
NiFi single user Certificate and Token not found

Explorer

Hello,

I've been trying to set up NiFi with single user authentication but got stuck on an "Access Unknown: Certificate and Token not found" error, and I'm unable to find a solution. Any help would be greatly appreciated.

So, I'm trying to deploy on a remote machine with Docker, with authentication provided by NiFi, using Nginx as a reverse proxy.

Maybe I have to pass the p12 file to NiFi, but I have no idea how to proceed.

My docker-compose file is as follows:

version: '3.9'

x-base: &base
  image: apache/nifi:1.16.2
  networks:
    - nifi

x-nifi-environment: &nifi-environment
  NIFI_WEB_HTTPS_PORT: 8443
  NIFI_CLUSTER_IS_NODE: "true"
  NIFI_ZK_CONNECT_STRING: "zookeeper:2181"
  NIFI_ELECTION_MAX_WAIT: "30 sec"
  NIFI_ELECTION_MAX_CANDIDATES: 2
  NIFI_SENSITIVE_PROPS_KEY: "my-random-string"
  NIFI_WEB_PROXY_CONTEXT_PATH: "//"
  NIFI_CLUSTER_NODE_PROTOCOL_PORT: 8082
  NIFI_WEB_PROXY_HOST: "nifi0:8443,nifi0,nifi0.mysite.com,nifi1:8443,nifi1,nifi1.mysite.com,nifi2:8443,nifi2,nifi2.mysite.com,nifi.mysite.com"
  NIFI_WEB_HTTPS_HOST: "0.0.0.0"
  SINGLE_USER_CREDENTIALS_USERNAME: "my_admin"
  SINGLE_USER_CREDENTIALS_PASSWORD: "PASSWORD_GENERATED_BY_NIFI_TOOLKIT"
  AUTH: "tls"
  KEYSTORE_PATH: "/opt/certs/keystore.jks"
  KEYSTORE_TYPE: "JKS"
  KEYSTORE_PASSWORD: "KEYSTORE_PASSWORD_GENERATED_BY_NIFI_TOOLKIT"
  TRUSTSTORE_PATH: "/opt/certs/truststore.jks"
  TRUSTSTORE_TYPE: "JKS"
  TRUSTSTORE_PASSWORD: "TRUSTSTORE_PASSWORD_GENERATED_BY_NIFI_TOOLKIT"
  NIFI_SECURITY_USER_AUTHORIZER: "single-user-authorizer"
  NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER: "single-user-provider"
  INITIAL_ADMIN_IDENTITY: "CN=my_admin, OU=NiFi"

services:
  zookeeper:
    container_name: zookeeper
    image: bitnami/zookeeper:3.8.0
    environment:
      - ALLOW_ANONYMOUS_LOGIN=yes
    networks:
      - nifi

  nifi0:
    <<: *base
    container_name: nifi0
    volumes:
      - nifi_certs:/opt/certs:ro
      - nifi0_conf:/opt/nifi/nifi-current/conf
      - nifi0_extensions:/opt/nifi/nifi-current/extensions
      - nifi0_database_repository:/opt/nifi/nifi-current/database_repository
      - nifi0_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
      - nifi0_content_repository:/opt/nifi/nifi-current/content_repository
      - nifi0_provenance_repository:/opt/nifi/nifi-current/provenance_repository
      - nifi0_state:/opt/nifi/nifi-current/state
      - nifi0_logs:/opt/nifi/nifi-current/logs
    environment:
      <<: *nifi-environment
      NIFI_CLUSTER_ADDRESS: "nifi0"
    networks:
      - nifi
      - npm_bridge

  nifi1:
    <<: *base
    container_name: nifi1
    volumes:
      - nifi_certs:/opt/certs:ro
      - nifi1_conf:/opt/nifi/nifi-current/conf
      - nifi1_extensions:/opt/nifi/nifi-current/extensions
      - nifi1_database_repository:/opt/nifi/nifi-current/database_repository
      - nifi1_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
      - nifi1_content_repository:/opt/nifi/nifi-current/content_repository
      - nifi1_provenance_repository:/opt/nifi/nifi-current/provenance_repository
      - nifi1_state:/opt/nifi/nifi-current/state
      - nifi1_logs:/opt/nifi/nifi-current/logs
    environment:
      <<: *nifi-environment
      NIFI_CLUSTER_ADDRESS: "nifi1"
    networks:
      - nifi
      - npm_bridge

networks:
  nifi:
    driver: bridge
  npm_bridge:
    external: true
volumes:
  nifi_certs:
    external: true
  # nifi 0
  nifi0_conf:
  nifi0_extensions:
  nifi0_database_repository:
  nifi0_flowfile_repository:
  nifi0_content_repository:
  nifi0_provenance_repository:
  nifi0_state:
  nifi0_logs:
  # nifi 1
  nifi1_conf:
  nifi1_extensions:
  nifi1_database_repository:
  nifi1_flowfile_repository:
  nifi1_content_repository:
  nifi1_provenance_repository:
  nifi1_state:
  nifi1_logs:

I'm using Nginx Proxy Manager, so my config is as follows:

server {
  set $forward_scheme https;
  set $server "nifi0";
  set $port 8443;

  listen 80;
  listen 443 ssl http2;

  server_name nifi0.mysite.com;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  # letsencrypt certificate
  ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;
  # Block Exploits
  include conf.d/include/block-exploits.conf;
  # Force SSL
  include conf.d/include/force-ssl.conf;
  access_log /data/logs/proxy-host-3_access.log proxy;
  error_log /data/logs/proxy-host-3_error.log warn;

  # My actual configuration
  location / {
    proxy_set_header X-ProxyScheme https;
    proxy_set_header X-ProxyHost $host;
    proxy_set_header X-ProxyPort 443;
    proxy_set_header X-ProxyContextPath /;
    proxy_set_header X-ProxiedEntitiesChain <$ssl_client_s_dn>;
    proxy_pass $forward_scheme://$server:$port$request_uri;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

The error is:

[Image: NiFi login error]

But no error is generated at nifi-user.log file.

Thank you.
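A configuration check for the setup above, added here as an example and not part of the original thread: it parses the X-Proxy* headers from the nginx location block and confirms that each public hostname the proxy will present to NiFi is in the NIFI_WEB_PROXY_HOST allow-list, which is NiFi's guard against spoofed Host headers. Assumptions: the excerpts are constructed from the poster's configuration, and the host matching (bare host or host:port) is a simplified model of NiFi's check, not NiFi's own code.

```python
import re

# Constructed excerpts of the poster's configuration (not the full files).
NIFI_WEB_PROXY_HOST = ("nifi0:8443,nifi0,nifi0.mysite.com,nifi1:8443,nifi1,"
                       "nifi1.mysite.com,nifi2:8443,nifi2,nifi2.mysite.com,"
                       "nifi.mysite.com")

NGINX_LOCATION = """
location / {
  proxy_set_header X-ProxyScheme https;
  proxy_set_header X-ProxyHost $host;
  proxy_set_header X-ProxyPort 443;
  proxy_set_header X-ProxyContextPath /;
  proxy_set_header X-ProxiedEntitiesChain <$ssl_client_s_dn>;
  proxy_pass $forward_scheme://$server:$port$request_uri;
}
"""

# Headers NiFi's reverse-proxy documentation expects the proxy to set.
REQUIRED = ("X-ProxyScheme", "X-ProxyHost", "X-ProxyPort", "X-ProxyContextPath")

def parse_proxy_headers(block):
    """Collect every X-Proxy* header set in an nginx location block."""
    return dict(re.findall(r"proxy_set_header\s+(X-Proxy\w+)\s+(\S+?);", block))

def missing_headers(headers):
    return [h for h in REQUIRED if h not in headers]

def parse_allow_list(value):
    """Split the comma-separated nifi.web.proxy.host value into entries."""
    return {e.strip().lower() for e in value.split(",") if e.strip()}

def host_allowed(host, port, allow):
    """Simplified model (assumption): an entry matches either as a bare
    hostname or as host:port."""
    host = host.lower()
    return host in allow or f"{host}:{port}" in allow

def check(block, proxy_host_value, public_hosts):
    """Return a list of problems; an empty list means the proxy headers and
    allow-list are consistent for the given public hostnames."""
    headers = parse_proxy_headers(block)
    problems = [f"missing header {h}" for h in missing_headers(headers)]
    allow = parse_allow_list(proxy_host_value)
    port = headers.get("X-ProxyPort", "443")
    for h in public_hosts:
        if not host_allowed(h, port, allow):
            problems.append(f"{h} (port {port}) not in NIFI_WEB_PROXY_HOST")
    return problems
```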

1 ACCEPTED SOLUTION

7 REPLIES

Super Guru

@Arqui ,

Your initial admin should be simply:

  INITIAL_ADMIN_IDENTITY: "my_admin"

Cheers,

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Explorer

Hello @araujo, thank you so much for your response. I've changed the "INITIAL_ADMIN_IDENTITY" value to "my_admin", but the same error has happened.

I'm trying to follow this tutorial: Setting Up a Secure Apache NiFi Registry. In his case, the browser asks for the p12 cert file; in my case that doesn't happen, maybe because it's running behind a proxy?

I've no idea how to pass this cert. I did try to import it into the browser, but nothing happened. Besides, when I enter the wrong user/pass it does say they're incorrect, and furthermore, for this error, no log is generated, so I'm lost.

If you have any other idea, please let me know, thanks again.

Super Guru

Hi, @Arqui ,

I've made a few changes to your docker-compose.yml file to automatically generate certificates and set credentials. Please check it out here.

You don't need to provide or configure anything manually. Just start docker compose, connect to https://localhost:8443/nifi and authenticate with admin/supersecret1 (you can change the username and password in the compose configuration).

Cheers,

André

Explorer

Hi @araujo.

It's working perfectly, thank you so much.
One last thing: before, I was able to proxy via nginx, but now it gives connection refused. Do you have an idea of where I should look?
Thanks.

Super Guru

@Arqui ,

Are you running your nginx externally? How are you trying to connect?

Cheers,

André

Explorer

Hi @araujo, I'm using Nginx Proxy Manager in the same Docker; maybe it was working before because the cert was not
I'm trying to connect via localhost.

Super Guru

@Arqui ,

I've added nginx as a load balancer/proxy to the compose file.

Cheers,

André
