Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

NiFi Error javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

Solved Go to solution
Highlighted

NiFi Error javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

New Contributor

Current version: 1.6.0
Upgrade version: 1.8.0

Applying the cluster, accessing the ui results in an error.

(x.x.x.x is hostname, my server ip..)

The key was not created as a wildcard.


---UI Error---

javax.net.ssl.SSLPeerUnverifiedException: Hostname x.x.x.x not verified: certificate: sha256/cj+QcD4F2YafhbXSeRmuLznbS24EWVhAvCbU71aVGWo= DN: CN=x,x,x,x, OU=NIFI subjectAltNames: [x.x.x.x]


---api access error---

https://x.x.x.x:1234/nifi-api/flow/current-user

javax.net.ssl.SSLPeerUnverifiedException: Hostname x.x.x.x not verified:    certificate: sha256/!!!#$@!#qtA3h/Nhqm7wcLzM=    DN: CN=x.x.x.x, OU=NIFI    subjectAltNames: [x.x.x.x]

---log Error---

2019-04-08 08:26:28,522 WARN [Replicate Request Thread-5] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to x.x.x.x:9443 due to javax.net.ssl.SSLPeerUnverifiedException: Hostname x.x.x.x not verified:
 certificate: sha256/IiBnANAzEOL~~~qm7wcLzM=
 DN: CN=x.x.x.x, OU=NIFI
 subjectAltNames: [x.x.x.x]
2019-04-08 08:26:28,523 WARN [Replicate Request Thread-5] o.a.n.c.c.h.r.ThreadPoolRequestReplicator
javax.net.ssl.SSLPeerUnverifiedException: Hostname x.x.x.x not verified:
certificate: sha256/IiBnANAzEOLVg+DipeiOT+fkIDpqtA3h/Nhqm7wcLzM=
DN: CN=x.x.x.x, OU=NIFI
subjectAltNames: [x.x.x.x]
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:316)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:270)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:162)
at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:257)
at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:126)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
at okhttp3.RealCall.execute(RealCall.java:77)
at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:138)
at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:132)
at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:647)
at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:839)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)


--- keystore.jks------

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Apr 5, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=x.x.x.x, OU=NIFI
Issuer: CN=x.x.x.x, OU=NIFI
Serial number: 169ec64~~~~00
Valid from: Fri Apr 05 07:26:15 UTC 2019 until: Mon Apr 04 07:26:15 UTC 2022
Certificate fingerprints:
MD5: 6B:70:04~~6:FF:CD:D1:29:E4
SHA1: 88:~~~~:AE:8B:9B:10:BF:F4
SHA256: 90:5A:FA:AF:B7:~~~~:7F:CE:89:95:64:BC:C1:53:E8:E6:58:30:7B:AC
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C8 B4~~~~~~~~ D0 12 8D A4 5C ...oNB.(.......\
0010: 1D 6C 42 FC .lB.
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
 clientAuth
 serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
 DNSName: x.x.x.x
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0B F7 ~~F5 2C B8 ..Y.vu..?P....,.
0010:~~7 32 ...2
]
]

Certificate[2]:
Owner: CN=x.x.x.x, OU=NIFI
Issuer: CN=x.x.x.x, OU=NIFI
Serial number: 169ec64~~000000
Valid from: Fri Apr 05 07:26:15 UTC 2019 until: Mon Apr 04 07:26:15 UTC 2022
Certificate fingerprints:
MD5: 94:F8:68:14~~~~E2:08:29:55:B8:D6:7D
SHA1: 5B:E6:A1:D1:2A:4F:27:~~~:9E:85:1F:66:77:68:4C:C9:55:27:95:FD
SHA256: 67:33:71~~A:1F:EF:1D:57:7E:BB:13:2F:4C:94:1F:B2:58:59:70
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C8 B4 80~~E 08 D0 12 8D A4 5C ...oNB.(.......\
0010: 1D 6C 42 FC ~~.lB.
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:21474~~7
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
Key_CertSign
Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C8 B4 80 6F 4E ~~ 8D A4 5C ...oNB.(.......\
0010: 1D 6C 42 FC .lB.
]
]

*******************************************
*******************************************

I don't know what the problem.


+I have no choice but to use the domain name and host name as an ip.
I understand that the key tool provided by the nifi only provides the domain name of the character. as follows
SubjectAlternativeName [
DNSName: nifi-1
]

But I want to use it as follows.
(x.x.x.x is my ip address.)
SubjectAlternativeName [
DNSName: x.x.x.x
IPAddress: x.x.x.x
]

tell me how to create a key with Java toolkit.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: NiFi Error javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

New Contributor

I have also faced the same issue, where i was running two instances of nifi on VM. As forwarding of ports and its connectivitiy from host browser(like chrome) are having issues, I recreated certificates using SAN - subjectAltNames using tls-toolkit.

 

I was trying to access https://192.168.56.31:9441/nifi from windows maching and said address 192.168.56.31 is of local VM running centos 7.x. Earlier default certificate was not having safe IP 192.168.56.31, it was throwing error.

 

bin/tls-toolkit.sh standalone -n '192.168.56.31(2)' -C 'CN=username,OU=NIFI' --subjectAlternativeNames '192.168.56.31,0.0.0.0'

This has created necessary certificates and keystores. I have copied this keystores at appropriate nifi conf directory(excluding nifi.properties, to make sure, earlier configuration done is not messed up).

