Securing NiFi - Cannot see UI

New Contributor

Hi folks,

We have been struggling for the past 3 weeks trying to secure a cluster.

We have 3 nodes. They were working ok in a cluster (but not secured).

When trying to secure those (and following the guide suggested here), we came across the following message when trying to access the UI:

javax.net.ssl.SSLPeerUnverifiedException: Hostname <my_fqdn_is_here> not verified: certificate: sha256/716mOuXyoAKqzNrXrNnG2ozHXwN8WWJsVxzWzfQzpNV= DN: CN=xxx-xxxx-xxxx.xxx.xxx.net, OU=XXXXXXXXX XXXXXX, O=XXXXX, L=XXXXXX, ST=XXXXXX XXXXX, C=CA subjectAltNames: []

We've been going over and over the configs and nothing seems to point to the right direction.

Would anyone point us to at least the right direction? 

1 ACCEPTED SOLUTION

Super Mentor

@frassis

The error message you have encountered indicates an issue with the certificates you are using to secure your NiFi nodes.

javax.net.ssl.SSLPeerUnverifiedException: Hostname <my_fqdn_is_here> not verified: certificate: sha256/716mOuXyoAKqzNrXrNnG2ozHXwN8WWJsVxzWzfQzpNV= DN: CN=xxx-xxxx-xxxx.xxx.xxx.net, OU=XXXXXXXXX XXXXXX, O=XXXXX, L=XXXXXX, ST=XXXXXX XXXXX, C=CA subjectAltNames: [] 


Jetty no longer uses the DN to verify hostnames and now requires that the certificates include at least 1 Subject Alternative Name (SAN) entry that matches the hostname of the server on which it is being used.

As you can see from the ERROR output, it indicates you have no SAN entries in your cert.  

subjectAltNames: []

You will need to generate new certificates and keystores for your NiFi nodes.
When doing so keep in mind the following:
1. Keystore may contain ONLY 1 PrivateKeyEntry
2. The PrivateKeyEntry MUST support both "clientAuth" and "serverAuth"
3. The PrivateKeyEntry MUST contain at least 1 SAN entry matching the hostname of the server where keystore will be used.
4. The Keystore and Key passwords must be the same. Or no key password set.

Thank you,

Matt

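The four rules above, turned into an added check script (not code from Matt or from the NiFi project): it builds a test certificate and PKCS12 keystore with openssl and then tests SAN, EKU and key count the way a node keystore should be tested before it is deployed. The hostname, file names and password are assumed values for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: build a test certificate and a
# PKCS12 keystore with openssl, then check them against the accepted answer's
# rules as far as openssl can see them. Hostname, paths and password are made up.
set -eu
WORK=$(mktemp -d)
HOST="nifi-node1.example.internal"   # hypothetical node FQDN
PASS="changeit"                      # one password for store and key (rule 4)

# Minimal req config so openssl never depends on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
# Extensions a NiFi node cert needs: SAN = hostname (rule 3), both EKUs (rule 2).
printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth, clientAuth\n' \
  "$HOST" > "$WORK/ext.cnf"

# Self-signed cert: $1 = output prefix, $2 = extension file, or "" for a
# CN-only cert like the one in the question ("subjectAltNames: []").
make_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=$HOST/O=Example" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  [ -n "$2" ] && ext="-extfile $2" || ext=""   # paths here contain no spaces
  openssl x509 -req -days 30 -in "$1.csr" -signkey "$1.key" -out "$1.crt" $ext 2>/dev/null
}

# Rules 2 and 3 on a PEM cert: $1 = cert, $2 = expected hostname. Returns 0
# only if the SAN lists the hostname and the EKU has serverAuth and clientAuth.
check_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  rc=0
  printf '%s\n' "$text" | grep -qE "DNS:$2(,|[[:space:]]|\$)" \
    || { echo "$1: no SAN entry for $2"; rc=1; }
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "$1: EKU lacks serverAuth"; rc=1; }
  printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' \
    || { echo "$1: EKU lacks clientAuth"; rc=1; }
  return $rc
}

# Rule 1: count the private keys in a PKCS12 keystore ($1) opened with password $2.
count_keys() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN PRIVATE KEY'
}

make_cert "$WORK/good" "$WORK/ext.cnf"
make_cert "$WORK/bad" ""
openssl pkcs12 -export -in "$WORK/good.crt" -inkey "$WORK/good.key" \
  -name nifi-key -out "$WORK/keystore.p12" -passout "pass:$PASS" 2>/dev/null
```

Run `check_cert "$WORK/good.crt" "$HOST"` and `check_cert "$WORK/bad.crt" "$HOST"` to see the passing and the failing case; the same check works on a cert exported from a real node keystore.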

4 REPLIES


@frassis You wrote that you were "following the guide suggested here", but there was no indication as to what guide you were actually following. Did you perhaps forget the hyperlink?

Bill Brooks, Community Moderator

New Contributor

Hey @MattWho, thank you very much for this.

Quick question, how do you determine if the PrivateKeyEntry supports both?

'The PrivateKeyEntry MUST support both "clientAuth" and "serverAuth"'?

I don't see this when I use keytool -v.

New Contributor

Thanks Matt,

With new certs, like you mentioned, we were able to make it work.