[NiFi] Help setting S2S with itself (localhost)

Contributor

Hi, I'm having a problem with self S2S reports. It's a NiFi 1.11.3 standalone (no cluster) Linux deployment; this is the related configuration:

# Site to Site properties
nifi.remote.input.host=localhost
nifi.remote.input.secure=true
nifi.remote.input.socket.port=10443
nifi.remote.input.http.enabled=true
nifi.remote.input.http.transaction.ttl=30 sec
nifi.remote.contents.cache.expiration=30 secs
# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=
nifi.web.https.host=my.domain.com
nifi.web.https.port=8443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=
nifi.web.proxy.host=
nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=xxxxxxxxxxxx
nifi.security.keyPasswd=xxxxxxxxxxxxxxxx
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=xxxxxxxxxxxxxxxxx
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

And the processor configuration, StandardRestrictedSSLContextService (using the self-signed keystore from NiFi that allows it to work securely):

[screenshot: Alexandros_0-1589566205711.png]

And the SiteToSiteBulletinReportingTask:

[screenshot: Alexandros_1-1589566349735.png]

With that configuration I receive these errors:

SiteToSiteBulletinReportingTask[id=017111a7-83c2-1c18-25d3-ad4d5f780eb1] Error running task SiteToSiteBulletinReportingTask[id=017111a7-83c2-1c18-25d3-ad4d5f780eb1] due to org.apache.nifi.processor.exception.ProcessException: Failed to send Bulletins to destination due to IOException:null
SiteToSiteBulletinReportingTask[id=017111a7-83c2-1c18-25d3-ad4d5f780eb1] org.apache.nifi.remote.client.PeerSelector@1e7445c6 Unable to refresh Remote Group's peers due to null

If I change http to https I receive:

SiteToSiteBulletinReportingTask[id=017111a7-83c2-1c18-25d3-ad4d5f780eb1] Error running task SiteToSiteBulletinReportingTask[id=017111a7-83c2-1c18-25d3-ad4d5f780eb1] due to org.apache.nifi.processor.exception.ProcessException: Failed to send Bulletins to destination due to IOException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To test if NiFi could see itself I tried this; it's about the self-signed certificate, so it seems OK:

curl https://host123.internal:8443/nifi
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Ignoring the certificate I reach Jetty:

curl --insecure -I https://host123.internal:8443/nifi
HTTP/1.1 302 Found
Date: Fri, 15 May 2020 18:21:49 GMT
Location: https://host123.internal:8443/nifi/
Content-Length: 0
Server: Jetty(9.4.19.v20190610)

To secure the connection on installation (HTTP to HTTPS) I used the security toolkit and copied the files to their locations under the nifi/conf folder, as seen in the configuration file at the top of the post:

./bin/tls-toolkit.sh standalone -n 'localhost(1)' -C 'CN=my_user,OU=NIFI' -O -o ../security_output

Any idea what I could be doing wrong with the S2S configuration?

Thanks!

4 Replies

Contributor

Hi, sorry for the bump. I don't know what else to try; any lead will help.

Thank you!

Expert Contributor

I cannot see any value defined for the SSL Context Service property under SiteToSiteBulletinReportingTask, hence try again after configuring an SSL context service. You can refer to the article below for help:

https://pierrevillard.com/2017/05/13/monitoring-nifi-site2site-reporting-tasks/

Contributor

Hi, it seems I forgot to set that variable for the clean test I made for the post. This is the current setting:

[screenshot: Alexandros_1-1590324588750.png]

And this is the error I get with the context added:

[screenshot: Alexandros_0-1590324415454.png]

Thank you!
Expert Contributor

It seems you have configured your RPG to connect to a NiFi instance, and during the TLS handshake no correct SAN (Subject Alternative Name) is found in the NiFi certificates; hence you need to add the host FQDN to the server cert as a SAN.
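The thread mixes two different TLS failures that look alike from the reporting task's side: the "PKIX path building failed" error from the original post is the client not trusting the server's issuer (truststore problem), while the SAN mismatch in the reply above is a hostname-verification failure that only happens after the chain has already been accepted. The script below, added here as an example and not code from the thread or from the NiFi project, separates the two. It assumes the certificate produced by `tls-toolkit.sh standalone -n 'localhost(1)'` carries `CN=localhost` and a single `DNS:localhost` SAN (the constructed `PEER_CERT` below is a stand-in for what `ssl.SSLSocket.getpeercert()` would return), and the hypothetical `fetch_peer_cert()` assumes the NiFi truststore has been exported to PEM with `keytool -exportcert -rfc` (alias `nifi-cert` is the toolkit's default, but check yours). It applies SAN-only matching, which is what curl, OkHttp and current JDKs do, so a name that appears only in the CN is reported as uncovered.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlparse

# Constructed stand-in for ssl.SSLSocket.getpeercert() output for a cert generated
# with `tls-toolkit.sh standalone -n 'localhost(1)'`: CN=localhost and one dNSName
# SAN of localhost. This is an assumption about the toolkit's output, not a fact
# taken from the thread.
PEER_CERT = {
    "subject": ((("organizationalUnitName", "NIFI"),), (("commonName", "localhost"),)),
    "issuer": ((("organizationalUnitName", "NIFI"),), (("commonName", "localhost"),)),
    "subjectAltName": (("DNS", "localhost"),),
}


def _dns_name_match(pattern, host):
    """RFC 6125-style match: case-insensitive, a wildcard is only allowed as the
    whole leftmost label, it must leave at least two fixed labels, and it
    matches exactly one label (so *.internal.example never matches a.b.internal.example)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_covered(cert, host):
    """True if the certificate's SAN extension covers `host` (DNS name or IP literal).
    The subject CN is deliberately ignored: SAN-only matching is what curl, OkHttp
    and current JDKs do (the JDK falls back to CN only when no dNSName SAN exists)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_name_match(value, host):
            return True
    return False


def diagnose(cert, destination_url):
    """Verdict for the host in a SiteToSite Destination URL against the peer cert."""
    host = urlparse(destination_url).hostname or ""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if hostname_covered(cert, host):
        return f"OK: {host} is covered by SAN {names}"
    return (f"SAN mismatch: Destination URL host {host!r} is not in SAN {names}; "
            f"regenerate the server cert with {host} as a SAN, or point the task at a covered name")


def fetch_peer_cert(host, port, truststore_pem):
    """Live variant (hypothetical helper, not run here): validate the chain against the
    NiFi truststore exported to PEM (assumed:
    keytool -exportcert -rfc -keystore conf/truststore.jks -alias nifi-cert -file nifi-cert.pem)
    but skip the built-in hostname check so the cert can be inspected afterwards.
    A handshake error here is the PKIX/trust problem; a successful handshake followed by
    hostname_covered() == False is the SAN problem from the reply above."""
    ctx = ssl.create_default_context(cafile=truststore_pem)
    ctx.check_hostname = False           # name check is done by hostname_covered() below
    ctx.verify_mode = ssl.CERT_REQUIRED  # keep chain validation so PKIX failures still surface
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # The three names that appear in the thread: nifi.remote.input.host, the curl
    # target, and nifi.web.https.host. Only the first is covered by the assumed cert.
    for url in ("https://localhost:8443/nifi",
                "https://host123.internal:8443/nifi",
                "https://my.domain.com:8443/nifi"):
        print(diagnose(PEER_CERT, url))
```

Run it against a real instance by replacing `PEER_CERT` with `fetch_peer_cert("host123.internal", 8443, "nifi-cert.pem")`: if that call raises an `ssl.SSLCertVerificationError` the truststore does not contain the issuer of the server cert, and no amount of SAN work will help until that is fixed; if it returns a cert, `diagnose()` tells you which of `localhost`, `host123.internal` or `my.domain.com` the reporting task may use in its Destination URL. Whatever name you settle on should also be the value of `nifi.remote.input.host`, since that is the name the instance advertises to S2S peers.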