Once done, import generated .p12 certifcate and password file in chrome using settings->manage

certificates

master:[root]/root/nifi/nifi-toolkit-1.12.0>ll
total 92
-rw-r--r--.  1 root root  6673 Jan 22  2020 NOTICE
-rw-r--r--.  1 root root 41590 Jan 22  2020 LICENSE
drwxr-xr-x.  3 root root 12288 Jan 22  2020 lib
drwxr-xr-x.  3 root root    69 Jan 22  2020 classpath
drwxr-xr-x.  4 root root   160 Sep 10 17:36 target
drwxr-xr-x.  2 root root   194 Sep 15 21:11 conf
drwxr-xr-x.  4 root root  4096 Sep 15 21:14 bin
-rw-------.  1 root root  1196 Sep 17 10:17 nifi-cert.pem
-rw-------.  1 root root  1679 Sep 17 10:17 nifi-key.key
drwx------.  2 root root    71 Sep 17 10:17 node1.nifi
drwx------.  2 root root    71 Sep 17 10:18 node2.nifi
drwxr-xr-x.  5 root root   148 Sep 17 10:25 ..
drwx------.  2 root root    71 Sep 17 16:26 192.168.56.31
drwx------.  2 root root    71 Sep 17 16:26 192.168.56.31_2
-rw-------.  1 root root  3469 Sep 17 16:26 CN=username_OU=NIFI.p12
drwxr-xr-x. 11 root root  4096 Sep 17 16:26 .
-rw-------.  1 root root    43 Sep 17 16:26 CN=username_OU=NIFI.password

Above shows generated .p12 file and other configurations.

In chrome, after importing certificates, it looks like this:

parag_somani_0-1600405912987.png

 

UI looks like below:

parag_somani_1-1600406021012.png

 

View solution in original post

5 REPLIES 5
Highlighted

Re: NiFi Error javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

New Contributor

I solve this problem my self Using 'KeyStore Explore'.

SubjectAlternativeName [
DNSName: x.x.x.x
IPAddress: x.x.x.x
]

Re: NiFi Error javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

Explorer

Hi @juhee13_kim ,

How did you resolved the issue. I am also getting the same exception.

An unexpected error has occurred
javax.net.ssl.SSLPeerUnverifiedException: Hostname XXXXXXX not verified: certificate: sha256/Kt0

 

Any help is apprecieted.

Highlighted

Re: NiFi Error javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

New Contributor

how to add the IPAddress into the SubjectAlternativeName with the tls-toolkit.sh?

Highlighted

Re: NiFi Error javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

New Contributor

I have also faced the same issue, where i was running two instances of nifi on VM. As forwarding of ports and its connectivitiy from host browser(like chrome) are having issues, I recreated certificates using SAN - subjectAltNames using tls-toolkit.

 

I was trying to access https://192.168.56.31:9441/nifi from windows maching and said address 192.168.56.31 is of local VM running centos 7.x. Earlier default certificate was not having safe IP 192.168.56.31, it was throwing error.

 

bin/tls-toolkit.sh standalone -n '192.168.56.31(2)' -C 'CN=username,OU=NIFI' --subjectAlternativeNames '192.168.56.31,0.0.0.0'

This has created necessary certificates and keystores. I have copied this keystores at appropriate nifi conf directory(excluding nifi.properties, to make sure, earlier configuration done is not messed up).

Once done, import generated .p12 certifcate and password file in chrome using settings->manage

certificates

master:[root]/root/nifi/nifi-toolkit-1.12.0>ll
total 92
-rw-r--r--.  1 root root  6673 Jan 22  2020 NOTICE
-rw-r--r--.  1 root root 41590 Jan 22  2020 LICENSE
drwxr-xr-x.  3 root root 12288 Jan 22  2020 lib
drwxr-xr-x.  3 root root    69 Jan 22  2020 classpath
drwxr-xr-x.  4 root root   160 Sep 10 17:36 target
drwxr-xr-x.  2 root root   194 Sep 15 21:11 conf
drwxr-xr-x.  4 root root  4096 Sep 15 21:14 bin
-rw-------.  1 root root  1196 Sep 17 10:17 nifi-cert.pem
-rw-------.  1 root root  1679 Sep 17 10:17 nifi-key.key
drwx------.  2 root root    71 Sep 17 10:17 node1.nifi
drwx------.  2 root root    71 Sep 17 10:18 node2.nifi
drwxr-xr-x.  5 root root   148 Sep 17 10:25 ..
drwx------.  2 root root    71 Sep 17 16:26 192.168.56.31
drwx------.  2 root root    71 Sep 17 16:26 192.168.56.31_2
-rw-------.  1 root root  3469 Sep 17 16:26 CN=username_OU=NIFI.p12
drwxr-xr-x. 11 root root  4096 Sep 17 16:26 .
-rw-------.  1 root root    43 Sep 17 16:26 CN=username_OU=NIFI.password

Above shows generated .p12 file and other configurations.

In chrome, after importing certificates, it looks like this:

parag_somani_0-1600405912987.png

 

UI looks like below:

parag_somani_1-1600406021012.png

 

View solution in original post

Highlighted

Re: NiFi Error javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

New Contributor

Thanks Parag!

For shareing this information , with your solution we are able to fix our issue good job!

Don't have an account?
Coming from Hortonworks? Activate your account here