version 1.1.0. We have a two node cluster with the Certificate Authority installed on one of the two servers. We are running the commands below as root.

I am using this as a reference -

https://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.1.4/bk_administration/content/client.html

I am running the command from -

/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-$version

Command is the following - tls-toolkit.sh client -c servername.domain.com -D "CN=admin, OU=NIFI" -t nifi -p 10443 -T pkcs12

When I run this command I get an error like this:

tls-toolkit.sh: JAVA_HOME not set; results may vary
2017/08/09 10:08:18 INFO [main] org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine: Command line argument --keyStoreType=pkcs12 only applies to keystore, recommended truststore type of JKS unaffected.
2017/08/09 10:08:19 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateAuthorityClient: Requesting new certificate from servername.domain.com:10443
2017/08/09 10:08:19 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateSigningRequestPerformer: Requesting certificate with dn CN=admin,OU=NIFI.maritz.com from servername.domain.com:10443
Service client error: Received response code 500 with payload <html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 500 </title>
</head>
<body>
<h2>HTTP ERROR: 500</h2>
<p>Problem accessing /. Reason:
<pre> javax.servlet.ServletException: Server error</pre></p>
<hr /><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.3.9.v20160517</a><hr/>
</body>
</html>

In the /var/log/nifi/nifi-ca.std.out file I see this:

2017/08/09 13:29:31 WARN [qtp1653844940-8] org.eclipse.jetty.server.HttpChannel: https://servername.domain.com:10443/
javax.servlet.ServletException: Server error
at org.apache.nifi.toolkit.tls.service.server.TlsCertificateAuthorityServiceHandler.handle(TlsCertificateAuthorityServiceHandler.java:99)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
at org.eclipse.jetty.server.Server.handle(Server.java:524)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:319)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:253)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:186)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
at java.lang.Thread.run(Thread.java:745)

Any suggestions on what it might be looking for?

Thanks in advance

Kirk

Hi Kirk DeMumbrane,

In the below command,

tls-toolkit.sh client -c servername.domain.com -D "CN=admin, OU=NIFI" -t nifi -p 10443 -T pkcs12

-t is the CA token, which must be at least 16 characters long.

Cheers,

Sarath Tammisetty.
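
A pre-flight wrapper for the command in this thread, added here as an example (it is not part of the reply or of the NiFi toolkit): it rejects a CA token shorter than the 16 characters mentioned above before the request is sent, so the failure is reported locally instead of as an opaque HTTP 500. The function names and the TLS_TOOLKIT variable are hypothetical.

```shell
#!/bin/sh
# Added example: validate the CA token before calling tls-toolkit.sh.
# MIN_TOKEN_LEN follows the 16-character minimum stated in the reply.
MIN_TOKEN_LEN=16

# Return 0 when the token meets the minimum length.
token_ok() {
    [ "${#1}" -ge "$MIN_TOKEN_LEN" ]
}

# Print a fresh random token: 16 bytes from the kernel CSPRNG,
# hex-encoded to 32 characters.
new_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Usage: request_client_cert TOKEN CA_HOST DN PORT
# Runs the same client command as in the question, but only after the
# token check passes. TLS_TOOLKIT (hypothetical) overrides the script path.
request_client_cert() {
    token=$1
    ca_host=$2
    dn=$3
    port=$4

    if ! token_ok "$token"; then
        echo "refusing: CA token is ${#token} characters," \
             "need at least $MIN_TOKEN_LEN" >&2
        return 2
    fi

    "${TLS_TOOLKIT:-./tls-toolkit.sh}" client \
        -c "$ca_host" -D "$dn" -t "$token" -p "$port" -T pkcs12
}

# Example call (hostname and DN taken from the question):
#   request_client_cert "$(new_token)" servername.domain.com "CN=admin, OU=NIFI" 10443
```

The token is a secret shared with the Certificate Authority, so a newly generated value has to be configured on the CA side as well before the client request can succeed.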