Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

NiFi Error javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

NiFi Error javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

New Contributor

Current version: 1.6.0
Upgrade version: 1.8.0

Applying the cluster, accessing the ui results in an error.

(x.x.x.x is hostname, my server ip..)

The key was not created as a wildcard.


---UI Error---

javax.net.ssl.SSLPeerUnverifiedException: Hostname x.x.x.x not verified: certificate: sha256/cj+QcD4F2YafhbXSeRmuLznbS24EWVhAvCbU71aVGWo= DN: CN=x,x,x,x, OU=NIFI subjectAltNames: [x.x.x.x]


---api access error---

https://x.x.x.x:1234/nifi-api/flow/current-user

javax.net.ssl.SSLPeerUnverifiedException: Hostname x.x.x.x not verified:    certificate: sha256/!!!#$@!#qtA3h/Nhqm7wcLzM=    DN: CN=x.x.x.x, OU=NIFI    subjectAltNames: [x.x.x.x]

---log Error---

2019-04-08 08:26:28,522 WARN [Replicate Request Thread-5] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to x.x.x.x:9443 due to javax.net.ssl.SSLPeerUnverifiedException: Hostname x.x.x.x not verified:
 certificate: sha256/IiBnANAzEOL~~~qm7wcLzM=
 DN: CN=x.x.x.x, OU=NIFI
 subjectAltNames: [x.x.x.x]
2019-04-08 08:26:28,523 WARN [Replicate Request Thread-5] o.a.n.c.c.h.r.ThreadPoolRequestReplicator
javax.net.ssl.SSLPeerUnverifiedException: Hostname x.x.x.x not verified:
certificate: sha256/IiBnANAzEOLVg+DipeiOT+fkIDpqtA3h/Nhqm7wcLzM=
DN: CN=x.x.x.x, OU=NIFI
subjectAltNames: [x.x.x.x]
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:316)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:270)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:162)
at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:257)
at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:126)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
at okhttp3.RealCall.execute(RealCall.java:77)
at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:138)
at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:132)
at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:647)
at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:839)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)


--- keystore.jks------

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Apr 5, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=x.x.x.x, OU=NIFI
Issuer: CN=x.x.x.x, OU=NIFI
Serial number: 169ec64~~~~00
Valid from: Fri Apr 05 07:26:15 UTC 2019 until: Mon Apr 04 07:26:15 UTC 2022
Certificate fingerprints:
MD5: 6B:70:04~~6:FF:CD:D1:29:E4
SHA1: 88:~~~~:AE:8B:9B:10:BF:F4
SHA256: 90:5A:FA:AF:B7:~~~~:7F:CE:89:95:64:BC:C1:53:E8:E6:58:30:7B:AC
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C8 B4~~~~~~~~ D0 12 8D A4 5C ...oNB.(.......\
0010: 1D 6C 42 FC .lB.
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
 clientAuth
 serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
 DNSName: x.x.x.x
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0B F7 ~~F5 2C B8 ..Y.vu..?P....,.
0010:~~7 32 ...2
]
]

Certificate[2]:
Owner: CN=x.x.x.x, OU=NIFI
Issuer: CN=x.x.x.x, OU=NIFI
Serial number: 169ec64~~000000
Valid from: Fri Apr 05 07:26:15 UTC 2019 until: Mon Apr 04 07:26:15 UTC 2022
Certificate fingerprints:
MD5: 94:F8:68:14~~~~E2:08:29:55:B8:D6:7D
SHA1: 5B:E6:A1:D1:2A:4F:27:~~~:9E:85:1F:66:77:68:4C:C9:55:27:95:FD
SHA256: 67:33:71~~A:1F:EF:1D:57:7E:BB:13:2F:4C:94:1F:B2:58:59:70
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C8 B4 80~~E 08 D0 12 8D A4 5C ...oNB.(.......\
0010: 1D 6C 42 FC ~~.lB.
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:21474~~7
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
Key_CertSign
Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C8 B4 80 6F 4E ~~ 8D A4 5C ...oNB.(.......\
0010: 1D 6C 42 FC .lB.
]
]

*******************************************
*******************************************

I don't know what the problem.


+I have no choice but to use the domain name and host name as an ip.
I understand that the key tool provided by the nifi only provides the domain name of the character. as follows
SubjectAlternativeName [
DNSName: nifi-1
]

But I want to use it as follows.
(x.x.x.x is my ip address.)
SubjectAlternativeName [
DNSName: x.x.x.x
IPAddress: x.x.x.x
]

tell me how to create a key with Java toolkit.

3 REPLIES 3
Highlighted

Re: NiFi Error javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

New Contributor

I solve this problem my self Using 'KeyStore Explore'.

SubjectAlternativeName [
DNSName: x.x.x.x
IPAddress: x.x.x.x
]

Highlighted

Re: NiFi Error javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

Explorer

Hi @juhee13_kim ,

How did you resolved the issue. I am also getting the same exception.

An unexpected error has occurred
javax.net.ssl.SSLPeerUnverifiedException: Hostname XXXXXXX not verified: certificate: sha256/Kt0

 

Any help is apprecieted.

Highlighted

Re: NiFi Error javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

New Contributor

how to add the IPAddress into the SubjectAlternativeName with the tls-toolkit.sh?

Don't have an account?
Coming from Hortonworks? Activate your account here