Securing NiFi - Cannot see UI


New Contributor

Hi folks,

We have been struggling for the past 3 weeks trying to secure a cluster.

We have 3 nodes. They were working OK in a cluster (but not secured).

When trying to secure those (and following the guide suggested here), we came across the following message when trying to access the UI:

javax.net.ssl.SSLPeerUnverifiedException: Hostname <my_fqdn_is_here> not verified: certificate: sha256/716mOuXyoAKqzNrXrNnG2ozHXwN8WWJsVxzWzfQzpNV= DN: CN=xxx-xxxx-xxxx.xxx.xxx.net, OU=XXXXXXXXX XXXXXX, O=XXXXX, L=XXXXXX, ST=XXXXXX XXXXX, C=CA subjectAltNames: []

We've been going over and over the configs and nothing seems to point in the right direction.

Would anyone at least point us in the right direction?

Accepted Solution

Re: Securing NiFi - Cannot see UI

Master Guru

@frassis

The error message you have encountered indicates an issue with the certificates you are using to secure your NiFi nodes.

javax.net.ssl.SSLPeerUnverifiedException: Hostname <my_fqdn_is_here> not verified: certificate: sha256/716mOuXyoAKqzNrXrNnG2ozHXwN8WWJsVxzWzfQzpNV= DN: CN=xxx-xxxx-xxxx.xxx.xxx.net, OU=XXXXXXXXX XXXXXX, O=XXXXX, L=XXXXXX, ST=XXXXXX XXXXX, C=CA subjectAltNames: []

Jetty no longer uses the DN to verify hostnames and now requires that the certificates include at least 1 Subject Alternative Name (SAN) entry that matches the hostname of the server on which it is being used.

As you can see from the ERROR output, it indicates you have no SAN entries in your cert:

subjectAltNames: []

You will need to generate new certificates and keystores for your NiFi nodes.
When doing so keep in mind the following:
1. Keystore may contain ONLY 1 PrivateKeyEntry
2. The PrivateKeyEntry MUST support both "clientAuth" and "serverAuth"
3. The PrivateKeyEntry MUST contain at least 1 SAN entry matching the hostname of the server where the keystore will be used.
4. The Keystore and Key passwords must be the same, or no key password set.

Thank you,

Matt

Replies

Re: Securing NiFi - Cannot see UI

Community Manager

@frassis You wrote that you were " following the guide suggested here", but there was no indication as to what guide you were actually following. Did you perhaps forget the hyperlink?

Bill Brooks, Community Manager
Re: Securing NiFi - Cannot see UI

New Contributor

Hey @MattWho, thank you very much for this.

Quick question, how do you determine if the PrivateKeyEntry supports both?

"The PrivateKeyEntry MUST support both "clientAuth" and "serverAuth""?

I don't see this when I use keytool -v

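The checklist in the accepted answer (one PrivateKeyEntry, both clientAuth and serverAuth, a SAN matching the node's hostname) and the follow-up question about where to find this in keytool output can both be answered from `keytool -list -v`: the leaf certificate's `ExtendedKeyUsages [...]` block lists the EKU names and the `SubjectAlternativeName [...]` block lists the `DNSName:` entries. The script below is an added example, not code from the thread or from NiFi; it parses a constructed sample of that output (invented alias, hostnames and serial) and reports which of the checks pass. The fourth point, keystore and key passwords being equal, is not visible in `-list` output and is not checked here.

```python
import re

# Constructed sample of `keytool -list -v -keystore nifi-node1.jks` output, laid out the
# way keytool prints a PrivateKeyEntry with a two-certificate chain; all names are invented.
_HEADER = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi-node1.example.com, OU=NIFI
Issuer: CN=nifi-ca.example.com, OU=NIFI
Serial number: 1a2b3c
Signature algorithm name: SHA256withRSA
Version: 3

Extensions: 

"""
_EKU_BLOCK = """\
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

"""
_SAN_BLOCK = """\
#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: nifi-node1.example.com
  DNSName: nifi-node1
]

"""
_CA_CERT = """\
Certificate[2]:
Owner: CN=nifi-ca.example.com, OU=NIFI
Issuer: CN=nifi-ca.example.com, OU=NIFI
Serial number: 1
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
"""
SAMPLE_GOOD = _HEADER + _EKU_BLOCK + _SAN_BLOCK + _CA_CERT
# The same keystore with no SAN extension: the shape behind "subjectAltNames: []".
SAMPLE_NO_SAN = _HEADER + _EKU_BLOCK + _CA_CERT


def san_matches(san_entries, hostname):
    """True if a DNSName SAN equals the hostname (case-insensitive) or is a
    single-label wildcard covering it, e.g. *.example.com for a.example.com."""
    host = hostname.lower()
    for kind, value in san_entries:
        if kind != "DNSName":
            continue
        value = value.lower()
        if value == host:
            return True
        if value.startswith("*.") and "." in host and host.split(".", 1)[1] == value[2:]:
            return True
    return False


def check_nifi_keystore(keytool_output, hostname):
    """Run the keytool-visible checks; returns {check_name: (passed, detail)}."""
    entries = re.split(r"^Alias name: ", keytool_output, flags=re.M)[1:]
    key_entries = [e for e in entries if re.search(r"^Entry type: PrivateKeyEntry$", e, re.M)]
    results = {"single_private_key_entry": (len(key_entries) == 1,
                                            f"{len(key_entries)} PrivateKeyEntry entries")}
    if len(key_entries) != 1:
        return results
    # Certificate[1] is the node's own (leaf) certificate; later ones are the issuing chain.
    parts = re.split(r"^Certificate\[\d+\]:", key_entries[0], flags=re.M)
    leaf = parts[1] if len(parts) > 1 else parts[0]

    eku = re.search(r"ExtendedKeyUsages \[(.*?)\]", leaf, re.S)
    usages = set(eku.group(1).split()) if eku else set()
    results["eku_server_and_client_auth"] = ({"serverAuth", "clientAuth"} <= usages,
                                             f"EKU = {sorted(usages)}")

    san = re.search(r"SubjectAlternativeName \[(.*?)\]", leaf, re.S)
    san_entries = re.findall(r"^\s*(DNSName|IPAddress): (\S+)", san.group(1), re.M) if san else []
    results["san_matches_hostname"] = (san_matches(san_entries, hostname),
                                       f"SAN = {san_entries}")
    return results


def all_checks_pass(keytool_output, hostname):
    return all(passed for passed, _ in check_nifi_keystore(keytool_output, hostname).values())


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("no-san", SAMPLE_NO_SAN)):
        print(name)
        for check, (passed, detail) in check_nifi_keystore(sample, "nifi-node1.example.com").items():
            print(f"  {'PASS' if passed else 'FAIL'} {check}: {detail}")
```

On a real node, run `keytool -list -v -keystore <keystore>` and feed its output to `check_nifi_keystore` with the hostname NiFi advertises for that node; a missing `ExtendedKeyUsages` block, or one listing only `serverAuth`, fails the EKU check just as a missing SAN fails the hostname check.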
Re: Securing NiFi - Cannot see UI

New Contributor

Thanks Matt,

With new certs, like you mentioned, we were able to make it work.
